During source deployments, Cloud Run leverages Cloud Buildwhen building and deploying your Cloud Run service.

This page shows how to set auser-specified service accountfor Cloud Build to use when executing builds of the service on your behalf.This guide is relevant for platform developers who are deployingCloud Runservices orfunctions using the Google Cloud CLI and need tocustomize the build service account used by Cloud Build. The build serviceaccount gcloud CLI flag is supported forsource deployments (--source), and notsupported forcontainer image deployments (--image).

Before you begin

1. Enable the Cloud Build API:

   gcloudservicesenablecloudbuild.googleapis.com

2. Create a service account, or have anexisting service account, to use as the Cloud Build serviceaccount.

Required roles

You or your administrator must grant the deployer account and theCloud Build service account the following IAM roles.

For a list of IAM roles and permissions that are associated withCloud Run, seeCloud Run IAM rolesandCloud Run IAM permissions.If your Cloud Run service interfaces withGoogle Cloud APIs, such as Cloud Client Libraries, see theservice identity configuration guide.For more information about granting roles, seedeployment permissionsandmanage access.

Specify a Cloud Build service account

By default, if a Cloud Build service account isn't specified whendeploying aservice orfunction from source,Cloud Build uses thedefault Cloud Build service account.

As a best practice for following the principle of least privilege to improve thesecurity posture of your service, we recommend that you specify your own serviceaccount to run your builds when deploying a service from source.

gcloudrundeploySERVICE\--source.\--build-service-accountprojects/PROJECT_ID/serviceAccounts/BUILD_SERVICE_ACCOUNT