No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

also, If I choose to attach a specific service account per cloudrun service, how can I authorize that account without creating a catch 22?

I made some progress here.

In my environment gcp projects, I didn't have cloud run enabled. So once I enabled it, the following accounts got created:

<project-number>-<mailto:compute@developer.gserviceaccount.com|compute@developer.gserviceaccount.com>

Which I could then authorize for artifact reads in the shared gcp project.

However, Still not sure what to do if I need to assign a specific service account to the cloud run service in the env.

Alright folks, I think I've figured this out.

the gcp deploy service runs as service-&lt;project num&gt;@serverless-robot-prod.iam.gserviceaccount.com

The service itself runs as &lt;project num&gt;-<mailto:compute@developer.gserviceaccount.com|compute@developer.gserviceaccount.com>

So, to authorize deploy, you can attach the registry reader role to the service- and to lock down permissions on the service itself you can create a new restricted service account. No catch 22 or circular dependency.