# getting-started
c
Also, if I choose to attach a specific service account per Cloud Run service, how can I authorize that account without creating a catch-22?
I made some progress here. In my environment GCP projects, I didn't have Cloud Run enabled. So once I enabled it, the following accounts got created: project-number-compute@developer.gserviceaccount.com, which I could then authorize for artifact reads in the shared GCP project.
However, still not sure what to do if I need to assign a specific service account to the Cloud Run service in the env.
Alright folks, I think I've figured this out. The GCP deploy service runs as service-<project num>@serverless-robot-prod.iam.gserviceaccount.com. The service itself runs as <project num>-compute@developer.gserviceaccount.com. So, to authorize deploy, you can attach the registry reader role to the service- account, and to lock down permissions on the service itself you can create a new restricted service account. No catch-22 or circular dependency.