Also, if I choose to attach a specific service account per Cloud Run service, how can I authorize that account without creating a catch-22?
colossal-tailor-72573
11/01/2023, 11:13 PM
I made some progress here.
In my environment GCP projects, I didn't have Cloud Run enabled. So once I enabled it, the following account got created:
project-number-compute@developer.gserviceaccount.com
which I could then authorize for artifact reads in the shared GCP project.
colossal-tailor-72573
11/01/2023, 11:14 PM
However, I'm still not sure what to do if I need to assign a specific service account to the Cloud Run service in the env.
colossal-tailor-72573
11/02/2023, 12:57 AM
Alright folks, I think I've figured this out.
The GCP deploy service runs as service-<project num>@serverless-robot-prod.iam.gserviceaccount.com
The service itself runs as <project num>-compute@developer.gserviceaccount.com
So, to authorize deploy, you can attach the registry reader role to the service- account, and to lock down permissions on the service itself you can create a new restricted service account. No catch-22 or circular dependency.