No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Is this the correct way to go? Is it feasible that you might specify a different account for this purpose than the one being used to run the deployment? I think providing the correct service account name as a stack config parameter might be more robust.

You’re absolutely right! The more I was messing around with this idea, the more I’ve come to the same conclusion. I think the best would be to create a service account that only has CloudRun privileges and Secret Manager Accessor in this case :slightly_smiling_face: