No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

hey guys, is there any way to get a reference of the user/serviceaccount that is running the pulumi command?
I’m trying to create a `GCP CloudRun` service, but as specified in the docs, unless you specify a `ServiceTemplateSpec serviceAccountName` it will use the default cloud engine service account *which has Editor permissions and therefore gets a permission denied on SecretManager resources for example.* I’m setting my service account credentials in my stack config file through the `gcp:credentials` value.
Any help or tips would be greatly appreciated!

Is this the correct way to go? Is it feasible that you might specify a different account for this purpose than the one being used to run the deployment? I think providing the correct service account name as a stack config parameter might be more robust.

You’re absolutely right! The more I was messing around with this idea, the more I’ve come to the same conclusion. I think the best would be to create a service account that only has CloudRun privileges and Secret Manager Accessor in this case :slightly_smiling_face: