hey guys, is there any way to get a reference of the user/serviceaccount that is running the pulumi command? I’m trying to create a

GCP CloudRun

service, but as specified in the docs, unless you specify a

ServiceTemplateSpec serviceAccountName

it will use the default cloud engine service account which has Editor permissions and therefore gets a permission denied on SecretManager resources for example. I’m setting my service account credentials in my stack config file through the

gcp:credentials

value. Any help or tips would be greatly appreciated!

Is this the correct way to go? Is it feasible that you might specify a different account for this purpose than the one being used to run the deployment? I think providing the correct service account name as a stack config parameter might be more robust.

You’re absolutely right! The more I was messing around with this idea, the more I’ve come to the same conclusion. I think the best would be to create a service account that only has CloudRun privileges and Secret Manager Accessor in this case 🙂