Set build service account (source deploy)

During source deployments, Cloud Run leverages Cloud Build when building and deploying your Cloud Run service.

This page shows how to set a user-specified service account for Cloud Build to use when executing builds of the service on your behalf. This guide is relevant for platform developers who are deploying Cloud Run services or functions using the Google Cloud CLI and need to customize the build service account used by Cloud Build. The build service account gcloud CLI flag is supported for source deployments (--source) and is not supported for container image deployments (--image).

Before you begin

  1. Enable the Cloud Build API:

    gcloud services enable cloudbuild.googleapis.com

  2. Create a service account, or have an existing service account, to use as the Cloud Build service account.

Required roles

You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.

Required roles for the deployer account

To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:

Required roles for the Cloud Build service account

To allow the Cloud Build service account to perform the build when deploying a function, ask your administrator to grant the Cloud Run Builder (roles/run.builder) role to the Cloud Build service account on the project.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Specify a Cloud Build service account

By default, if a Cloud Build service account isn't specified when deploying a service or function from source, Cloud Build uses the default Cloud Build service account.

As a best practice for following the principle of least privilege to improve the security posture of your service, we recommend that you specify your own service account to run your builds when deploying a service from source.

gcloud

To specify the Cloud Build service account when deploying a service from source code, use the --build-service-account flag:

gcloud beta run deploy SERVICE \
    --source . \
    --build-service-account projects/PROJECT_ID/serviceAccounts/BUILD_SERVICE_ACCOUNT

Replace:

  • SERVICE with the name of your Cloud Run service.
  • PROJECT_ID with the project ID where the build service account is created.
  • BUILD_SERVICE_ACCOUNT with the email address of your user-specified service account.

If you are deploying a function, add the --function flag with the function entry point from your source code.
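The steps above (enable the API, grant the build service account only roles/run.builder, then deploy from source with --build-service-account, adding --function for a function) can be wrapped in a small POSIX sh script. The following is an added example, not code from the Cloud Run documentation: the project ID, service name, service account email and function entry point are assumptions supplied through environment variables, and the script only calls gcloud when RUN_DEPLOY=1 is set, so the helper functions can be exercised without touching a project.

```shell
#!/bin/sh
# Added example (not from the Cloud Run docs). Assumed inputs, set by the caller:
#   PROJECT_ID           project where the build service account lives
#   SERVICE              Cloud Run service name
#   BUILD_SA_EMAIL       e.g. build-sa@PROJECT_ID.iam.gserviceaccount.com (constructed sample)
#   FUNCTION_ENTRY_POINT optional; when set, --function is added to the deploy command
#   RUN_DEPLOY=1         required before any gcloud command is executed

# Build the full resource name that --build-service-account expects.
build_sa_resource() {
  # $1 = project ID, $2 = service account email
  printf 'projects/%s/serviceAccounts/%s\n' "$1" "$2"
}

# Reject anything that does not look like a service account email before it
# reaches gcloud, so a typo fails here rather than partway through a deploy.
is_service_account_email() {
  case "$1" in
    *@*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the deploy command from the page. --function is appended only when an
# entry point is given, matching the function deployment note above.
deploy_command() {
  # $1 = service, $2 = project ID, $3 = build SA email, $4 = function entry point (optional)
  sa_resource=$(build_sa_resource "$2" "$3")
  cmd="gcloud beta run deploy $1 --source . --build-service-account $sa_resource"
  if [ -n "${4:-}" ]; then
    cmd="$cmd --function $4"
  fi
  printf '%s\n' "$cmd"
}

# Grant the build service account only the role this page names (roles/run.builder),
# rather than reusing the default Cloud Build service account.
grant_builder_role() {
  # $1 = project ID, $2 = build SA email
  gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" \
    --role="roles/run.builder"
}

main() {
  project="${PROJECT_ID:?set PROJECT_ID}"
  service="${SERVICE:?set SERVICE}"
  sa_email="${BUILD_SA_EMAIL:?set BUILD_SA_EMAIL}"
  entry_point="${FUNCTION_ENTRY_POINT:-}"

  if ! is_service_account_email "$sa_email"; then
    echo "not a service account email: $sa_email" >&2
    exit 2
  fi

  # Step 1: enable the Cloud Build API in the active gcloud project.
  gcloud services enable cloudbuild.googleapis.com
  # Step 2: bind the least-privilege role to the build service account.
  grant_builder_role "$project" "$sa_email"
  # Step 3: deploy from source with the user-specified build service account.
  eval "$(deploy_command "$service" "$project" "$sa_email" "$entry_point")"
}

# Only touch gcloud when explicitly requested, so sourcing this file is side-effect free.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  main
fi
```

Run it as `RUN_DEPLOY=1 PROJECT_ID=my-project SERVICE=hello BUILD_SA_EMAIL=build-sa@my-project.iam.gserviceaccount.com sh deploy.sh`; without RUN_DEPLOY the file can be sourced to inspect the composed command with deploy_command before anything is executed.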