- Knowledge Base
- Google Cloud Platform
- GCP Cloud Run
- Cloud Run Services with Inactive Service Accounts
Ensure that your Cloud Run services are are referencing existing, active service accounts in order to prevent execution failures and operational disruptions.
Operationalexcellence
A service account is essential for a Cloud Run service to execute successfully. It provides the necessary permissions and credentials for the service to access other resources and perform its tasks within the GCP cloud environment. If the service account is disabled or deleted, the service will fail to run, leading to service interruptions and potential data loss.
Audit
To determine if the service account associated with your Cloud Run service exists and is active, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.
03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.
04 Select the SERVICES tab to view the Cloud Run services deployed for the selected GCP project.
05 Click on the name (link) of the service that you want to examine, listed in the Name column.
06 Select the REVISIONS tab, choose the active revision used by the selected service (the revision with the green check mark icon), select the SECURITY tab, and copy the service account email available for the Service account attribute, listed under Identity & Encryption.
07 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam.
08 In the left navigation panel, choose Service accounts to list the service accounts created for the selected GCP project.
09 Click inside the Filter box, choose Email, paste the service account email copied at step no. 6, and press Enter. If no results are returned and the console shows the following message: No rows to display, the service account associated with the selected Cloud Run service is not available anymore (i.e. deleted), causing the service to fail during execution. If the console returns a service account for the specified email but the resource Status is set to Disabled, the service account associated with the selected service is disabled, causing a runtime error.
10 Repeat steps no. 5 - 9 for each Cloud Run service created for the selected GCP project.
11 Repeat steps no. 2 - 10 for each project deployed within your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:
gcloud projects list --format="value(projectId)"
02 The command output should return the requested GCP project ID(s):
cc-bigdata-project-123123 cc-iot-app-project-112233
03 Run services list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Cloud Run service deployed within the selected project:
gcloud run services list --project cc-bigdata-project-123123 --format="(NAME,REGION)"
04 The command output should return the requested service names and the associated regions:
NAME: cc-project5-service REGION: us-central1 NAME: tm-stream-service REGION: us-central1 NAME: tm-vertex-service REGION: us-central1
05 Run services describe command (Windows/macOS/Linux) with the name of the Cloud Run service that you want to examine as the identifier parameter, to describe the email of the service account associated with the selected service:
gcloud run services describe cc-project5-service --region=us-central1 --format="value(spec.template.spec.serviceAccountName)"
06 The command output should return the email of the service's service account:
tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
07 Run service-accounts describe command (Windows/macOS/Linux) with the email of the service account returned at the previous step as the identifier parameter, to describe the configuration information available for the specified service account:
gcloud iam service-accounts describe tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com --format="json"
08 The command output should return the requested configuration information:
{
"disabled": true,
"displayName": "Cloud Run service account",
"email": "tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com",
"etag": "ABCD1234ABCD",
"name": "projects/cc-bigdata-project-123123/serviceAccounts/tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com",
"projectId": "cc-bigdata-project-123123"
}
If the service-accounts describe command output returns an error message such as: ERROR: (gcloud.iam.service-accounts.describe) PERMISSION_DENIED: Permission 'iam.serviceAccounts.get' denied on resource (or it may not exist), the service account associated with the selected Cloud Run service is not available anymore (i.e. deleted), causing the service to fail during execution. If the command output returns the service account information, as shown in the example above, check the "disabled" attribute value to determine the service account current status. If "disabled" is set to true, the service account associated with the selected service is disabled, causing a runtime error.
09 Repeat steps no. 5 - 8 for each Cloud Run service created for the selected GCP project.
10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
Remediation / Resolution
To create and configure service accounts for your Google Cloud Run services, perform the following operations:
Using GCP Console
01 Sign in to the Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin/iam and choose Service accounts.
04 If the service account associated with your Cloud Run service is disabled, click on the 3-dot button available in the Actions column, choose Enable and select ENABLE from the confirmation box to activate your service's service account. Enabling this service account will reactivate its existing keys.
05 If the service account associated with your Cloud Run service is no longer available, choose CREATE SERVICE ACCOUNT, and perform the following actions to create a new service account:
- For Service account details, provide a unique name and short description for the new service account. Choose CREATE AND CONTINUE to continue the setup process.
- For Grant this service account access to project, grant the appropriate access by selecting an IAM role from the Select a role dropdown list. (Optional) To add conditions, choose ADD IAM CONDITION to define your IAM conditions. Choose CONTINUE to continue the setup.
- (Optional) For Grant users access to this service account, grant access to users and/or groups that need to perform actions as this service account.
- Choose DONE to deploy your new service account.
06 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.
07 Select the SERVICES tab to access the Cloud Run services deployed for the selected GCP project.
08 Click on the name (link) of the service that you want to configure, listed in the Name column.
09 Choose EDIT & DEPLOY NEW REVISION, select the SECURITY tab, select your new service account from the Service account dropdown list, and choose DEPLOY to apply the changes and deploy a new revision for the selected service.
10 Repeat steps no. 3 - 9 for each Cloud Run service that you want to configure, available within the selected project.
11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud account.
Using GCP CLI
01 If the service account associated with your Cloud Run service is disabled, run iam service-accounts enable command (Windows/macOS/Linux) to enable your service's service account:
gcloud iam service-accounts enable tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
02 The command output should return the email of the reactivated service account:
Enabled service account [tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com].
03 If the service account associated with your Cloud Run service is no longer available (i.e. deleted), run iam service-accounts create command (Windows/macOS/Linux) to create a new GCP service account for your Cloud Run service:
gcloud iam service-accounts create tm-cloud-run-service-account --display-name="Cloud Run Service Account" --project cc-bigdata-project-123123 --format="table(email)"
04 The command output should return the email of the new service account:
Created service account [tm-cloud-run-service-account]. EMAIL: tm-cloud-run-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com
05 Run add-iam-policy-binding command (Windows/macOS/Linux) to grant the appropriate IAM role to the newly created service account in order to allow that service account access to relevant resources. The following example assigns the Cloud Run Invoker role (i.e., roles/run.invoker) to the new service account:
gcloud projects add-iam-policy-binding cc-bigdata-project-123123 --member serviceAccount:tm-cloud-run-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com --role roles/run.invoker
06 The command output should return the updated project IAM policy:
Updated IAM policy for project [cc-bigdata-project-123123]. bindings: - members: - serviceAccount:tm-cloud-run-service-account1@cc-bigdata-project-123123.iam.gserviceaccount.com role: roles/run.invoker - members: - serviceAccount:123456789012-compute@developer.gserviceaccount.com role: roles/editor - members: - user:user@domain.com role: roles/monitoring.admin - members: - user:user@domain.com role: roles/owner etag: ABCDABCDABCD version: 1
07 Run services deploy command (Windows/macOS/Linux) with the name of the Cloud Run service that you want to configure as the identifier parameter, to replace the missing service account associated with the selected service with your newly created service account:
gcloud run services update cc-project5-service --region=us-central1 --service-account=tm-cloud-run-service-account@cc-bigdata-project-123123.iam.gserviceaccount.com
08 The command output should return the build information available for the redeployed service:
OK Deploying... Done. OK Creating Revision... OK Routing traffic... Done. Service [cc-project5-service] revision [cc-project5-service-00003-abc] has been deployed and is serving 100 percent of traffic. Service URL: https://cc-project5-service-123456789012.us-central1.run.app
09 Repeat steps no. 1 - 8 for each Cloud Run service that you want to configure, available in the selected project.
10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.
References
- Google Cloud Platform (GCP) Documentation
- Types of service accounts
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud run services list
- gcloud run services describe
- gcloud iam service-accounts describe
- gcloud iam service-accounts create
- gcloud projects add-iam-policy-binding
- gcloud run services update
Related CloudRun rules
- Check for Publicly Accessible Cloud Run Services (Security, reliability, cost-optimisation, performance-efficiency, operational-excellence)
- Check for the Maximum Number of Container Instances (Cost-optimisation, operational-excellence)
- Configure Dead Lettering for Pub/Sub-Triggered Services (Reliability, operational-excellence)
- Cloud Run Service Runtime Version (Security, reliability, cost-optimisation, operational-excellence, sustainability)