Set build service account (source deploy)

During the source deployment of a function, Cloud Run leverages Cloud Build when building and deploying your function.

This page shows how to set a user-specified service account for Cloud Build to use when executing builds of the function on your behalf. This guide is relevant for platform developers who are deploying functions in Cloud Run and need to customize the build service account used by Cloud Build.

Before you begin

  1. Enable the Cloud Build API:

    gcloud services enable cloudbuild.googleapis.com

  2. Create a service account, or have an existing service account, to use as the service account for Cloud Build.

Required roles

You or your administrator must grant the deployer account and the Cloud Build service account the following IAM roles.

Required roles for the deployer account

To get the permissions that you need to build and deploy from source, ask your administrator to grant you the following IAM roles:

Required roles for the Cloud Build service account

To allow the Cloud Build service account to perform the build when deploying a function, ask your administrator to grant the Cloud Run Builder (roles/run.builder) role to the Cloud Build service account on the project.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Specify a Cloud Build service account

By default, if a Cloud Build service account isn't specified when deploying a function from source, Cloud Build uses the default Cloud Build service account.

As a best practice, and to follow the principle of least privilege and improve the security posture of your function, we recommend that you specify your own service account to run builds when you deploy a function from source.

gcloud

You can specify a service account to be used as the Cloud Build service account during deployment of a function.

To specify the Cloud Build service account when deploying a function from source code:

gcloud beta run deploy SERVICE \
  --source . \
  --function FUNCTION_ENTRY_POINT \
  --build-service-account BUILD_SERVICE_ACCOUNT

Replace:

  • SERVICE with the name of your Cloud Run function.
  • FUNCTION_ENTRY_POINT with the entry point to your function in your source code. Omit the --function flag to deploy a service, rather than a function, from source.
  • BUILD_SERVICE_ACCOUNT with a user-specified service account.
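The following script is an added example, not code from this page or the Cloud Run documentation: it wires the steps above together (enable Cloud Build, create a dedicated build service account, grant it only roles/run.builder, deploy with --build-service-account) and then audits the project IAM policy so the build identity stays least-privilege. PROJECT_ID, BUILD_SA_NAME, SERVICE and ENTRY_POINT are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cloud Run docs: create a dedicated build service
# account, bind only roles/run.builder, deploy with it, then audit the project
# IAM policy for extra roles. PROJECT_ID, BUILD_SA_NAME, SERVICE and
# ENTRY_POINT below are assumed placeholders; override them via environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
BUILD_SA_NAME="${BUILD_SA_NAME:-fn-build-sa}"
BUILD_SA_EMAIL="${BUILD_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
SERVICE="${SERVICE:-hello-fn}"
ENTRY_POINT="${ENTRY_POINT:-hello}"

# Read project-level roles bound to the build SA (one per line on stdin) and
# print every role other than roles/run.builder. Exit status 1 means the SA
# holds more than this page requires and should be reviewed.
unexpected_build_roles() {
  nl='
'
  extra=''
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    [ "$role" = 'roles/run.builder' ] || extra="${extra}${role}${nl}"
  done
  printf '%s' "$extra"
  [ -z "$extra" ]
}

setup_and_deploy() {
  gcloud services enable cloudbuild.googleapis.com --project "$PROJECT_ID"
  gcloud iam service-accounts create "$BUILD_SA_NAME" --project "$PROJECT_ID" \
    --display-name "Cloud Run function build identity"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${BUILD_SA_EMAIL}" --role roles/run.builder
  gcloud beta run deploy "$SERVICE" --source . --function "$ENTRY_POINT" \
    --build-service-account "$BUILD_SA_EMAIL" --project "$PROJECT_ID"
}

# List the roles the build SA holds on the project and flag anything extra.
audit_build_sa() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:${BUILD_SA_EMAIL}" \
    --format='value(bindings.role)' | unexpected_build_roles
}

# Only touch Google Cloud when invoked explicitly: ./build_sa.sh run
if [ "${1:-}" = "run" ]; then setup_and_deploy && audit_build_sa; fi
```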