ANIVGames

Reputation: 337

When you assign a service account to a Cloud Run service, what exactly happens?

I am trying to understand what assigning a service account to a Cloud Run service actually does, in order to improve the security of the containers. I have multiple processes running within a Cloud Run service and not all of them need to access the project resources.

A more specific question I have in mind is: would I be able to create multiple users and run some processes as a user that does not have access to the service account, or does every user have access to the service account?

I ran a small experiment on a VM instance (I guess this will be a similar case to Cloud Run) where I created a new user and, after creation, it wasn't authorized to use the service account of the instance. However, I am not sure whether there is a way to authorize it, which would make my method insecure.

Thank you.

EDIT

To perform the test I created a new OS user and used "gcloud auth list" from the new user account. However, I should have made a curl request, and I would have been able to retrieve credentials, as pointed out by an answer below.

Upvotes: 4

Views: 14145

Answers (3)

guillaume blaquiere

Reputation: 75790

Your question is not very clear to me, but I will try to provide you with several inputs.

When you run a service on Cloud Run, you have 2 choices for defining its identity:

  • Either it's the Compute Engine service account which is used (by default, if you specify nothing)
  • Or it's the service account that you specify at deployment

This service account is valid for the Cloud Run service (you can have up to 1000 different services per project).

Now, when you run your container, the service account is not really loaded into the container (it's the same thing with Compute Engine), but there is an API available for requesting the authentication data of this service account. It's named the metadata server.

It's not restricted to users (I don't know how you performed your test on Compute Engine!); a simple curl is enough for getting the data.

This metadata server is used, for example, when you use your libraries and you use the "default credentials". The gcloud SDK also uses it.

I hope you have a better view now. If not, add details in your question or in the comments.

Upvotes: 5
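The metadata-server exchange the answer describes, as an added example (not code from the original answers): the documented `computeMetadata/v1` endpoints are queried exactly the way "default credentials" do it, with the mandatory `Metadata-Flavor: Google` header. Because the real server only exists inside Google Cloud, the block also ships a constructed fake server so it runs offline; the email and token values it serves are made up. A defender's takeaway is visible in the code: the request carries no per-OS-user credential at all, so any process in the container that can reach the endpoint gets the service account's token.

```python
"""Query the GCE/Cloud Run metadata server the way 'default credentials' do.

Added example, not from the original answers. Endpoint paths are the
documented computeMetadata/v1 ones; the fake server below is constructed
so the example runs outside Google Cloud.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real base URL inside a Cloud Run container or a Compute Engine VM.
METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1"
SA_PATH = "/instance/service-accounts/default/"


def _metadata_get(path, base_url=METADATA_BASE, timeout=2.0):
    """GET a metadata path. The Metadata-Flavor header is mandatory: the
    real server answers 403 without it, which stops naive SSRF relays."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def service_account_email(base_url=METADATA_BASE):
    """Email of the service account the service/instance runs as."""
    return _metadata_get(SA_PATH + "email", base_url).strip()


def access_token(base_url=METADATA_BASE):
    """Short-lived OAuth2 access token for that account. Nothing here
    identifies the calling OS user; any process in the container can do this."""
    return json.loads(_metadata_get(SA_PATH + "token", base_url))


def header_is_enforced(base_url=METADATA_BASE):
    """True if a request without Metadata-Flavor is refused with 403."""
    req = urllib.request.Request(base_url + SA_PATH + "email")
    try:
        urllib.request.urlopen(req, timeout=2.0)
    except urllib.error.HTTPError as e:
        return e.code == 403
    return False


# --- constructed fake server so the example runs outside Google Cloud ---
FAKE_EMAIL = "123456789012-compute@developer.gserviceaccount.com"  # constructed
FAKE_TOKEN = {"access_token": "ya29.constructed", "expires_in": 3599,
              "token_type": "Bearer"}                                # constructed


class _FakeMetadataHandler(BaseHTTPRequestHandler):
    """Mimics the two endpoints used above, including the header check."""

    def do_GET(self):
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor:Google header.")
            return
        routes = {
            "/computeMetadata/v1" + SA_PATH + "email": FAKE_EMAIL,
            "/computeMetadata/v1" + SA_PATH + "token": json.dumps(FAKE_TOKEN),
        }
        body = routes.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_metadata_server():
    """Start the fake server on a free port; return its computeMetadata/v1 base URL."""
    server = HTTPServer(("127.0.0.1", 0), _FakeMetadataHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/computeMetadata/v1"


if __name__ == "__main__":
    base = start_fake_metadata_server()   # use METADATA_BASE on Cloud Run itself
    print("identity:", service_account_email(base))
    print("token type:", access_token(base)["token_type"])
    print("Metadata-Flavor enforced:", header_is_enforced(base))
```

On a real Cloud Run service, drop the fake server and call the functions with the default `METADATA_BASE`; the output shows which identity every process in the container shares, which is why narrowing that identity's IAM roles matters more than OS-level user separation.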

Anshuman Kumar

Reputation: 577

Just to add to the previous answers, if you are using something like Cloud Build, here is how you can implement it:

```yaml
steps:
  # Step 1: fetch the Dockerfile stored as a secret and decode it (base64url -> base64 -> bytes)
  - name: gcr.io/cloud-builders/gcloud
    args:
      - '-c'
      - "gcloud secrets versions access latest --secret=[SECRET_NAME] --format='get(payload.data)' | tr '_-' '/+' | base64 -d > Dockerfile"
    entrypoint: bash
  # Step 2: deploy from source, running the service as a dedicated service account
  - name: gcr.io/cloud-builders/gcloud
    args:
      - '-c'
      - gcloud run deploy [SERVICE_NAME] --source . --region=[REGION_NAME] --service-account=[SERVICE_ACCOUNT]@[PROJECT_ID].iam.gserviceaccount.com --max-instances=[SPECIFY_REQUIRED_VALUE]
    entrypoint: /bin/bash
options:
  logging: CLOUD_LOGGING_ONLY
```

I am using this in a personal project, but I will explain what is happening here. The first step is pulling data from my Secret Manager, where I am storing a Dockerfile with the secret environment variables. This is optional; if you are not storing any API keys and secrets, you can skip it. But if you have a different folder structure (i.e. one that isn't flat)

The second step deploys Cloud Run from the source code. The documentation for that can be found here: https://cloud.google.com/run/docs/deploying-source-code

Upvotes: 2

ahmet alp balkan

Reputation: 45224

The keyword that's missing from guillaume’s answer is "permissions".

Specifically, if you don't assign a service account, Cloud Run will use the Compute Engine default service account.

This default account has the Editor role on your project (in other words, it can do nearly anything on your GCP project, short of creating new service accounts and giving them access, and maybe deleting the GCP project). If you use the default service account and your container is compromised, you're probably in trouble. ⚠️

However, if you specify a new --service-account, by default it has no permissions. You have to bind to it the roles or permissions (e.g. GCS Object Reader, Pub/Sub Publisher...) that your application needs.

Upvotes: 3
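A small audit that applies this answer's point across a project, as an added example that is not part of the original answers: it walks a list of Cloud Run service descriptions and flags any that run as the default Compute Engine service account (Editor on the project) or whose dedicated account has been bound a basic role (`roles/editor`, `roles/owner`) project-wide. The input shapes are assumed: the Knative-style JSON that `gcloud run services list --format=json` prints, with the identity at `spec.template.spec.serviceAccountName`, and the `bindings` list from `gcloud projects get-iam-policy --format=json`. All sample services, emails and bindings below are constructed.

```python
"""Flag Cloud Run services running as the default Compute Engine SA, or as a
dedicated SA that still carries a basic project-wide role.

Added example, not from the original answers. Assumed input shapes:
`gcloud run services list --format=json` objects and the `bindings` list of
`gcloud projects get-iam-policy --format=json`. Sample data is constructed.
"""
import json
import re

# Default Compute Engine SA: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Basic roles far too broad for a single service.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def service_identity(service):
    """Return the SA email a service is configured to run as, or None when
    none is set (assumed here to mean the default compute SA is used)."""
    return (service.get("spec", {}).get("template", {})
                   .get("spec", {}).get("serviceAccountName") or None)


def broad_roles_for(member_email, bindings):
    """Project-level BROAD_ROLES bound to this service account."""
    member = f"serviceAccount:{member_email}"
    return sorted(b["role"] for b in bindings
                  if b["role"] in BROAD_ROLES and member in b.get("members", []))


def audit(services, bindings):
    """Return one (service name, identity, finding) tuple per service."""
    findings = []
    for svc in services:
        name = svc["metadata"]["name"]
        sa = service_identity(svc)
        if sa is None:
            findings.append((name, None,
                             "no service account set: uses default compute SA (Editor)"))
        elif DEFAULT_COMPUTE_SA.match(sa):
            findings.append((name, sa, "explicitly uses default compute SA (Editor)"))
        else:
            roles = broad_roles_for(sa, bindings)
            if roles:
                findings.append((name, sa,
                                 f"dedicated SA but holds {', '.join(roles)} on the project"))
            else:
                findings.append((name, sa, "ok: dedicated SA without basic project roles"))
    return findings


# --- constructed sample input ------------------------------------------------
SAMPLE_SERVICES = json.loads("""[
 {"metadata": {"name": "api"},
  "spec": {"template": {"spec": {"serviceAccountName": "api-runner@my-proj.iam.gserviceaccount.com"}}}},
 {"metadata": {"name": "worker"},
  "spec": {"template": {"spec": {"serviceAccountName": "123456789012-compute@developer.gserviceaccount.com"}}}},
 {"metadata": {"name": "legacy"},
  "spec": {"template": {"spec": {}}}},
 {"metadata": {"name": "admin-ui"},
  "spec": {"template": {"spec": {"serviceAccountName": "admin-ui@my-proj.iam.gserviceaccount.com"}}}}
]""")
SAMPLE_BINDINGS = json.loads("""[
 {"role": "roles/editor",
  "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
              "serviceAccount:admin-ui@my-proj.iam.gserviceaccount.com"]},
 {"role": "roles/storage.objectViewer",
  "members": ["serviceAccount:api-runner@my-proj.iam.gserviceaccount.com"]}
]""")

if __name__ == "__main__":
    for name, sa, finding in audit(SAMPLE_SERVICES, SAMPLE_BINDINGS):
        print(f"{name:10} {(sa or '(default)'):60} {finding}")
```

Only the `api` service passes: it has its own account bound to a single narrow role, which is the shape the answer recommends. Feed the real `gcloud` JSON in place of the constructed samples to run the same check on a project.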
