Isolating AI Workloads with Cloud Run Service-Level Permissions

Question

Pulumi · Accepted Answer

To isolate AI workloads in Google Cloud Run and manage service-level permissions, we can leverage IAM (Identity and Access Management) policies. By setting these policies, we define who has access to your Cloud Run service and at what level.

In a Pulumi program, we would use resources like `ServiceIamPolicy`, `IamBinding`, or `IamMember` for the Cloud Run service. These allow us to attach IAM roles to a service, granting specific permissions to users, groups, or service accounts.

Below is a program that sets up a Cloud Run service along with its IAM policy to restrict access. We will use `gcp.cloudrunv2.Service` to create a Cloud Run service and `gcp.cloudrun.IamMember` to grant a user the `roles/run.invoker` role, which allows invoking the service.

### Explanation

- **Cloud Run Service**: Creating a Cloud Run service where we can deploy our AI workload.
- **IAM Member for Cloud Run Service**: We assign IAM permissions to the service, ensuring only specific users or service accounts have the rights to invoke the service.
- **Service Account Creation**: To illustrate end-to-end IAM management, a new service account is created. This could represent an AI workload or process needing access to invoke the service.
- **IAM Member Resource**: Binding the `roles/run.invoker` permission to the service account, restricting access so only this account can invoke the service.

### Pulumi Program

```python
import pulumi
import pulumi_gcp as gcp

# Create a Google Cloud Run service to deploy an AI workload.
cloud_run_service = gcp.cloudrunv2.Service("ai-workload-service",
    location="us-central1",
    template={
        "containers": [{
            "image": "gcr.io/google-containers/hello-app:1.0", # Placeholder for AI workload container image.
        }],
    })

# Create a new Google Cloud service account for the AI workload.
ai_service_account = gcp.serviceaccount.Account("ai-service-account",
    account_id="ai-workload-account",
    display_name="AI Workload Service Account",
)

# Bind the 'roles/run.invoker' role to the new service account,
# granting it permission to invoke the Cloud Run service.
cloud_run_invoker_binding = gcp.cloudrun.IamMember("ai-invoker-binding",
    service=cloud_run_service.name,
    location=cloud_run_service.location,
    role="roles/run.invoker",
    member=pulumi.Output.concat("serviceAccount:", ai_service_account.email),
)

# Export the Cloud Run service URL.
pulumi.export("service_url", cloud_run_service.statuses.apply(lambda statuses: statuses[0]["url"]))
# Export the service account email.
pulumi.export("service_account_email", ai_service_account.email)
```

In this program, we've set up a simple Cloud Run service and attached the minimum necessary IAM role to a service account, allowing it to invoke the service—providing a basic example of isolating AI workloads with service-level permissions in the cloud.

Each resource is declared with a Python class provided by the `pulumi_gcp` library. The `pulumi.Output.concat` function is used to build the service account's email into the necessary IAM format. Lastly, we export the service URL and service account email address, which could be used in other parts of your infrastructure or application.