
How do I set permissions for Google Container Registry and Google Cloud Run?

To set up and manage permissions for Google Container Registry (GCR) and Google Cloud Run, you need to configure specific IAM roles and permissions. Generally, you’ll grant roles that allow a service account or user to interact with the GCR and Cloud Run resources securely. We will create a service account and assign the necessary roles.

Here’s a detailed explanation of what the code below does (the Terraform resource names are listed with their Pulumi equivalents):

  1. google_project (gcp.organizations.Project): Specifies the project where the resources will be deployed.
  2. google_service_account (gcp.serviceaccount.Account): Creates the service account that will be given permissions to manage GCR and Cloud Run.
  3. google_project_iam_binding (gcp.projects.IAMBinding): Binds the required IAM roles to the service account at project level.

The relevant IAM roles include:

  • roles/storage.objectViewer: Allows the service account to view and pull images from GCR (image layers are stored as objects in a Cloud Storage bucket).
  • roles/storage.objectAdmin: Provides permissions to create, overwrite and delete objects, i.e. to push images to GCR.
  • roles/run.admin: Gives full management permissions for Cloud Run services.
  • roles/iam.serviceAccountUser: Allows the service account to act as the runtime service account when deploying a Cloud Run service.

Below is the complete example setting up these permissions:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Define a Google Cloud project
const myProject = new gcp.organizations.Project("my_project", {
    name: "My Project",
    projectId: "my-gcp-project",
    orgId: "your-organization-id",
});
// Create a service account for interacting with GCR and Cloud Run
const gcrCloudrunSa = new gcp.serviceaccount.Account("gcr_cloudrun_sa", {
    accountId: "gcr-cloudrun-sa",
    displayName: "Service Account for GCR and Cloud Run",
});
// Assign required IAM roles for GCR and Cloud Run to the service account
const gcrViewerBinding = new gcp.projects.IAMBinding("gcr_viewer_binding", {
    project: myProject.projectId,
    role: "roles/storage.objectViewer",
    members: [pulumi.interpolate`serviceAccount:${gcrCloudrunSa.email}`],
});
const gcrAdminBinding = new gcp.projects.IAMBinding("gcr_admin_binding", {
    project: myProject.projectId,
    role: "roles/storage.objectAdmin",
    members: [pulumi.interpolate`serviceAccount:${gcrCloudrunSa.email}`],
});
const cloudRunAdminBinding = new gcp.projects.IAMBinding("cloud_run_admin_binding", {
    project: myProject.projectId,
    role: "roles/run.admin",
    members: [pulumi.interpolate`serviceAccount:${gcrCloudrunSa.email}`],
});
const serviceAccountUserBinding = new gcp.projects.IAMBinding("service_account_user_binding", {
    project: myProject.projectId,
    role: "roles/iam.serviceAccountUser",
    members: [pulumi.interpolate`serviceAccount:${gcrCloudrunSa.email}`],
});

In this example, we defined a service account and assigned it the permissions needed to manage and interact with Google Container Registry and Google Cloud Run. This setup ensures that the service account can pull and push images in GCR and deploy and manage services in Cloud Run.

The four IAMBinding resources are what actually grant the access: each one sets the member list for one role on the project, so the service account ends up with exactly the roles listed above.
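One thing the Pulumi code above does not show is what an authoritative binding does to a project policy that already has members: gcp.projects.IAMBinding replaces the whole member list of that role, so anyone else who held it is silently removed. The following TypeScript is an added, stand-alone example (not Pulumi code and not from the original answer) that simulates that effect on a constructed policy in the shape of `gcloud projects get-iam-policy --format=json`, so it can be used as a pre-apply check; the principals, project id and policy contents are made up.

```typescript
// Added example: preview the effect of authoritative role bindings before
// applying them. Policy shape follows `gcloud projects get-iam-policy --format=json`.
type Binding = { role: string; members: string[] };
type Policy = { bindings: Binding[] };

// Constructed sample of the project's current policy (fictional principals).
const currentPolicy: Policy = {
  bindings: [
    { role: "roles/storage.objectViewer",
      members: ["serviceAccount:ci-runner@my-gcp-project.iam.gserviceaccount.com",
                "user:alice@example.com"] },
    { role: "roles/run.admin", members: ["group:platform-team@example.com"] },
  ],
};

// Desired bindings, mirroring the four IAMBinding resources in the answer above.
const saMember = "serviceAccount:gcr-cloudrun-sa@my-gcp-project.iam.gserviceaccount.com";
const desired: Binding[] = ["roles/storage.objectViewer", "roles/storage.objectAdmin",
  "roles/run.admin", "roles/iam.serviceAccountUser"].map(role => ({ role, members: [saMember] }));

// An IAMBinding is authoritative per role: after apply, the role's member list is
// exactly `members`; other roles in the policy are left untouched.
function applyAuthoritative(policy: Policy, bindings: Binding[]): Policy {
  const byRole = new Map<string, string[]>(policy.bindings.map(b => [b.role, b.members.slice()]));
  for (const b of bindings) byRole.set(b.role, b.members.slice());
  return { bindings: Array.from(byRole.entries()).map(([role, members]) => ({ role, members })) };
}

// Members that would lose a role if the bindings were applied as written.
function evictedMembers(policy: Policy, bindings: Binding[]): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const b of bindings) {
    const existing = policy.bindings.find(x => x.role === b.role);
    const lost = (existing ? existing.members : []).filter(m => b.members.indexOf(m) < 0);
    if (lost.length > 0) out[b.role] = lost;
  }
  return out;
}

// Roles whose project-level grant reaches well beyond GCR and Cloud Run:
// objectAdmin covers every bucket in the project, serviceAccountUser lets the
// member act as every service account in the project.
const broadAtProjectScope = ["roles/storage.objectAdmin", "roles/iam.serviceAccountUser"];
function broadProjectRoles(bindings: Binding[]): string[] {
  return bindings.map(b => b.role).filter(r => broadAtProjectScope.indexOf(r) >= 0);
}
```

If `evictedMembers` reports anything, either include those members in the binding or use the non-authoritative gcp.projects.IAMMember resource instead; roles flagged by `broadProjectRoles` are candidates for narrowing to the GCR bucket or a specific service account.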
