How to Create a GCP Service Account to Run Prefect Flows

Google Cloud Run jobs are a great way to run serverless Prefect flows, but setting up a service account with the right permissions can be tricky.

A service account that works with Prefect's Cloud Run Job infrastructure block needs two roles:

  • Cloud Run Admin
  • Service Account User

You can create an account with these roles via the GCP portal or the gcloud CLI.

GCP Portal (UI)

After creating a project, go to the project dashboard and click IAM & Admin > Service accounts > Create service account. Then, add both roles when creating the service account.

gcloud CLI

Here is how you can accomplish the same with the gcloud CLI.

First, create the service account by running the command with your own values instead of placeholders:

gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"

Then, add the first role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/run.admin"

If you don’t know your project’s ID, you can find it on the project’s main dashboard page in the GCP portal.

Now, add the second role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.serviceAccountUser"

Production setup

For a production environment, it’s best to narrow down the scope to follow the principle of least privilege. Here are the permissions you need:

  • run.jobs.create
  • run.jobs.update
  • run.jobs.delete
  • run.jobs.run
  • iam.serviceAccounts.actAs

You can make a custom role by following these instructions: first write a YAML file that defines a role with the permissions you need, then create the role from that file. You can then add the custom role to the service account by running:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="projects/PROJECT_ID/roles/CUSTOM_ROLE_ID"

Note that a project-level custom role is referenced as projects/PROJECT_ID/roles/CUSTOM_ROLE_ID; the roles/ prefix on its own is reserved for Google's predefined roles such as roles/run.admin.
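The production setup above, carried through end to end as an added example (this is not code from the original post): it writes the custom-role YAML, creates the role, binds it to the service account using the projects/PROJECT_ID/roles/ROLE_ID form, and then lists every role bound to the account so you can confirm that nothing broader than the custom role remains. PROJECT_ID, SA_NAME and ROLE_ID are placeholder values, and the gcloud calls run only when GCLOUD_RUN=1 is set.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Creates a least-privilege custom
# role for Prefect Cloud Run jobs, binds it to the service account, and lists
# the roles the account ends up with. PROJECT_ID, SA_NAME and ROLE_ID are
# placeholders; the gcloud commands run only when GCLOUD_RUN=1.
PROJECT_ID="${PROJECT_ID:-my-project-id}"
SA_NAME="${SA_NAME:-prefect-runner}"
ROLE_ID="${ROLE_ID:-prefect_cloud_run_jobs}"

# Member string that IAM policy bindings expect for a service account.
sa_member() { printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Project-level custom roles are addressed as projects/<project>/roles/<id>;
# the bare roles/<id> prefix is reserved for Google's predefined roles.
custom_role_ref() { printf 'projects/%s/roles/%s' "$1" "$2"; }

# Role definition accepted by `gcloud iam roles create --file`, limited to
# the five permissions the post lists.
role_yaml() {
  cat <<'EOF'
title: "Prefect Cloud Run Jobs"
description: "Least-privilege role for the Prefect Cloud Run Job block"
stage: "GA"
includedPermissions:
- run.jobs.create
- run.jobs.update
- run.jobs.delete
- run.jobs.run
- iam.serviceAccounts.actAs
EOF
}

# Number of permissions in the definition; a sanity check against the list.
role_permission_count() { role_yaml | grep -c '^- '; }

if [ "${GCLOUD_RUN:-0}" = "1" ]; then
  role_yaml > role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="$(sa_member "$SA_NAME" "$PROJECT_ID")" \
      --role="$(custom_role_ref "$PROJECT_ID" "$ROLE_ID")"
  # Verify: print every role bound to this account. For the production
  # setup the only line should be the custom role, not roles/run.admin.
  gcloud projects get-iam-policy "$PROJECT_ID" \
      --flatten="bindings[].members" \
      --filter="bindings.members:$(sa_member "$SA_NAME" "$PROJECT_ID")" \
      --format="value(bindings.role)"
fi
```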

Generating JSON key file

If you need a JSON key to use in your GCP Credentials block, you can generate one by running:

gcloud iam service-accounts keys create my_key.json \
    --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com