How to Create a GCP Service Account to Run Prefect Flows

Google Cloud Run jobs are a great way to run serverless Prefect flows, but setting up a service account with the right permissions can be tricky.

A service account that works with the Prefect’s Cloud Run Job infrastructure block needs two roles:

  • Cloud Run Admin
  • Service Account User

You can create an account with these roles via the GCP portal or the gcloud CLI.

GCP Portal (UI)

After creating a project, go to the project dashboard and click IAM & Admin > Service accounts > Create service account. Then, add both roles when creating the service account:

gcloud CLI

Here is how you can accomplish the same with the gcloud CLI.

First, create the service account by running the command with your own values instead of placeholders:

gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"

Then, add the first role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/run.admin"

If you don’t know your project’s ID, you can find it on the project’s main dashboard page in the GCP portal.

Now, add the second role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.serviceAccountUser"

Production setup

For a production environment, it’s best to narrow down the scope to follow the principle of least privilege. Here are the permissions you need:

  • run.jobs.create
  • run.jobs.update
  • run.jobs.delete
  • run.jobs.run
  • iam.serviceAccounts.actAs

You can make a custom role by following these instructions to first build a YAML defining a role with the permissions you need and then create the role. Then, you can add the custom role to a service account by running:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/your-custom-role-id"

Generating JSON key file

If you need a JSON key to use in your GCP Credentials block, you can generate one by running:

gcloud iam service-accounts keys create my_key.json \
    --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
1 Like