How to Create a GCP Service Account to Run Prefect Flows

Google Cloud Run jobs are a great way to run serverless Prefect flows, but setting up a service account with the right permissions can be tricky.

A service account that works with Prefect’s Cloud Run Job infrastructure block needs two roles:

  • Cloud Run Admin
  • Service Account User

You can create an account with these roles via the GCP portal or the gcloud CLI.

GCP Portal (UI)

After creating a project, go to the project dashboard and click IAM & Admin > Service accounts > Create service account. Then add both roles when creating the service account.

gcloud CLI

Here is how you can accomplish the same with the gcloud CLI.

First, create the service account by running this command with your own values in place of the placeholders:

gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --description="DESCRIPTION"

Then, add the first role:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/run.admin"

If you don’t know your project’s ID, you can find it on the project’s main dashboard page in the GCP portal.

Now, add the second role:

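gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.serviceAccountUser"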

Production setup

For a production environment, it’s best to narrow down the scope to follow the principle of least privilege. Here are the permissions you need:

  • iam.serviceAccounts.actAs

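You can make a custom role by following these instructions: first write a YAML file defining a role with the permissions you need, then create the role from it. Then, you can add the custom role to a service account by running the following, where CUSTOM_ROLE_ID is a placeholder for the ID of the role you created:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" \
    --role="projects/PROJECT_ID/roles/CUSTOM_ROLE_ID"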

Generating JSON key file

If you need a JSON key to use in your GCP Credentials block, you can generate one by running:

gcloud iam service-accounts keys create my_key.json \
    --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
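To confirm that the service account ended up with the two roles listed above and nothing broader, you can audit the project's IAM policy. This is an added example, not part of the original post or of Prefect's code; the account name, project name and sample policy are constructed, and the policy is in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Roles this page assigns for the Cloud Run Job infrastructure block.
REQUIRED = {"roles/run.admin", "roles/iam.serviceAccountUser"}

def audit(policy, sa_email):
    """Compare one service account's project-level roles with REQUIRED."""
    member = "serviceAccount:" + sa_email
    held, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        held.add(binding["role"])
        if "condition" in binding:  # IAM Conditions limit when the role applies
            conditional.add(binding["role"])
    return {
        "held": sorted(held),
        "missing": sorted(REQUIRED - held),
        "extra": sorted(held - REQUIRED),  # anything beyond the two roles
        "conditional": sorted(conditional),
    }

# Constructed sample policy (hypothetical account and project names).
SA = "prefect-runner@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.admin",
     "members": ["serviceAccount:prefect-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:dev@example.com",
                 "serviceAccount:prefect-runner@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:dev@example.com"]}
  ],
  "etag": "BwXXXXXXXXX=",
  "version": 1
}
""")

if __name__ == "__main__":
    for key, roles in audit(SAMPLE_POLICY, SA).items():
        print(f"{key:12} {roles}")
```

If you switch to a custom role as described under Production setup, that role shows up under "extra" and the two predefined roles under "missing", which is the expected result in that configuration.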