Hi all I am trying to use prefect gcp for Google Cloud Run b Prefect Community #prefect-gcp

Hi all, I am trying to use prefect-gcp for Google ...

Eric Ma

04/07/2023, 5:57 AM

Hi all, I am trying to use prefect-gcp for Google Cloud Run, but when the cloud run job is created, it is using a different service account than the gcpcredential json that I provided. Since the library is not specifying the

serviceAccountName

in the YAML creation, it is defaulting to a generic read-only Compute Engine service account. Do you have any solution on how I can set the default serviceAccountName to use the same service account that is provided in GCP Credential Block? Thank you in advance for any help here https://cloud.google.com/run/docs/securing/service-identity#gcloud

Copy code

By default, Cloud Run revisions and jobs execute as the Compute Engine default service account. The Compute Engine default service account has the Project Editor IAM role which grants read and write permissions on all resources in your Google Cloud project.

💡 2

✅ 1

Eric Ma

04/07/2023, 1:38 PM

This screenshot is the setting that I am referring to. Right now it is a default account. However, I don't see an option to set it based on the GCP credential secret. (i.e. this should be the the

client_email

key of the credential dict)

Copy code

service_account_info = {
                    "type": "service_account",
                    "project_id": "project_id",
                    "private_key_id": "private_key_id",
                    "private_key": "private_key",
                    "client_email": "client_email",
                    "client_id": "client_id",
                    "auth_uri": "auth_uri",
                    "token_uri": "token_uri",
                    "auth_provider_x509_cert_url": "auth_provider_x509_cert_url",
                    "client_x509_cert_url": "client_x509_cert_url"
                }

Owen McMahon

04/07/2023, 8:45 PM

I noticed this as well. Unfortunately, it doesn't appear they've exposed a way to set that value in the

CloudRunJob

Infrastructure Block, so I don't think it is possible to change at the moment. Blocker for us as well in terms of being able to utilize the Infra Block.

Eric Ma

04/07/2023, 8:46 PM

Appreciate the confirmation. I ended up just giving sufficient access to the default service account and it worked smoothly

Jeff Hale

04/10/2023, 2:56 PM

If you wanted to open up an issue for that feature in the prefect_gcp I'm sure it's something the team would take a look at. 🙂

👍 2

Owen McMahon

04/11/2023, 5:58 PM

Thanks @Jeff Hale! I totally would, but unfortunately our organization blocks us from contributing to any external repos, including even submitting GH Issues 😞 (which is very frustrating), so I'm unable to. Would someone on the Prefect side be able to create that Issue for me?

Jeff Hale

04/11/2023, 6:23 PM

Gotcha. On it. Will share link here momentarily.

Jeff Hale

04/11/2023, 6:33 PM

Issue is here: please let me know if you’d like any chagnes.

🙌 1

Owen McMahon

04/11/2023, 6:51 PM

that is perfect - thanks @Jeff Hale!

👍 1

78 Views

Open in Slack

Previous Next