
Eric Ma

04/07/2023, 5:57 AM
Hi all, I am trying to use prefect-gcp for Google Cloud Run, but when the cloud run job is created, it is using a different service account than the gcpcredential json that I provided. Since the library is not specifying the serviceAccountName in the YAML creation, it is defaulting to a generic read-only Compute Engine service account. Do you have any solution on how I can set the default serviceAccountName to use the same service account that is provided in GCP Credential Block? Thank you in advance for any help here https://cloud.google.com/run/docs/securing/service-identity#gcloud
By default, Cloud Run revisions and jobs execute as the Compute Engine default service account. The Compute Engine default service account has the Project Editor IAM role which grants read and write permissions on all resources in your Google Cloud project.
This screenshot is the setting that I am referring to. Right now it is a default account. However, I don't see an option to set it based on the GCP credential secret. (i.e. this should be the client_email key of the credential dict)
service_account_info = {
    "type": "service_account",
    "project_id": "project_id",
    "private_key_id": "private_key_id",
    "private_key": "private_key",
    "client_email": "client_email",
    "client_id": "client_id",
    "auth_uri": "auth_uri",
    "token_uri": "token_uri",
    "auth_provider_x509_cert_url": "auth_provider_x509_cert_url",
    "client_x509_cert_url": "client_x509_cert_url"
}

Owen McMahon

04/07/2023, 8:45 PM
I noticed this as well. Unfortunately, it doesn't appear they've exposed a way to set that value in the CloudRunJob Infrastructure Block, so I don't think it is possible to change at the moment. Blocker for us as well in terms of being able to utilize the Infra Block.

Eric Ma

04/07/2023, 8:46 PM
Appreciate the confirmation. I ended up just giving sufficient access to the default service account and it worked smoothly

Jeff Hale

04/10/2023, 2:56 PM
If you wanted to open up an issue for that feature in the prefect_gcp, I'm sure it's something the team would take a look at. 🙂

Owen McMahon

04/11/2023, 5:58 PM
Thanks @Jeff Hale! I totally would, but unfortunately our organization blocks us from contributing to any external repos, including even submitting GH Issues 😞 (which is very frustrating), so I'm unable to. Would someone on the Prefect side be able to create that Issue for me?

Jeff Hale

04/11/2023, 6:23 PM
Gotcha. On it. Will share link here momentarily.
Issue is here: please let me know if you’d like any changes.

Owen McMahon

04/11/2023, 6:51 PM
that is perfect - thanks @Jeff Hale!