GCP IAM Permissions
Identity and Access Management (IAM) allows you to regulate access to your GCP resources, thus ensuring that only users with the respective permissions have access to your GCP data.
To work with Google Cloud Run jobs, the following IAM permissions must be granted:
| Action | Who Performs It | Required Roles / Permissions | Purpose / Notes |
| --- | --- | --- | --- |
| Create Service | Deployer (user or SA) | `roles/run.admin` OR `roles/run.developer` + `roles/iam.serviceAccountUser` (on runtime SA) | Allows creating and updating Cloud Run Services and attaching a service account (`iam.serviceAccounts.actAs`). |
| Attach Runtime Service Account | Same Deployer | `iam.serviceAccounts.actAs` (permission), included in `roles/iam.serviceAccountUser` | Needed to assign the runtime service account to a Service or Job. |
| Create Job | Deployer (user or SA) | `roles/run.admin` OR `roles/run.developer` + `roles/iam.serviceAccountUser` (on runtime SA) | Grants permission to create/update Cloud Run Jobs and link a runtime SA. |
| Run Job (Execute) | Triggering user or automation (SA) | `roles/run.invoker` (or broader developer/admin) | Authorizes execution of Cloud Run Jobs via the `:run` API or `gcloud run jobs execute`. |
| View Services/Jobs | Any viewer | `roles/run.viewer` | Read-only access to Cloud Run resources and executions. |
| Runtime Service Account (Pod) | The SA attached to Service/Job | App-specific roles (e.g., `roles/storage.objectAdmin`, `roles/bigquery.user`, `roles/artifactregistry.reader`) | Needed for container image pulls and API calls made by your code at runtime. |
| Public Invocation (Optional) | Anyone (`allUsers`) | `roles/run.invoker` (granted to `allUsers`) | Makes the Service or Job endpoint public (no authentication required). |
Notes:
- Cloud Run Admin (`roles/run.admin`) grants full control; Developer (`roles/run.developer`) is slightly restricted.
- Always grant `roles/iam.serviceAccountUser` on the runtime SA to the deployer identity.
- Runtime SAs must also have Artifact Registry Reader (`roles/artifactregistry.reader`) to pull private images.
- Public access should only be enabled when security allows.
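The table and notes above describe which bindings a deployer, an invoker and the runtime SA need, and which binding (`roles/run.invoker` on `allUsers`) makes an endpoint public. The script below is an added example, not part of this page or of any Google tooling: it audits IAM policy documents in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` return, reports what a deployer is missing, and flags public invoker bindings. The project ID, member names and the policy contents are constructed sample data; the role names are the ones from the table.

```python
"""Audit Cloud Run IAM bindings against the requirements in the table above.

Added example. Policies are dicts of the form {"bindings": [{"role": ..., "members": [...]}]},
i.e. the JSON printed by `gcloud ... get-iam-policy --format=json`. All sample data is constructed.
"""
import json

RUN_ADMIN = "roles/run.admin"
RUN_DEVELOPER = "roles/run.developer"
RUN_INVOKER = "roles/run.invoker"
RUN_VIEWER = "roles/run.viewer"
SA_USER = "roles/iam.serviceAccountUser"  # carries iam.serviceAccounts.actAs
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")


def roles_of(policy: dict, member: str) -> set:
    """Roles a member holds directly in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def deployer_findings(project_policy: dict, runtime_sa_policy: dict, member: str) -> list:
    """Check the 'Create Service' / 'Create Job' rows: a Cloud Run deploy role on the
    project plus serviceAccountUser on the runtime SA (actAs). Returns a list of findings;
    an empty list means the deployer is correctly provisioned."""
    findings = []
    project_roles = roles_of(project_policy, member)
    if not project_roles & {RUN_ADMIN, RUN_DEVELOPER}:
        findings.append(f"{member}: missing {RUN_ADMIN} or {RUN_DEVELOPER} on the project")
    sa_roles = roles_of(runtime_sa_policy, member)
    if SA_USER in sa_roles:
        pass  # granted on the runtime SA itself, as the notes recommend
    elif SA_USER in project_roles:
        # A project-wide grant does allow actAs, but on every SA in the project.
        findings.append(f"{member}: {SA_USER} is project-wide; grant it on the runtime SA only")
    else:
        findings.append(f"{member}: missing {SA_USER} on the runtime SA (cannot actAs)")
    return findings


def invoker_findings(project_policy: dict, member: str) -> list:
    """Check the 'Run Job (Execute)' row: run.invoker, or the broader developer/admin roles."""
    if roles_of(project_policy, member) & {RUN_INVOKER, RUN_DEVELOPER, RUN_ADMIN}:
        return []
    return [f"{member}: missing {RUN_INVOKER} (or developer/admin) to execute jobs"]


def public_bindings(policy: dict) -> list:
    """(member, role) pairs that expose a resource to everyone, e.g. run.invoker on allUsers."""
    return sorted(
        (m, b["role"])
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
        if m in PUBLIC_MEMBERS
    )


# --- constructed sample policies (not real project data) ---
DEPLOYER = "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
SCHEDULER = "serviceAccount:scheduler@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.developer", "members": ["%s"]},
    {"role": "roles/run.invoker",   "members": ["allUsers", "%s"]},
    {"role": "roles/run.viewer",    "members": ["user:auditor@example.com"]}
  ],
  "etag": "BwConstructedEtag="
}""" % (DEPLOYER, SCHEDULER))
# Runtime SA policy before the fix: nobody has serviceAccountUser on it.
RUNTIME_SA_POLICY_BEFORE = {"bindings": []}
# After following the notes: serviceAccountUser granted on the runtime SA to the deployer.
RUNTIME_SA_POLICY_AFTER = {"bindings": [{"role": SA_USER, "members": [DEPLOYER]}]}


if __name__ == "__main__":
    for f in deployer_findings(PROJECT_POLICY, RUNTIME_SA_POLICY_BEFORE, DEPLOYER):
        print("FINDING:", f)
    for f in invoker_findings(PROJECT_POLICY, SCHEDULER):
        print("FINDING:", f)
    for member, role in public_bindings(PROJECT_POLICY):
        print(f"PUBLIC: {role} is bound to {member}")
```

Run it against the constructed data and it reports one deployer finding (no `roles/iam.serviceAccountUser` on the runtime SA), none for the scheduler SA, and the `allUsers` invoker binding; swapping in `RUNTIME_SA_POLICY_AFTER` clears the deployer finding. To audit a real project, replace the sample dicts with the output of the two `gcloud ... get-iam-policy --format=json` commands.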
See also: