
Google Cloud Run

Allex edited this page Dec 10, 2024 · 1 revision

Allows running (auto-scaling) containers.

IAM

Identity Access Management.

To grant a Workload Identity Federation pool the right to deploy a new revision, you'll need to grant the principal access to the correct resources.

https://github.com/google-github-actions/auth authenticates as a specific principal using OIDC. Follow the instructions there to set it up.

After that, https://github.com/google-github-actions/deploy-cloudrun can deploy a new revision, if the permissions are all correct. Which they are not.

The error will show the exact principal being used; you'll need this when adding the correct permissions. My example is: principal://iam.googleapis.com/projects/998097406611/locations/global/workloadIdentityPools/github-actions-pool/subject/repo:AllexVeldman/pyoci:environment:pyoci.com

A full list of principal identifiers: https://cloud.google.com/iam/docs/principal-identifiers?authuser=1

The error will also show which permission is missing. Full list of permissions and the predefined roles they belong to: https://cloud.google.com/iam/docs/understanding-roles#predefined

To grant the run.services.get/update permissions, go to the Cloud Run overview page, tick the checkbox in front of the service and click Permissions. Here you can add the role to the principal shown in the error. Cloud Run Developer has the correct permissions to deploy a new revision.

After this point you'll get an error about not being able to iam.serviceAccounts.actAs. To grant this to your principal, go to IAM > Service Accounts, click on the service account, PERMISSIONS, Grant Access. Again use the principal from the error and now add the "Service Account User" role.
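The same two grants done with gcloud instead of console clicks, as an added example that is not from this page or the pyoci project: each role is bound on one service and one service account rather than project-wide, and the script refuses anything that is not a single-subject Workload Identity Federation principal. The principal is the one from the error above; PROJECT_ID, REGION, SERVICE and RUNTIME_SA are placeholders, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example (not from the page): the two IAM bindings the page grants
# through the console, done with gcloud, plus a sanity check on the principal.
set -eu

# Principal copied from the page's example error. Everything else is a placeholder.
PRINCIPAL="principal://iam.googleapis.com/projects/998097406611/locations/global/workloadIdentityPools/github-actions-pool/subject/repo:AllexVeldman/pyoci:environment:pyoci.com"
PROJECT_ID="my-project"                                        # placeholder
REGION="europe-west1"                                          # placeholder
SERVICE="my-service"                                           # placeholder
RUNTIME_SA="my-service-sa@my-project.iam.gserviceaccount.com"  # placeholder
DRY_RUN=1   # 1 = print each gcloud command instead of running it

# Accept only a Workload Identity Federation principal that names a single
# subject (one repo + environment); reject a pool-wide principalSet or a typo.
is_single_subject_principal() {
  case "$1" in
    principal://iam.googleapis.com/projects/*/locations/global/workloadIdentityPools/*/subject/repo:*) return 0 ;;
    *) return 1 ;;
  esac
}

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# run.services.get/update: Cloud Run Developer, bound on this one service
# rather than project-wide, so the CI identity cannot deploy other services.
grant_run_developer() {
  run gcloud run services add-iam-policy-binding "$SERVICE" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="$PRINCIPAL" --role="roles/run.developer"
}

# iam.serviceAccounts.actAs: Service Account User, bound on the runtime
# service account the new revision will run as.
grant_service_account_user() {
  run gcloud iam service-accounts add-iam-policy-binding "$RUNTIME_SA" \
    --project="$PROJECT_ID" \
    --member="$PRINCIPAL" --role="roles/iam.serviceAccountUser"
}

main() {
  is_single_subject_principal "$PRINCIPAL" || { echo "refusing: $PRINCIPAL" >&2; return 1; }
  grant_run_developer
  grant_service_account_user
}

main
```

Set DRY_RUN=0 once the printed commands look right; the bindings then apply to exactly the service and service account named, nothing broader.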

GitHub reference: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform
