
I have created a job named "my-job" on GCP Cloud Run Jobs. I want to grant principal A the Cloud Run Admin role and use an IAM condition to allow them to execute only "my-job".

I initially thought that using the condition (CEL) resource.name.endsWith("my-job") would work well. However, it appears that resource.name is not supported for Cloud Run. (https://cloud.google.com/iam/docs/conditions-attribute-reference#resource-name)

Is there any alternative way to filter and allow execution based on the job name?

akiraueno
  • Why do you want to set a principal as ADMIN and restrict the execution to only 1 job? What is the purpose of the admin role? Create and delete service/revision? – guillaume blaquiere Apr 14 '23 at 18:35
  • The purpose of this job is to execute E2E tests specifically for our customers. As the testing destination changes depending on the customer, our goal is to allocate one job per customer. To achieve this, I would like to set the customer's email address as the principal. In response to your question, the reason for assigning the ADMIN role is to enable job execution, not to grant permissions for creating or deleting service/revision. – akiraueno Apr 15 '23 at 02:11
  • Grant the credential only at the service level and not at the project level, and like that the grant is only for the service! – guillaume blaquiere Apr 15 '23 at 20:48
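
The resource-level grant suggested in the last comment, written out with gcloud as an added example that is not part of the original thread. The project ID, region and member address are constructed placeholders, and the `run` wrapper is a hypothetical helper that only prints each command unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Values below are assumptions
# except the job name and the role, which come from the question.
PROJECT="example-project"             # hypothetical project ID
REGION="us-central1"                  # assumed region of the job
JOB="my-job"                          # job name from the question
MEMBER="user:customer-a@example.com"  # constructed principal
ROLE="roles/run.admin"                # Cloud Run Admin, as in the question

# Hypothetical helper: print the command; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Broad form: the binding sits on the project's IAM policy, so the role
# applies to every Cloud Run job and service in that project.
grant_project_wide() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="$MEMBER" --role="$ROLE"
}

# Scoped form: the binding sits on the job's own IAM policy, so the role
# applies to this one job and no IAM condition on resource.name is needed.
grant_on_job() {
  run gcloud run jobs add-iam-policy-binding "$JOB" \
    --project="$PROJECT" --region="$REGION" \
    --member="$MEMBER" --role="$ROLE"
}

# Check: show which members are bound on the job itself.
show_job_policy() {
  run gcloud run jobs get-iam-policy "$JOB" \
    --project="$PROJECT" --region="$REGION"
}

grant_on_job
show_job_policy
```

With one job per customer, repeating `grant_on_job` per job and member keeps each customer's binding off the project policy, which `gcloud projects get-iam-policy` can confirm.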

0 Answers