Ensure Cloud Run revisions are not configured to use the default service account

Cloud Run revisions should use a dedicated runtime service account rather than the default Compute Engine service account. Default service accounts are often granted broad permissions over time and are shared by many workloads, which increases blast radius if a service is compromised.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 query

Asset types

1 covered

Overview

A dedicated service account makes the workload identity explicit and allows least-privilege IAM roles to be reviewed, monitored, and rotated independently of other services.

Remediation guidance

Remediation

Assign a dedicated service account to the Cloud Run service and grant only the roles needed by that service. Updating the service creates a new revision; route traffic only after validation.

Google Cloud CLI

Create a dedicated service account if one does not already exist. Replace {{manual.serviceAccountId}} and {{manual.displayName}} with your approved naming convention.

gcloud iam service-accounts create {{manual.serviceAccountId}} \
  --project {{asset.cloudAccountID}} \
  --display-name "{{manual.displayName}}"

Update the Cloud Run service to use the dedicated service account. Replace {{manual.serviceAccountEmail}} with the service account email.

gcloud run services update {{asset.name}} \
  --project {{asset.cloudAccountID}} \
  --region {{asset.region}} \
  --service-account {{manual.serviceAccountEmail}}

Validate the configured service account:

gcloud run services describe {{asset.name}} \
  --project {{asset.cloudAccountID}} \
  --region {{asset.region}} \
  --format 'value(spec.template.spec.serviceAccountName)'

Rollout guidance

  1. Inventory the permissions the service actually needs from logs, code, and API calls.
  2. Grant narrowly scoped roles to the dedicated service account at the smallest feasible resource scope.
  3. Deploy a new revision and monitor errors before shifting all traffic.
  4. Remove unused broad roles from the default service account once dependent workloads have migrated.
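The validation step above checks one service at a time. The following script is an added example, not part of the Cyscale control or Google's own tooling: it applies the same default-account test to every service in a project and region, treating an empty serviceAccountName as a finding because Cloud Run falls back to the default Compute Engine service account when none is set. It assumes gcloud is installed and authenticated for live use; the sample data is constructed so the classification logic runs offline.

```shell
#!/bin/sh
# Added example (not from the Cyscale control page): audit Cloud Run services
# for use of the default Compute Engine service account.

# Returns 0 when the given service account email is the default Compute Engine
# SA (PROJECT_NUMBER-compute@developer.gserviceaccount.com) or is empty.
# An empty value counts as a finding because Cloud Run uses the default
# Compute Engine SA when no service account is configured.
is_default_compute_sa() {
  case "$1" in
    "") return 0 ;;
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "service<TAB>serviceAccountName" lines on stdin and prints the names
# of services that still need a dedicated service account, one per line.
flag_default_sa_services() {
  TAB=$(printf '\t')
  while IFS="$TAB" read -r name sa; do
    [ -n "$name" ] || continue
    if is_default_compute_sa "$sa"; then
      printf '%s\n' "$name"
    fi
  done
}

# Live audit for one project/region (assumed gcloud invocation): the same
# describe field the control's validation step uses, listed for all services.
audit_project_region() {
  gcloud run services list --project "$1" --region "$2" \
    --format 'value(metadata.name,spec.template.spec.serviceAccountName)' \
    | flag_default_sa_services
}

# Constructed sample shaped like the tab-separated value(...) output above:
# one default SA, one dedicated SA, one service with no SA set.
SAMPLE_SERVICES=$(printf 'api-gateway\t123456789012-compute@developer.gserviceaccount.com\nbilling-worker\tbilling-worker-sa@my-project.iam.gserviceaccount.com\nlegacy-cron\t')

if [ "${1:-}" = "--sample" ]; then
  # Prints: api-gateway and legacy-cron
  printf '%s\n' "$SAMPLE_SERVICES" | flag_default_sa_services
fi
```

Run with `--sample` to see the offline classification, or call `audit_project_region PROJECT REGION` against a real project.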

References

  • https://cloud.google.com/run/docs/configuring/services/service-identity
  • https://cloud.google.com/sdk/gcloud/reference/run/services/update

Query logic

These are the stored checks tied to this control.

Cloud Run revisions using the default service account

Connectors

Google Cloud

Covered asset types

CloudRunRevision

Expected check: eq []

{
  cloudRunRevisions(
    where: {
      serviceAccountEmail_MATCHES: ".*compute@developer\\.gserviceaccount\\.com$"
    }
  ) {
    ...AssetFragment
  }
}
© 2026 Cyscale Limited
