[how-to-deploy-a-secure-mcp-server-on-cloud-run]: Service Account for cloud build

Open volkdir opened this issue 3 months ago • 0 comments

Hi, I don't know if this is maybe an issue of our sandbox project, but I had to create a dedicated service account for the Cloud Run deploy. Otherwise it tried to use the default compute engine, which didn't have enough permissions:

```bash
# Service account IDs must be 6-30 characters of lowercase letters, digits and
# hyphens, so the ID is lowercase with a hyphen instead of an underscore.
export MCP_SA_NAME=mcp-sa
gcloud iam service-accounts create "$MCP_SA_NAME" \
    --display-name="$MCP_SA_NAME" \
    --project "$PROJECT_ID"
export MCP_SA_EMAIL="${MCP_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Grant the build service account the roles it needs at project level
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$MCP_SA_EMAIL" \
    --role="roles/artifactregistry.writer" \
    --project "$PROJECT_ID"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$MCP_SA_EMAIL" \
    --role="roles/logging.logWriter" \
    --project "$PROJECT_ID"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$MCP_SA_EMAIL" \
    --role="roles/storage.objectViewer" \
    --project "$PROJECT_ID"

# calling the cloud deploy with the sa
gcloud run deploy zoo-mcp-server \
    --no-allow-unauthenticated \
    --build-service-account="projects/$PROJECT_ID/serviceAccounts/$MCP_SA_EMAIL" \
    --region=europe-west1 \
    --source=. \
    --labels=dev-tutorial=codelab-mcp
```

volkdir avatar Sep 26 '25 13:09 volkdir
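
Added example, not part of the issue or the codelab: a least-privilege check that compares the project-level roles held by the build service account against the three roles granted above. The function name `audit_roles`, the `EXPECTED_ROLES` list and the sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Expected project-level roles: the three granted in the issue above.
EXPECTED_ROLES="roles/artifactregistry.writer
roles/logging.logWriter
roles/storage.objectViewer"

# audit_roles reads one role per line on stdin and prints
#   MISSING <role>  for each expected role that is not granted
#   EXTRA <role>    for each granted role outside the expected set
# It returns 0 only when the granted set matches the expected set exactly.
audit_roles() {
    ar_granted=$(sort -u)
    ar_status=0
    # Role names contain no whitespace, so word splitting on newlines is safe.
    for ar_role in $EXPECTED_ROLES; do
        if ! printf '%s\n' "$ar_granted" | grep -Fxq -- "$ar_role"; then
            echo "MISSING $ar_role"
            ar_status=1
        fi
    done
    for ar_role in $ar_granted; do
        if ! printf '%s\n' "$EXPECTED_ROLES" | grep -Fxq -- "$ar_role"; then
            echo "EXTRA $ar_role"
            ar_status=1
        fi
    done
    return "$ar_status"
}

# Live usage (needs gcloud plus PROJECT_ID and MCP_SA_EMAIL from the issue);
# this only sees bindings set directly on the project:
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#       --flatten="bindings[].members" \
#       --filter="bindings.members:$MCP_SA_EMAIL" \
#       --format="value(bindings.role)" | audit_roles

# Constructed sample: one required role is missing and a broad role was added.
SAMPLE_ROLES="roles/artifactregistry.writer
roles/logging.logWriter
roles/editor"

printf '%s\n' "$SAMPLE_ROLES" | audit_roles || true
```

A non-zero exit from `audit_roles` can gate a CI step, so a build service account that picks up a broad role such as `roles/editor` is flagged before the next deploy.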