TL;DR
The "execute jobs on schedule" Cloud Run example creates permissions that are not needed, and binds project-level permissions where job-level binding would do.
Expected behavior
The example demonstrates the minimum permissions required to achieve the goal.
Observed behavior
It is unclear to the reader which permissions are required, or what they are used for.
Terraform Configuration
# Job-level binding: grants roles/run.invoker on this single job only, instead of
# a project-level google_project_iam_member that would cover every Cloud Run
# service and job in the project.
resource "google_cloud_run_v2_job_iam_binding" "run_invoker_binding" {
  project  = google_cloud_run_v2_job.default.project
  location = google_cloud_run_v2_job.default.location
  name     = google_cloud_run_v2_job.default.name
  role     = "roles/run.invoker"
  members  = ["serviceAccount:${google_service_account.cloud_run_invoker_sa.email}"]
}
Terraform Version
❯ terraform version
Terraform v1.5.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.80.0
+ provider registry.terraform.io/hashicorp/google-beta v4.80.0
Additional information
I also needed roles/iam.serviceAccountUser for the account that actually applies the Terraform, but all examples seem to imply owner permissions on the project, so it does not need to be included in the example.
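For reference, here is a complete minimal configuration that wires Cloud Scheduler to a Cloud Run job with the job-scoped binding from the report above. This is an added example, not the provider's "execute jobs on schedule" example and not the reporter's own configuration; the project ID, region, resource names, container image and schedule are placeholder assumptions.

```hcl
# Added example (not the provider's example or the issue author's code):
# the minimum wiring for Cloud Scheduler to run a Cloud Run job, with
# roles/run.invoker bound on the job only. Project ID, region, names,
# image and schedule below are placeholder assumptions.

locals {
  project  = "my-project"  # assumption
  location = "us-central1" # assumption
}

# Identity that Cloud Scheduler will run as when calling the job.
# It holds no project-level role at all.
resource "google_service_account" "cloud_run_invoker_sa" {
  account_id   = "cloud-run-invoker"
  display_name = "Cloud Run job invoker (used by Cloud Scheduler)"
  project      = local.project
}

resource "google_cloud_run_v2_job" "default" {
  name     = "scheduled-job"
  location = local.location
  project  = local.project

  template {
    template {
      containers {
        # assumption: any job container image works here
        image = "us-docker.pkg.dev/cloudrun/container/job:latest"
      }
    }
  }
}

# Job-level binding: the invoker account may run this one job and nothing else
# in the project.
resource "google_cloud_run_v2_job_iam_binding" "run_invoker_binding" {
  project  = google_cloud_run_v2_job.default.project
  location = google_cloud_run_v2_job.default.location
  name     = google_cloud_run_v2_job.default.name
  role     = "roles/run.invoker"
  members  = ["serviceAccount:${google_service_account.cloud_run_invoker_sa.email}"]
}

# Scheduler calls the Cloud Run Admin API ":run" method for the job, presenting
# an OAuth token minted for the invoker service account.
resource "google_cloud_scheduler_job" "run_job" {
  name     = "run-scheduled-job"
  project  = local.project
  region   = local.location
  schedule = "0 */6 * * *" # assumption: every six hours

  http_target {
    http_method = "POST"
    uri         = "https://${google_cloud_run_v2_job.default.location}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${google_cloud_run_v2_job.default.project}/jobs/${google_cloud_run_v2_job.default.name}:run"

    oauth_token {
      service_account_email = google_service_account.cloud_run_invoker_sa.email
    }
  }

  # Make sure the binding exists before the first scheduled invocation.
  depends_on = [google_cloud_run_v2_job_iam_binding.run_invoker_binding]
}
```

Two caveats when adapting this. `google_cloud_run_v2_job_iam_binding` is authoritative for `roles/run.invoker` on that job, so it removes any other principal that already holds the role there; use `google_cloud_run_v2_job_iam_member` if other invokers must coexist. And the identity running `terraform apply` needs `iam.serviceAccounts.actAs` on the invoker service account (for example via `roles/iam.serviceAccountUser`), because creating a Scheduler job with an `oauth_token` for that account is an impersonation of it; that is the extra role the report mentions needing.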