Since serviceAccountTokenCreator enables service account impersonation and token minting, I’m curious about more least-privilege alternatives, such as - Using the Custom Cloud Build service account identity directly Relying on Cloud Run IAM invoker bindings (in case of cloud run invocation from cloud buuld Avoiding explicit token creation unless absolutely required When is iam.serviceAccountTokenCreator truly required?

Question

Identity token in cloud build without roles/iam.serviceAccountTokenCreator role to Service account.

Forum|Forum|18 hours ago
February 10, 2026
0 replies
4 views

kishor181
Bronze 1

Since serviceAccountTokenCreator enables service account impersonation and token minting, I’m curious about more least-privilege alternatives, such as -

Using the Custom Cloud Build service account identity directly
Relying on Cloud Run IAM invoker bindings (in case of cloud run invocation from cloud buuld
Avoiding explicit token creation unless absolutely required

When is iam.serviceAccountTokenCreator truly required?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded