Error AtlasError Documentation and Resolution
Back to search

Cloud Run

Cloud Run service agent does not have permission to get access tokens for the service account

Google Cloud Run Service Agent does not have permission to get access tokens for the service account.

Cloud Run could not create or update the service because its service agent lacks the required permission to mint access tokens for the configured service account.

Google Cloud Run Service Agent does not have permission to get access tokens for the service account.authentication

Observed message

Google Cloud Run Service Agent does not have permission to get access tokens for the service account.

Why it happens

  • The Cloud Run service agent is missing access token creation rights on the selected service account.
  • Cross-project service identity permissions are incomplete.
  • The deployment uses a service account that the Cloud Run service agent cannot impersonate.

How to fix it

  1. Grant the Cloud Run service agent permission to create access tokens for the configured service account.
  2. Check whether the service account is in another project and add the required cross-project permissions.
  3. Verify that the deployment is referencing the intended service account.

Official reference

Google Cloud: Troubleshoot Cloud Run issues

Related errors

The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header.Cloud Run request was not authenticated403 ForbiddenCloud Run returned 403 ForbiddenPermission 'storage.objects.create' deniedCloud Run source deployment failed because storage.objects.create was deniedContainer failed to start. Failed to start and then listen on the port defined by the PORT environment variable.Cloud Run container failed to start and listen on the configured port

Explore more

authenticationBrowse more authentication errors
Cloud Run Service Agent does not have permission to get access tokens: causes and fixes | Error Atlas