hosting-cli(gcp): add --service-account flag#6556
Conversation
Forward the new CLOUD_RUN_SERVICE_ACCOUNT env var to the deploy script
so the Cloud Run service can run as a user-specified IAM SA instead of
the project's default compute SA (broad permissions; a known security
antipattern for production workloads).
Flag is optional. When unset, the key is omitted from env_overrides
entirely — the deploy script defaults it to empty, and the bash
${VAR:+...} expansion drops `--service-account` from `gcloud run
deploy`, preserving today's behavior.
Caveat surfaced in --help: the deploying principal needs
roles/iam.serviceAccountUser on the target SA, or gcloud will 403.
Requires the matching backend change in flexgen so the deploy script
honors CLOUD_RUN_SERVICE_ACCOUNT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Greptile SummaryThis PR adds a
Confidence Score: 4/5Safe to merge on the CLI side; the only behavioral edge case is silent no-op for an empty-string argument, which would confuse users but cause no data loss. The implementation is small, additive, and well-tested. The single concern is that packages/reflex-hosting-cli/src/reflex_cli/v2/gcp.py — specifically the conditional guard around service_account injection Important Files Changed
Reviews (1): Last reviewed commit: "hosting-cli(gcp): add --service-account ..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| if service_account: | ||
| deploy_env[ENV_SERVICE_ACCOUNT] = service_account |
There was a problem hiding this comment.
--service-account "" (an explicit empty string), the falsy check silently skips the injection and falls back to the default compute SA with no warning. The user gets no indication their flag was ignored. Using is not None is more precise here — it fires only for the truly-absent case and preserves the semantics of an explicit (even if invalid) user input triggering either a forward or an early error.
| if service_account: | |
| deploy_env[ENV_SERVICE_ACCOUNT] = service_account | |
| if service_account is not None: | |
| if not service_account: | |
| console.error("--service-account cannot be an empty string.") | |
| raise click.exceptions.Exit(2) | |
| deploy_env[ENV_SERVICE_ACCOUNT] = service_account |
There was a problem hiding this comment.
for this one, i agree. a common case would be passing --service-account "$MY_SERVICE_ACCOUNT" in some CI job, and not realizing that the CI environment isn't defining MY_SERVICE_ACCOUNT`, so it's getting passed as empty string and resolving to the original behavior, despite user intent.
2 participants
Summary
--service-accounttoreflex deploy --gcp. When set, the value is forwarded asCLOUD_RUN_SERVICE_ACCOUNTenv var to the deploy script, which appends--service-account=<value>togcloud run deploy.--service-accountis omitted, the env var is not included inenv_overridesand the deploy script falls back to the existing default-compute-SA behavior — fully backwards compatible.--helpcalls out that the deploying principal needsroles/iam.serviceAccountUseron the target SA, since the gcloud 403 otherwise is cryptic.Requires the matching backend change so the deploy script honors
CLOUD_RUN_SERVICE_ACCOUNT: reflex-dev/flexgen#3746Test plan
🤖 Generated with Claude Code