Service account config for Cloud Run service which can generate signed GCS upload URLs.

python-gcs-signed-urls-service-account.tf

resource "google_storage_bucket_iam_member" "bucket_admin" {
  bucket = google_storage_bucket.my_bucket.name
  role   = "roles/storage.admin"  # this includes the `roles/storage.objectCreator` role
  member = "serviceAccount:${google_service_account.my_service_account.email}"
}

resource "google_project_iam_member" "token_creator" {
  project = "my-gcp-project"
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "serviceAccount:${google_service_account.my_service_account.email}"
}