IAM ServiceAccount for CloudRun service endpoint invocation

9/25/2019

I have created a CloudRun service. It is exposed by an endpoint as expected which I can invoke externally.

Wanting to protect it, I need to provision for only internal connectivity.

The endpoint is to be invoked by pods running on a GKE cluster.

In order to provision only for internal connectivity, you need to set up the appropriate IAM configuration.

My question is: to whom do I have to assign the appropriate ServiceAccount (which has been granted the appropriate roles)?

To the cluster itself, or, say, the VMs running the k8s nodes?

-- pkaramol
google-cloud-iam
google-cloud-platform
google-cloud-run
google-iam
google-kubernetes-engine

1 Answer

9/25/2019

You can use service accounts at the cluster, node and pod level. I would use Kubernetes Secrets (for granular control) or the cluster default service account for authorization to Cloud Run (simplest).

Unless you have changed the cluster configuration there is already a Compute Engine Default Service Account assigned to your cluster. You can use this service account with no additional changes to provide the identity for access to Cloud Run.

The service account does not require any roles. Grant the IAM role roles/run.invoker when you add the IAM member to Cloud Run.

To access Cloud Run protected by IAP, you need to add an HTTP Header "authorization: bearer TOKEN". The token is an Identity Token. Your code/program must add this header as Kubernetes does not do this on your behalf.

You can request an Identity Token from the node's metadata server. This metadata server provides an Identity Token with the service account's identity. Enter the email address of the service account as the Member ID for Cloud Run.

-- John Hanley
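The sequence the answer describes (request an identity token from the node's metadata server with the Cloud Run service URL as the audience, then send it as a bearer header), written out as an added example that is not code from the original post. `CLOUD_RUN_URL`, the sample service-account e-mail and `SAMPLE_TOKEN` are constructed placeholders; the metadata URL and the `Metadata-Flavor: Google` header are the documented GCE/GKE interface. The audience check before the call is an addition of mine, because a token minted for a different `aud` is rejected by Cloud Run with a 401/403 and that is the most common failure a practitioner hits here.

```python
"""Call an IAM-protected Cloud Run service from a GKE pod with an identity
token from the node's metadata server. Added example, not the post's code."""
import base64
import json
import urllib.parse
import urllib.request

# Assumed placeholder: the URL Cloud Run shows for your service.
CLOUD_RUN_URL = "https://my-service-abc123-uc.a.run.app"

# GCE/GKE metadata endpoint that mints an OIDC identity token for the node's
# (or, with Workload Identity, the pod's) service account.
METADATA_IDENTITY_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                         "instance/service-accounts/default/identity")


def identity_token_request(audience):
    """Build the metadata-server request. `audience` must be the Cloud Run
    service URL; Cloud Run rejects tokens whose `aud` claim is anything else."""
    query = urllib.parse.urlencode({"audience": audience})
    return urllib.request.Request(METADATA_IDENTITY_URL + "?" + query,
                                  headers={"Metadata-Flavor": "Google"})


def fetch_identity_token(audience, opener=urllib.request.urlopen):
    """Ask the metadata server for a token. Only works on a GCE VM / GKE node."""
    with opener(identity_token_request(audience), timeout=5) as resp:
        return resp.read().decode("utf-8").strip()


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature. This is only for
    local inspection of `aud`/`email`; Cloud Run, not the client, verifies it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(token, expected_url):
    """True when the token was minted for exactly this service URL."""
    return jwt_claims(token).get("aud") == expected_url


def cloud_run_request(service_url, token, path="/"):
    """Attach the token as a bearer credential. Kubernetes does not add this
    header for you; the calling code must."""
    if not check_audience(token, service_url):
        raise ValueError("identity token audience does not match %s" % service_url)
    return urllib.request.Request(service_url.rstrip("/") + path,
                                  headers={"Authorization": "Bearer " + token})


def invoke_cloud_run(service_url, token, path="/", opener=urllib.request.urlopen):
    """Perform the authenticated call; returns (HTTP status, body)."""
    with opener(cloud_run_request(service_url, token, path), timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def unsigned_token(claims):
    """Constructed, unsigned JWT for offline checks of the helpers above.
    Cloud Run would reject it; a real token is RS256-signed by Google."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return b64url({"alg": "RS256", "typ": "JWT"}) + "." + b64url(claims) + ".sig"


# Constructed sample token carrying the claims a real metadata token has.
SAMPLE_TOKEN = unsigned_token({
    "aud": CLOUD_RUN_URL,
    "iss": "https://accounts.google.com",
    "email": "123456789-compute@developer.gserviceaccount.com",  # placeholder
    "email_verified": True,
})

if __name__ == "__main__":
    # On a GKE node this fetches a real token and calls the service.
    token = fetch_identity_token(CLOUD_RUN_URL)
    print("token issued for", jwt_claims(token).get("email"))
    status, body = invoke_cloud_run(CLOUD_RUN_URL, token)
    print(status, body)
```

The `email` claim of the fetched token is the identity that must appear as the member when you grant `roles/run.invoker` on the service. Tokens expire after about an hour, so fetch a fresh one per call or cache with a margin rather than storing one in a Secret; if the pod uses Workload Identity, the same metadata request returns a token for the Google service account bound to the pod's Kubernetes service account instead of the node's.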
Source: StackOverflow