Skip to main content



Cloud Run is in Alpha, which means APIs may change in any version and documentation is not yet finished. See the changelog to stay up to date with breaking changes.

This document describes the necessary permissions for Remotion Cloud Run and explains to those interested why the permissions are necessary.

For a step by step guide on how to set up permissions, follow the setup guide.

Service Account permissions

This policy should be assigned to the Remotion Service Account. Following the automated setup, this is achieved by creating a custom role with the title Remotion API Service Account, and assigning that role to the Remotion Service Account.

To view and manually edit roles in your GCP project, go to the Roles page within IAM admin.

To view and manually edit permissions/roles assigned to Users or Service Accounts in your GCP project, go to the IAM page within IAM Admin.

Show full Remotion API Service Account permissions list for the latest Remotion Cloud Run version.

You can always get the suitable permission file for your Remotion Cloud Run version by typing npx remotion cloudrun permissions.

The following table is a breakdown of why Remotion Cloud Run requires the permissions it does.

iam.serviceAccounts.actAsWhen deploying, act as the default service account, which will grant further permissions required during deployment.
run.operations.getRequired during deployment to confirm that deployment was successful.
run.routes.invokeInvoke the deployed Cloud Run services to perform a render. new, and edit existing, Cloud Run services. a list of existing Cloud Run services, to ensure no unintended overwriting. a Cloud Run service, for example providing it with more memory or CPU.
storage.buckets.createCreate the storage bucket to store the bundled site and render output.
storage.buckets.listGet a list of existing Cloud Storage resources, to ensure no unintended overwriting of storage buckets.
storage.objects.createCreate new objects in storage. This could be bundled sites, or renders, or logs.
logging.logEntries.listUsed by the CLI to fetch recent logs if the Cloud Run service crashes, to assist in debugging the root cause.


There are two ways in which you can test if the permissions for the service account have been correctly set up. Either you execute the following command:

npx remotion cloudrun permissions
npx remotion cloudrun permissions

or if you want to validate it programmatically, using the testPermissions() function.

See also