Project ID: (PII Removed by Staff)
Problem Description:
I am experiencing a critical infrastructure issue where the default Google-managed Cloud Run Service Agent (service-<PROJECT_NUMBER> at gcp-sa-run.iam.gserviceaccount.com) is not being created for my project. This is preventing me from deploying any Cloud Run service that requires a Serverless VPC Connector.
Key Information:
- Using the Resource Manager getAncestry API, we have programmatically confirmed this is a standalone project with no parent Organization. The issue is therefore not related to an Organization Policy.
- The Serverless VPC Connector (flipps-walkthrough) is healthy and in the READY state.
- The Serverless VPC Access API (vpcaccess.googleapis.com) is enabled.
Chronological Troubleshooting Steps Performed:
- Initial Deployment Failure: The initial gcloud run deploy command with the --vpc-connector flag failed. The container did not start, and logs were empty.
- Simplified Deployment Success: We successfully deployed a simplified version of the service without the VPC connector. This proves the basic Cloud Run functionality is working.
- IAM Verification Failure: Despite the successful deployment, the Cloud Run Service Agent (gcp-sa-run) was still not visible in the IAM console (with “Include Google-provided role grants” checked).
- Programmatic Confirmation: We ran gcloud iam service-accounts list and confirmed programmatically that the gcp-sa-run agent does not exist.
- Forced IAM Binding Failure: An attempt to force a role binding to the agent’s expected email address failed with INVALID_ARGUMENT: Service account ... does not exist.
- API Reset Cycle: We disabled and then re-enabled the Cloud Run API (run.googleapis.com) for the project. This did not trigger the agent’s creation.
- Alternate Agent Check: We confirmed that the older, legacy serverless-robot-prod agent also does not exist.
Conclusion:
All standard and advanced troubleshooting steps have failed to provision the necessary Google-managed Cloud Run service agent. This appears to be a persistent, backend provisioning failure specific to this project. Please advise on how to escalate this for manual intervention.
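
An added example, not part of the original post: a check over a project's IAM policy JSON (the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`) for role bindings held by service agents at the two domains named above. The project number, the policy contents and the function names are constructed for illustration.

```python
import json
import re

# Agent domains named in the post.
AGENT_DOMAINS = (
    "gcp-sa-run.iam.gserviceaccount.com",
    "serverless-robot-prod.iam.gserviceaccount.com",
)

# IAM policy member syntax; deleted principals carry a "deleted:" prefix and "?uid=" suffix.
MEMBER_RE = re.compile(
    r"^(?P<deleted>deleted:)?serviceAccount:"
    r"service-(?P<number>\d+)@(?P<domain>[a-z0-9.-]+)(?:\?uid=\d+)?$"
)

def find_service_agents(policy, project_number):
    """Return {email: {"roles": [...], "deleted": bool}} for this project's agents."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            m = MEMBER_RE.match(member)
            if not m or m["number"] != str(project_number):
                continue  # not a service agent, or belongs to another project
            if m["domain"] not in AGENT_DOMAINS:
                continue
            email = f"service-{m['number']}@{m['domain']}"
            entry = found.setdefault(email, {"roles": [], "deleted": False})
            entry["roles"].append(binding["role"])
            entry["deleted"] = entry["deleted"] or bool(m["deleted"])
    return found

def missing_agent_domains(policy, project_number):
    """Agent domains with no live (non-deleted) binding in the policy."""
    agents = find_service_agents(policy, project_number)
    live = {e.split("@", 1)[1] for e, info in agents.items() if not info["deleted"]}
    return [d for d in AGENT_DOMAINS if d not in live]

# Constructed sample policy (project number 123456789012 is made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:dev@example.com"]},
  {"role": "roles/run.serviceAgent", "members": [
    "serviceAccount:service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"]},
  {"role": "roles/editor", "members": [
    "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
    "deleted:serviceAccount:service-123456789012@gcp-sa-run.iam.gserviceaccount.com?uid=111"]}
]}
""")

if __name__ == "__main__":
    print(find_service_agents(SAMPLE_POLICY, 123456789012))
    print("missing:", missing_agent_domains(SAMPLE_POLICY, 123456789012))
```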