A developer needs to deploy a Cloud Run service from a container image in Artifact Registry. What IAM role should be granted to the Cloud Run service account?
Required to read container images from Artifact Registry.
Why this answer
The Cloud Run service account needs permission to read the container image from Artifact Registry during deployment. The `roles/artifactregistry.reader` role grants the `artifactregistry.repositories.downloadArtifacts` permission, which is required to pull the image. Without this role, the deployment fails with an access denied error.
Exam trap
The PCD exam often tests the distinction between roles that grant access to the container image (Artifact Registry reader) and roles that grant access to the running service (Cloud Run invoker), which leads candidates to confuse deployment-time permissions with runtime permissions.
How to eliminate wrong answers
Option A is wrong because `roles/storage.objectViewer` grants read access to Cloud Storage buckets, not Artifact Registry repositories; Cloud Run does not pull container images from Cloud Storage. Option B is wrong because `roles/cloudbuild.builds.builder` is used for Cloud Build service accounts to execute builds, not for Cloud Run service accounts to pull images from Artifact Registry. Option D is wrong because `roles/run.invoker` only allows invoking the Cloud Run service (i.e., sending HTTP requests), not reading container images from Artifact Registry.