Deploying a Dockerized .NET app to Cloud Run looks simple on paper: build an image, push to Artifact Registry, and deploy. But once your app starts interacting with services like Google Cloud Storage (GCS), subtle issues start showing up.
In this post, I’ll share the hidden gotchas I discovered while debugging a real-world .NET Cloud Run deployment and how to fix them.
Gotcha 1 — Application Default Credentials (ADC) Don’t Just Work in Containers
The problem:
You might hit this error: “Your default credentials were not found. To set up Application Default Credentials”
Why it happens:
Locally, gcloud auth application-default login saves credentials in your user directory. But Cloud Run runs your container in a sandbox with no user directory and no local credentials, so there is nothing for the client library to find.
The fix:
- Assign a Service Account to your Cloud Run service.
- Give it the Storage Object Admin role.
- Cloud Run automatically uses that service account for ADC.
Once that’s done, calls like GoogleCredential.GetApplicationDefault() work seamlessly.
Gotcha 2 — Verifying the Service Account Used by Cloud Run
The problem:
Developers often assume Cloud Run uses their own credentials. It doesn’t.
The fix:
- In the Google Cloud Console, go to Cloud Run → your service → Security tab.
- Look for Service account; that is the identity your app runs as, and the one ADC resolves to inside the container.
Gotcha 3 — Generating Signed URLs for Private Buckets
Scenario:
Your app uploads files to GCS, and you need signed URLs so your frontend can access them securely.
The problem:
Signed URLs that work locally may fail on Cloud Run because your service account lacks the iam.serviceAccounts.signBlob permission. Locally the signer has a private key file to sign with; on Cloud Run the credential has no key, so the library must ask the IAM signBlob API to sign on its behalf.
The fix:
- Add the Service Account Token Creator role.
- Use:
var signer = UrlSigner.FromCredential(GoogleCredential.GetApplicationDefault());
This ensures your signed URLs are generated correctly in production.
Gotcha 4 — Public vs Private Buckets
The problem:
Locally, you might test with a public bucket. But in production, GCS buckets are private by default.
Accessing an uploaded file directly shows this message: “This XML file does not appear to have any style information”. That’s GCS politely saying “Access Denied.”
The fix:
- Make the bucket public. This works for testing but is not recommended for production, since every object becomes readable by anyone with the URL.
- Use signed URLs, the secure and scalable approach. Generate time-limited signed URLs that grant temporary access to private objects.
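Here is an added example (not code from the original post) that puts Gotchas 1 through 4 together in one small ASP.NET Core minimal API: it resolves ADC once at startup, exposes a /whoami endpoint that asks the Cloud Run metadata server which service account the process really runs as, uploads a file to a private bucket, and returns a short-lived V4 signed URL instead of making the bucket public. It assumes the Google.Cloud.Storage.V1 NuGet package, a bucket name supplied through a BUCKET_NAME environment variable (my naming, not the post's), and that the service account carries the Storage Object Admin and Service Account Token Creator roles described above.

```csharp
// Added example, not from the original post. Assumes package Google.Cloud.Storage.V1,
// an environment variable BUCKET_NAME (hypothetical name), and a Cloud Run service
// account holding roles/storage.objectAdmin and roles/iam.serviceAccountTokenCreator.
using Google.Apis.Auth.OAuth2;
using Google.Cloud.Storage.V1;

var builder = WebApplication.CreateBuilder(args);

// Gotcha 1: resolve ADC once. On Cloud Run this is the service's service account
// (via the metadata server); locally it is whatever `gcloud auth application-default
// login` or GOOGLE_APPLICATION_CREDENTIALS provides. Failing here fails fast at startup
// instead of on the first request.
var credential = await GoogleCredential.GetApplicationDefaultAsync();
var storage = await StorageClient.CreateAsync(credential);

// Gotcha 3: the signer built from ADC has no private key on Cloud Run, so it signs
// through the IAM signBlob API. That call is what Token Creator authorises.
var signer = UrlSigner.FromCredential(credential);

var bucket = builder.Configuration["BUCKET_NAME"]
             ?? throw new InvalidOperationException("BUCKET_NAME is not set");

// Metadata server client for the /whoami check (only reachable on Cloud Run / GCE).
var metadata = new HttpClient
{
    BaseAddress = new Uri("http://metadata.google.internal/"),
    Timeout = TimeSpan.FromSeconds(2),
};
metadata.DefaultRequestHeaders.Add("Metadata-Flavor", "Google");

var app = builder.Build();

// Gotcha 2: report the identity the container actually runs as. Compare this with the
// Security tab in the console and with the IAM bindings you granted.
app.MapGet("/whoami", async () =>
{
    try
    {
        var email = await metadata.GetStringAsync(
            "computeMetadata/v1/instance/service-accounts/default/email");
        return Results.Ok(new { serviceAccount = email });
    }
    catch (Exception ex) when (ex is HttpRequestException or TaskCanceledException)
    {
        // No metadata server: we are running locally, so ADC came from the user directory.
        return Results.Ok(new { serviceAccount = "(no metadata server; local credentials)" });
    }
});

// Gotcha 4: upload into the private bucket and hand back a time-limited signed URL
// rather than relying on public objects.
app.MapPost("/upload", async (IFormFile file) =>
{
    if (file.Length == 0)
    {
        return Results.BadRequest("empty file");
    }

    // Never use the client-supplied file name as the object path; generate our own key
    // and keep only a whitelisted extension so the stored name cannot be influenced.
    var ext = Path.GetExtension(file.FileName).ToLowerInvariant();
    if (ext is not (".png" or ".jpg" or ".jpeg" or ".pdf"))
    {
        return Results.BadRequest("unsupported file type");
    }
    var objectName = $"uploads/{Guid.NewGuid():N}{ext}";

    await using var stream = file.OpenReadStream();
    await storage.UploadObjectAsync(bucket, objectName, file.ContentType, stream);

    // V4 signed GET URL valid for 15 minutes. Keep the lifetime as short as the
    // frontend can tolerate; the URL is a bearer token for that one object.
    var url = await signer.SignAsync(
        bucket, objectName, TimeSpan.FromMinutes(15),
        HttpMethod.Get, signingVersion: SigningVersion.V4);

    return Results.Ok(new { objectName, url });
}).DisableAntiforgery();

app.Run();
```

Deploy the service with the service account attached (Cloud Run → Security tab, as in Gotcha 2), then call /whoami first: if it returns the expected service account email but /upload still fails on signing, the missing piece is the Token Creator role rather than ADC itself.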
Takeaways
- Cloud Run does not inherit your local credentials.
- Always verify which service account your service runs as.
- Use signed URLs to safely expose private media.
- Expect differences between local and Cloud Run environments, especially around GCP services.