In Cloud Run, there are two different sorts of service accounts:
The service account for the Google Cloud Run API
The service account for Runtime.
You refer to the runtime service account, the identity that will be used by the service when it runs and calls Google Cloud API, in your description and screenshot.
The service must first be deployed though, before it can run. This time, an internal Google Cloud Run process was launched to pull the container, produce a revision, and do all necessary internal tasks. A service account called "service agent" also exists to carry out that task.
You may locate it in the IAM console at: The structure is as follows
Don't forget to select Include in the checkbox in the top right corner.
Give the appropriate access to the deployment service account and not the runtime service account if you want it to be able to pull images from another project.