Imagine the following situation:
We have a gcp cloud run backend application running. Authentication is required and the ingress is set to "Internal + Load Balancing". Other services are accessing the application via REST. Each service has it's dedicated service account with the role "roles/run.invoker". The application is hidden behind the load balancer so that we don't have to inject the auto generated "*.run.app" url.
My issue here is that I always have to deploy my backend application first before I can assign the invoker role. I rather would not couple my backend application and other service accounts so tightly. Is there a better way without for example granting the invoker permission for example to allAuthenticatedUsers.