Stay organized with collections
Save and categorize content based on your preferences.
This document describes how to create and run a Batch job as a
non-root user.
By default, Batch executes runnables as the root user.
If you want Batch to execute runnables as a
non-root user—for example, to run an application that doesn't
allow root users or to meet security requirements—create a
Batch job that uses OS Login. When
you enable OS Login in a Batch job, OS Login configures a user
account for you on the VMs that your job runs on. All runnables in the job are
then executed by your user account on the VM instead of by the root user.
If you are from a different organization than the project:
Compute OS Login External User (roles/compute.osLoginExternalUser)
on the project's organization
Create a Batch job that runs executables through your own user
account by doing the following:
Use the Google Cloud CLI or REST API to
create a job that
includes the
runAsNonRoot field
set to true in the main body of the JSON file:
"runAsNonRoot":true
For example, a job that runs executables as a non-root user would have a JSON
configuration file similar to the following:
{"taskGroups":[{"taskSpec":{"runnables":[{"script":{"text":"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami)."}}]},"taskCount":3,"runAsNonRoot":true}],"logsPolicy":{"destination":"CLOUD_LOGGING"}}
What's next
If you have issues creating or running a job, see Troubleshooting.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eBatch jobs typically run as the root user, but they can be configured to run as a non-root user for security or application requirements.\u003c/p\u003e\n"],["\u003cp\u003eTo run a Batch job as a non-root user, enable OS Login and set the \u003ccode\u003erunAsNonRoot\u003c/code\u003e field to \u003ccode\u003etrue\u003c/code\u003e when creating the job.\u003c/p\u003e\n"],["\u003cp\u003eSpecific IAM roles, such as Batch Job Editor, Service Account User, and Compute OS Login, are required to create and run jobs as a non-root user.\u003c/p\u003e\n"],["\u003cp\u003eEnabling OS Login configures a user account on the VMs, allowing all runnables in the Batch job to be executed by this user instead of root.\u003c/p\u003e\n"]]],[],null,["# Create and run jobs as a non-root user\n\nThis document describes how to create and run a Batch job as a\nnon-root user.\n\nBy default, Batch executes runnables as the root user.\nIf you want Batch to execute runnables as a\nnon-root user---for example, to run an application that doesn't\nallow root users or to meet security requirements---create a\nBatch job that uses [OS Login](/compute/docs/oslogin). When\nyou enable OS Login in a Batch job, OS Login configures a user\naccount for you on the VMs that your job runs on. All runnables in the job are\nthen executed by your user account on the VM instead of by the root user.\n\nBefore you begin\n----------------\n\n1. If you haven't used Batch before, review [Get started with Batch](/batch/docs/get-started) and enable Batch by completing the [prerequisites for projects and users](/batch/docs/get-started#prerequisites).\n2. If you haven't done so already, enable the\n [OS Login API](/compute/docs/oslogin/rest) by running the following\n command:\n\n ```\n gcloud services enable oslogin.googleapis.com\n ```\n3.\n\n To get the permissions that\n you need to create and run a job as a non-root user,\n\n ask your administrator to grant you the\n following IAM roles:\n\n - [Batch Job Editor](/iam/docs/roles-permissions/batch#batch.jobsEditor) (`roles/batch.jobsEditor`) on the project\n - [Service Account User](/iam/docs/roles-permissions/iam#iam.serviceAccountUser) (`roles/iam.serviceAccountUser`) on the [job's service account](/batch/docs/create-run-job-custom-service-account#create-job-service-account), which by default is the default Compute Engine service account\n - [Compute OS Login](/iam/docs/understanding-roles#compute.osLogin) (`roles/compute.osLogin`) or [Compute OS Admin Login](/iam/docs/understanding-roles#compute.osAdminLogin) (`roles/compute.osAdminLogin`) on the project\n - If you are from a different organization than the project: [Compute OS Login External User](/iam/docs/roles-permissions/compute#compute.osLoginExternalUser) (`roles/compute.osLoginExternalUser`) on the project's organization\n\n\n For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\n You might also be able to get\n the required permissions through [custom\n roles](/iam/docs/creating-custom-roles) or other [predefined\n roles](/iam/docs/roles-overview#predefined).\n | **Note:** Users with the Compute OS Admin Login role have sudo permissions, but Batch doesn't execute jobs using those permissions.\n\n\u003cbr /\u003e\n\nCreate a job that runs as a non-root user\n-----------------------------------------\n\nCreate a Batch job that runs executables through your own user\naccount by doing the following:\n\nUse the Google Cloud CLI or REST API to\n[create a job](/batch/docs/create-run-basic-job#create-basic-job) that\nincludes the\n[`runAsNonRoot` field](/batch/docs/reference/rest/v1/projects.locations.jobs#TaskGroup.FIELDS.run_as_non_root)\nset to `true` in the main body of the JSON file: \n\n \"runAsNonRoot\": true\n\nFor example, a job that runs executables as a non-root user would have a JSON\nconfiguration file similar to the following: \n\n {\n \"taskGroups\": [\n {\n \"taskSpec\": {\n \"runnables\": [\n {\n \"script\": {\n \"text\": \"echo Hello World! This is task $BATCH_TASK_INDEX executed by $(whoami).\"\n }\n }\n ]\n },\n \"taskCount\": 3,\n \"runAsNonRoot\": true\n }\n ],\n \"logsPolicy\": {\n \"destination\": \"CLOUD_LOGGING\"\n }\n }\n\nWhat's next\n-----------\n\n- If you have issues creating or running a job, see [Troubleshooting](/batch/docs/troubleshooting).\n- [View jobs and tasks](/batch/docs/view-jobs-tasks).\n- Learn about more [job creation options](/batch/docs/create-run-job#job-creation-options)."]]
