Roles and permissions for Cloud Run

This document shows you how to set Identity and Access Management (IAM) roles, permissions, and flags to receive Eventarc events from Google Cloud and third-party sources, and deliver the events to authenticated or unauthenticated Cloud Run target services.

This document shows you how to do the following:

  • Grant specific IAM roles to the user.
  • Grant specific roles and permissions to the trigger's service account. Eventarc uses a customer-provided service account as the identity of the trigger.
  • If you enabled the Pub/Sub service account on or before April 8, 2021, grant the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) to the Pub/Sub service account.
  • If you choose to use the Google Cloud CLI, set the Cloud Run flag appropriately when you deploy container images or revisions from a source repository to Cloud Run.

For more information about access control options in Eventarc, see Access control.

Eventarc event types and roles

Eventarc supports triggers for the following event types:

  • Cloud Audit Logs events: Eventarc receives events from Google Cloud sources using Cloud Audit Logs.
  • Direct events: Eventarc receives direct events, such as an update to a Cloud Storage bucket, from Google Cloud sources.
  • Cloud Pub/Sub events: Eventarc receives events from third-party sources using Pub/Sub notifications.

Authenticated invocations of Cloud Run

Depending on the event type, grant the appropriate IAM roles, permissions, and flags for an authenticated Cloud Run target service:

Cloud Audit Logs

To ensure that you receive events from Google Cloud sources, while delivering to an authenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com


Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account, so that the user is allowed to attach that identity to the trigger:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the service account ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Trigger service account roles

Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/run.invoker'

Replace the following values:

  • SERVICE_NAME: name of the service that should be invoked by this trigger.
  • SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account. Pub/Sub needs it to mint the identity token, as the trigger's service account, that authenticates each push delivery to the Cloud Run service.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project:

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an authenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --no-allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --no-allow-unauthenticated flag keeps the service private, so only principals that hold the Cloud Run Invoker role (roles/run.invoker) on it, such as the trigger's service account, can invoke it. If you omit the flag on the first deployment, gcloud asks interactively whether to allow unauthenticated invocations.

Direct events

To ensure that you receive events directly from the source, such as an update to a Cloud Storage bucket, while delivering to an authenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com


Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
     --member=PRINCIPAL \
     --role='roles/iam.serviceAccountUser'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the service account ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Cloud Storage service account role

If you are creating a trigger for a direct event from Cloud Storage, grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the project's Cloud Storage service agent, which publishes the bucket notifications that Eventarc consumes:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:${SERVICE_ACCOUNT}" \
  --role='roles/pubsub.publisher'

Replace PROJECT_ID with the Google Cloud project ID.

Trigger service account roles

Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/run.invoker'

Replace the following values:

  • SERVICE_NAME: name of the service that should be invoked by this trigger.
  • SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an authenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --no-allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --no-allow-unauthenticated flag keeps the service private, so only principals that hold the Cloud Run Invoker role (roles/run.invoker) on it, such as the trigger's service account, can invoke it.

Pub/Sub topic

To ensure that you receive events from third-party sources, while delivering to an authenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com


Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
     --member=PRINCIPAL \
     --role='roles/iam.serviceAccountUser'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the service account ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Trigger service account roles

Grant the Cloud Run Invoker role (roles/run.invoker) to the service account of the trigger:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/run.invoker'

Replace the following values:

  • SERVICE_NAME: name of the service that should be invoked by this trigger.
  • SERVICE_ACCOUNT_USER_EMAIL: the email address for the service account.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an authenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --no-allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --no-allow-unauthenticated flag keeps the service private, so only principals that hold the Cloud Run Invoker role (roles/run.invoker) on it, such as the trigger's service account, can invoke it.

Unauthenticated invocations of Cloud Run

Depending on the event type, grant the appropriate IAM roles, permissions, and flags for an unauthenticated Cloud Run target service:

Cloud Audit Logs

To ensure that you receive events from Google Cloud sources, while delivering to an unauthenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com


Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the service account ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Trigger service account roles

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an unauthenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --allow-unauthenticated flag grants the Cloud Run Invoker role (roles/run.invoker) to allUsers, so anyone who can reach the service URL can send it requests, not only Eventarc. This is why the trigger's service account needs no roles/run.invoker grant in this case; make sure the service itself validates the events it receives.

Direct events

To ensure that you receive events directly from the source, such as an update to a Cloud Storage bucket, while delivering to an unauthenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com


Grant the Service Account User role (roles/iam.serviceAccountUser) to the user on the trigger's service account:

gcloud iam service-accounts add-iam-policy-binding \
  SERVICE_ACCOUNT_ID@PROJECT_ID.iam.gserviceaccount.com \
    --member=PRINCIPAL \
    --role='roles/iam.serviceAccountUser'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • SERVICE_ACCOUNT_ID: the service account ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Cloud Storage service account role

If you are creating a trigger for a direct event from Cloud Storage, grant the Pub/Sub Publisher role (roles/pubsub.publisher) to the project's Cloud Storage service agent, which publishes the bucket notifications that Eventarc consumes:

SERVICE_ACCOUNT="$(gsutil kms serviceaccount -p PROJECT_ID)"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:${SERVICE_ACCOUNT}" \
  --role='roles/pubsub.publisher'

Replace PROJECT_ID with the Google Cloud project ID.

Trigger service account roles

Grant the Eventarc Event Receiver role (roles/eventarc.eventReceiver) to the service account of the trigger:

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
  --member='serviceAccount:SERVICE_ACCOUNT_USER_EMAIL' \
  --role='roles/eventarc.eventReceiver'

Replace SERVICE_ACCOUNT_USER_EMAIL with the email address for the service account.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an unauthenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --allow-unauthenticated flag grants the Cloud Run Invoker role (roles/run.invoker) to allUsers, so anyone who can reach the service URL can send it requests, not only Eventarc; make sure the service itself validates the events it receives.

Pub/Sub topic

To ensure that you receive events from third-party sources, while delivering to an unauthenticated Cloud Run target:

User roles

Grant the Eventarc Admin role (roles/eventarc.admin) to the user:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=PRINCIPAL \
  --role='roles/eventarc.admin'

Replace the following values:

  • PROJECT_ID: the Google Cloud project ID.
  • PRINCIPAL: The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

    Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com

Trigger service account roles

N/A. With an unauthenticated target the trigger's service account does not need the Cloud Run Invoker role, and Pub/Sub triggers do not use the Eventarc Event Receiver role.

Pub/Sub service account role

The Service Account Token Creator role (roles/iam.serviceAccountTokenCreator) is granted by default to the Pub/Sub service account.

Important: If you enabled the Pub/Sub service account on or before April 8, 2021, grant the following role to the Pub/Sub service account per project.

export PROJECT_NUMBER="$(gcloud projects describe $(gcloud config get-value project) --format='value(projectNumber)')"

gcloud projects add-iam-policy-binding $(gcloud config get-value project) \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-pubsub.iam.gserviceaccount.com" \
    --role='roles/iam.serviceAccountTokenCreator'

Cloud Run flag

Deploy the event receiver service as an unauthenticated Cloud Run target using the following command:

gcloud run deploy SERVICE_NAME \
  --image gcr.io/$(gcloud config get-value project)/IMAGE_NAME \
  --allow-unauthenticated

Replace the following values:

  • SERVICE_NAME: the Cloud Run service name.
  • IMAGE_NAME: the name of the container image to deploy.

The --allow-unauthenticated flag grants the Cloud Run Invoker role (roles/run.invoker) to allUsers, so anyone who can reach the service URL can send it requests, not only Eventarc; make sure the service itself validates the events it receives.
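The authenticated and unauthenticated procedures above (Cloud Audit Logs, direct events and Pub/Sub topic) list the same small set of bindings in different combinations, and a missing one usually surfaces only as rejected deliveries after the trigger exists. The following Python script is an added example, not part of this page or of Google's tooling: it encodes that role matrix and checks captured IAM policies against it, printing the gcloud command from this page for each missing binding. The project, service, region, user and service-account names are assumed placeholders, and the three policy documents are constructed sample output of `gcloud ... get-iam-policy --format=json`, not real policies. Conditional bindings are deliberately not counted, because IAM only honors them while the condition holds, and the script also reports whether the service is invokable by allUsers, which is what --allow-unauthenticated grants.

```python
"""Check the IAM bindings an Eventarc trigger needs against captured policies.

Added example, not Google's tooling. In real use, save the JSON output of
  gcloud projects get-iam-policy PROJECT_ID --format=json
  gcloud run services get-iam-policy SERVICE_NAME --region=REGION --format=json
  gcloud iam service-accounts get-iam-policy TRIGGER_SA --format=json
and pass the three parsed documents to audit() under the keys project/service/sa.
"""

# Well-known service agent e-mail formats, derived from the project number.
PUBSUB_AGENT = "service-{n}@gcp-sa-pubsub.iam.gserviceaccount.com"
STORAGE_AGENT = "service-{n}@gs-project-accounts.iam.gserviceaccount.com"

# Assumed placeholder names for the demo (not real resources).
PROJECT_ID = "example-project"
PROJECT_NUMBER = "123456789012"
REGION = "us-central1"
SERVICE = "event-receiver"
TRIGGER_SA = "eventarc-trigger@example-project.iam.gserviceaccount.com"
USER = "user:dev@example.com"


def required_bindings(event_type, authenticated):
    """(scope, role, member) triples this page lists for one trigger.

    event_type: "audit_log", "storage" (direct event from Cloud Storage) or "pubsub".
    scope: "project", "service" (the Cloud Run target) or "sa" (the trigger's SA).
    """
    req = [
        ("project", "roles/eventarc.admin", USER),
        ("project", "roles/iam.serviceAccountTokenCreator",
         "serviceAccount:" + PUBSUB_AGENT.format(n=PROJECT_NUMBER)),
    ]
    if authenticated or event_type != "pubsub":
        req.append(("sa", "roles/iam.serviceAccountUser", USER))
    if authenticated:  # private target: the trigger's SA must be allowed to invoke it
        req.append(("service", "roles/run.invoker", "serviceAccount:" + TRIGGER_SA))
    if event_type in ("audit_log", "storage"):
        req.append(("project", "roles/eventarc.eventReceiver", "serviceAccount:" + TRIGGER_SA))
    if event_type == "storage":
        req.append(("project", "roles/pubsub.publisher",
                    "serviceAccount:" + STORAGE_AGENT.format(n=PROJECT_NUMBER)))
    return req


def granted(policy):
    """Flatten a policy into (role, member) pairs. Conditional bindings are
    skipped: IAM only honors them while the condition evaluates true."""
    return {(b["role"], m) for b in policy.get("bindings", [])
            if not b.get("condition") for m in b.get("members", [])}


def fix_command(scope, role, member):
    """The gcloud command from this page that grants one missing binding."""
    if scope == "project":
        return f"gcloud projects add-iam-policy-binding {PROJECT_ID} --member='{member}' --role='{role}'"
    if scope == "service":
        return (f"gcloud run services add-iam-policy-binding {SERVICE} --region={REGION} "
                f"--member='{member}' --role='{role}'")
    return f"gcloud iam service-accounts add-iam-policy-binding {TRIGGER_SA} --member='{member}' --role='{role}'"


def is_public(service_policy):
    """True when allUsers holds roles/run.invoker, which is what --allow-unauthenticated grants."""
    return ("roles/run.invoker", "allUsers") in granted(service_policy)


def audit(event_type, authenticated, policies):
    """Return {"missing": [...], "fixes": [...], "warnings": [...]} for the captured policies."""
    have = {scope: granted(p) for scope, p in policies.items()}
    missing = [t for t in required_bindings(event_type, authenticated)
               if (t[1], t[2]) not in have.get(t[0], set())]
    fixes = [fix_command(*t) for t in missing]
    warnings = []
    public = is_public(policies["service"])
    if authenticated and public:
        warnings.append("target is invokable by allUsers; the run.invoker grant to the trigger SA is moot")
    if not authenticated and not public:
        warnings.append("unauthenticated delivery chosen but the service is private; Cloud Run will reject deliveries")
        fixes.append(f"gcloud run services add-iam-policy-binding {SERVICE} --region={REGION} "
                     "--member='allUsers' --role='roles/run.invoker'")
    return {"missing": missing, "fixes": fixes, "warnings": warnings}


# Constructed sample output of the three get-iam-policy commands (not real policies).
SAMPLE_POLICIES = {
    "project": {"bindings": [
        {"role": "roles/eventarc.admin", "members": [USER]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:" + PUBSUB_AGENT.format(n=PROJECT_NUMBER)]},
        # Granted under an IAM condition that has expired, so it must not count.
        {"role": "roles/eventarc.eventReceiver", "members": ["serviceAccount:" + TRIGGER_SA],
         "condition": {"title": "expired", "expression": "request.time < timestamp('2021-01-01T00:00:00Z')"}},
    ]},
    "service": {"bindings": [{"role": "roles/run.invoker", "members": ["serviceAccount:" + TRIGGER_SA]}]},
    "sa": {"bindings": [{"role": "roles/iam.serviceAccountUser", "members": [USER]}]},
}

if __name__ == "__main__":
    for event_type, authenticated in (("storage", True), ("pubsub", False)):
        report = audit(event_type, authenticated, SAMPLE_POLICIES)
        print(f"{event_type} / authenticated={authenticated}")
        for line in report["fixes"] + report["warnings"]:
            print("  " + line)
```

Against the sample policies, an authenticated Cloud Storage trigger is reported as missing roles/eventarc.eventReceiver (the existing grant is conditional) and roles/pubsub.publisher for the Cloud Storage service agent, while an unauthenticated Pub/Sub trigger has every listed binding but the service is still private, so the allUsers invoker grant that --allow-unauthenticated would have made is printed as the fix.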