Stay organized with collections
Save and categorize content based on your preferences.
Authenticate for invocation
This document provides supplemental information on how to invoke functions
created using the
Cloud Functions v2 API—for example, using
gcloud functions, the REST API, or Terraform. For detailed information and
examples, see the Cloud Run
Authenticate requests guides. The topics
covered in the Cloud Run guides also apply to functions created using the
Cloud Functions v2 API, since v2 functions also
use the
Cloud Run Invoker role
(roles/run.invoker).
To invoke an authenticated function, the underlying
principal must meet the following requirements:
Have permission to invoke the function.
Provide an ID token when it invokes the function.
Cloud Run functions supports two different kinds of identities, which are also
called principals:
Service accounts: These are special accounts that serve as the identity of a
non-person, like a function or an application or a VM. They give you a way
to authenticate these non-persons.
User accounts: These accounts represent people, either as individual
Google Account holders or as part of a Google-controlled entity like a Google
Group.
See the IAM overview to learn more about
basic IAM concepts.
To invoke an authenticated function, the principal must have the invoker
IAM permission:
run.routes.invoke. This is usually through the
Cloud Run Invoker role. This
permission must be assigned on the Cloud Run service resource.
For permission to create, update, or perform other administrative actions on a
function, the principal must have an appropriate role. Roles include permissions that define the actions that the principal is allowed to do. See
Using IAM to Authorize Access
for more information.
Event-driven functions can only be invoked by the event source that they're
subscribed to. HTTP functions, however, can be invoked by different identity
types originating from different places, such as by a developer testing the
function or by another service using the function. Identities must provide an ID
token for authentication. The account in use must also have the appropriate
permissions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eTo invoke an authenticated Cloud Run function, the principal must have the \u003ccode\u003erun.routes.invoke\u003c/code\u003e permission, typically through the Cloud Run Invoker role, and provide an ID token.\u003c/p\u003e\n"],["\u003cp\u003ePrincipals can be service accounts (for non-persons like functions or applications) or user accounts (for individual Google Account holders or groups), both requiring appropriate permissions to invoke functions.\u003c/p\u003e\n"],["\u003cp\u003eDevelopers can test functions by assigning the Cloud Run Invoker role to their user account, using the Google Cloud CLI to generate ID tokens for requests, and allocating the minimum required permissions to operate.\u003c/p\u003e\n"],["\u003cp\u003eFor function-to-function calls, grant the calling function's service account the Cloud Run Invoker role on the receiving function's service, ensuring the calling function provides a Google-signed ID token.\u003c/p\u003e\n"],["\u003cp\u003eID tokens can be generated programmatically using authentication libraries or manually by using the Compute metadata server or exchanging a self-signed JWT for a Google-signed ID token, with the latter two methods being more complex.\u003c/p\u003e\n"]]],[],null,["# Authenticate for invocation\n===========================\n\nThis document provides supplemental information on how to invoke functions\ncreated using the\n[Cloud Functions v2 API](/functions/docs/apis)---for example, using\n`gcloud functions`, the REST API, or Terraform. For detailed information and\nexamples, see the Cloud Run\n[Authenticate requests](/run/docs/authenticating/overview) guides. The topics\ncovered in the Cloud Run guides also apply to functions created using the\n[Cloud Functions v2 API](/functions/docs/apis), since v2 functions also\nuse the\n[Cloud Run Invoker role](/run/docs/reference/iam/roles#run.invoker)\n(`roles/run.invoker`).\n\nTo invoke an authenticated function, the underlying\n**principal** must meet the following requirements:\n\n- Have permission to invoke the function.\n- Provide an ID token when it invokes the function.\n\nCloud Run functions supports two different kinds of identities, which are also\ncalled **principals**:\n\n- Service accounts: These are special accounts that serve as the identity of a non-person, like a function or an application or a VM. They give you a way to authenticate these non-persons.\n- User accounts: These accounts represent people, either as individual Google Account holders or as part of a Google-controlled entity like a Google Group.\n\nSee the [IAM overview](/iam/docs/overview) to learn more about\nbasic IAM concepts.\n\nTo invoke an authenticated function, the principal must have the invoker\nIAM **permission**:\n\n- `run.routes.invoke`. This is usually through the [Cloud Run Invoker role](/run/docs/reference/iam/roles#run.invoker). This permission must be assigned on the Cloud Run service resource.\n\nTo grant these permissions, follow the steps in the\nCloud Run\n[Authenticating service-to-service](/run/docs/authenticating/service-to-service#set-up-sa) guide.\n\nFor permission to create, update, or perform other administrative actions on a\nfunction, the principal must have an appropriate **role** . Roles include permissions that define the actions that the principal is allowed to do. See\n[Using IAM to Authorize Access](/functions/docs/securing/managing-access-iam)\nfor more information.\n\nEvent-driven functions can only be invoked by the event source that they're\nsubscribed to. HTTP functions, however, can be invoked by different identity\ntypes originating from different places, such as by a developer testing the\nfunction or by another service using the function. Identities must provide an ID\ntoken for authentication. The account in use must also have the appropriate\npermissions."]]
