Authenticating developers

In addition to administrative actions such as creating, updating, and deleting services, developers often want to test services privately before releasing them.

Before you start

Make sure you grant permissions to access the services you are authenticating to. You must grant the Cloud Run Invoker role to the developer or group of developers:

Console UI

Go to the Google Cloud Platform Console:
Go to Google Cloud Platform Console
Select the service.
Click Show Info Panel in the top right corner to show the Permissions tab.
Click Add members.
In the Add members field, enter the developer account email.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Save.

GCloud

Use the gcloud beta run services add-iam-policy-binding command:

gcloud beta run services add-iam-policy-binding SERVICE \
  --member='[USER]:[EMAIL]' \
  --role='roles/run.invoker'

where

[SERVICE] is the name of the service.
[USER] is the value user or group depending on whether you are authorizing a single developer or a group.

[EMAIL] is the email account.

For example:

gcloud beta run services add-iam-policy-binding myservice \
--member='user:test-user@gmail.com' \
--role='roles/run.invoker'

Authenticating

The easiest way to test services is to use a tool like curl and pass an auth token in the Authorization header:

curl -H "Authorization: Bearer $(gcloud config config-helper --format 'value(credential.id_token)')" [SERVICE_URL]

In order for the curl command to work, you must pass a valid identity token for a user with the run.routes.invoke permission, such as the Cloud Run Admin or Cloud Run Invoker. See Cloud Run IAM Roles for the full list of roles and their assoiciated permissions.

As shown in the example, in order to get a valid identity token, you can use gcloud config config-helper --format 'value(credential.id_token)'.

For convenient reuse, you can create a command-line alias in your Linux or macOS shell profile:

alias gcurl='curl --header "Authorization: Bearer $(gcloud config config-helper --format=value\(credential.id_token\))"'

Use it to make requests to your services:

gcurl [OPTIONAL_CURL_FLAGS] [SERVICE_URL]

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated May 28, 2019.