# Authenticate developers

In addition to administrative actions such as creating, updating, and deleting services, developers often want to test services privately before releasing them. This option is for Cloud Run services and not Cloud Run jobs.

Before you start
----------------

Make sure you grant permissions to access the services you are authenticating to. You must grant the Cloud Run Invoker role to the developer or group of developers:

### Console UI

1. Go to the Google Cloud console:

   [Go to Google Cloud console](https://console.cloud.google.com/run/)

2. Select the service, but don't click it.

3. Click the **Permissions** tab in the right side panel. (You might need to first click **Show Info Panel** in the top right corner.)

4. Click **Add Principal**.

5. In the **New principals** field, enter the developer account email.

6. Select the `Cloud Run Invoker` role from the **Select a role** drop-down menu.

7. Click **Save**.

### gcloud

Use the `gcloud run services add-iam-policy-binding` command:

```bash
gcloud run services add-iam-policy-binding SERVICE \
  --member='USER:EMAIL' \
  --role='roles/run.invoker'
```

where

- `SERVICE` is the name of the service.
- `USER` is the value `user` or `group` depending on whether you are authorizing a single developer or a group.
- `EMAIL` is the email account.

For example:

```bash
gcloud run services add-iam-policy-binding myservice \
  --member='user:test-user@gmail.com' \
  --role='roles/run.invoker'
```

### Terraform

To learn how to apply or remove a Terraform configuration, see [Basic Terraform commands](/docs/terraform/basic-commands). Add the following to a [`google_cloud_run_v2_service`](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service) resource in your Terraform configuration:

```hcl
resource "google_cloud_run_v2_service_iam_binding" "binding" {
  project  = "PROJECT"
  location = "LOCATION"
  name     = "SERVICE"
  role     = "roles/run.invoker"
  members  = [
    "user:EMAIL",
  ]
}
```

Replace:

- `PROJECT` with the project ID the service belongs to.
- `LOCATION` with the location of the Cloud Run service.
- `SERVICE` with the name of the Cloud Run service to bind the IAM policy to.
- `EMAIL` with the email account of the user you are granting permissions to.

Test your private service
-------------------------

You can use the Cloud Run proxy or `curl` to test your private service.

### Use the Cloud Run proxy in Google Cloud CLI

The easiest way to test private services is to use the [Cloud Run proxy in Google Cloud CLI](/sdk/gcloud/reference/run/services/proxy). This proxies the private service to `http://localhost:8080` (or to the port specified with `--port`), providing the token of the active account or another token you specify. This lets you use a web browser or a tool like `curl`, and is the recommended way to privately test a website or API in your browser.

You can proxy a service locally using the following command line in a Linux, macOS, [WSL (preferred)](https://docs.microsoft.com/en-us/windows/wsl/install-win10), or [cygwin](https://cygwin.com/install.html) environment:

```bash
gcloud run services proxy SERVICE --project PROJECT-ID
```

### Use `curl`

Alternatively, you can test private services without the proxy by using a tool like `curl` and passing an auth token in the `Authorization` header:

```bash
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" SERVICE_URL
```

For the `curl` command to work, you must pass a valid ID token for a user with the `run.routes.invoke` permission, such as the *Cloud Run Admin* or *Cloud Run Invoker* role. See [Cloud Run IAM Roles](/run/docs/reference/iam/roles) for the full list of roles and their associated permissions.

> **Note:** To use the `curl` command on Microsoft Windows, you might need the [WSL (preferred)](https://docs.microsoft.com/en-us/windows/wsl/install-win10) or [cygwin](https://cygwin.com/install.html) command line.

To get a valid ID token for the identity logged into the gcloud CLI, use the [`gcloud auth print-identity-token`](/sdk/gcloud/reference/auth/print-identity-token) command. You can use tokens created by the gcloud CLI to invoke HTTP requests in any project, as long as your account has the `run.routes.invoke` permission on the service.

For development purposes, use gcloud CLI-generated ID tokens. However, note that such tokens lack an audience claim, which makes them susceptible to replay attacks: a token that names no audience is accepted by any service the account may invoke, not just the one it was obtained for. In production environments, use ID tokens issued for a service account with the appropriate audience specified. This approach enhances security by restricting token usage to the intended service only. For non-Google Accounts, use [Workforce Identity Federation](/iam/docs/workload-identity-federation) to invoke your Cloud Run service so you don't have to download a service account key.

We recommend that you allocate the [minimum set of permissions](/iam/docs/best-practices-service-accounts#limit-service-account-privileges) required to develop and use your services. Make sure that IAM policies on your services are limited to the minimum number of users and service accounts.

Last updated 2025-09-04 UTC.
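The audience rule described above, as an added example that is not part of this page or of Google's client libraries: the checker below decodes the claims of a Google ID token and rejects tokens that carry no `aud`, an `aud` for a different service, or an `exp` in the past, which is exactly the property that makes an audience-bound token safe to present to one Cloud Run service and useless against another. The service URL, the fixed clock value and the sample tokens are constructed placeholders, and the tokens are unsigned, so this demonstrates the claim logic only; real callers and services must also verify the signature, which `google.oauth2.id_token.verify_oauth2_token` in the google-auth library does together with the issuer and audience checks.

```python
import base64
import json
import time

# Issuers Google uses for ID tokens (assumption: the pair google-auth accepts).
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed placeholder values so the example runs offline and deterministically.
SAMPLE_SERVICE_URL = "https://myservice-EXAMPLE-uc.a.run.app"
NOW = 1_700_000_000  # fixed "current time" in epoch seconds


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified_payload(token: str) -> dict:
    """Return the claims of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(token: str, expected_audience: str, now=None) -> list:
    """List the claim problems that should stop this token being used.

    An empty list means the token is bound to expected_audience and still valid.
    Signature verification is deliberately out of scope here (see lead-in).
    """
    now = time.time() if now is None else now
    claims = decode_unverified_payload(token)
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("issuer is not Google")
    aud = claims.get("aud")
    if aud is None:
        problems.append("no audience claim: token is replayable against any service")
    elif aud != expected_audience:
        problems.append(f"audience {aud!r} does not match {expected_audience!r}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"constructed-placeholder-signature")
    return f"{header}.{payload}.{signature}"


def sample_tokens() -> dict:
    """Four constructed tokens: one audience-bound and three that must be rejected."""
    base = {
        "iss": "https://accounts.google.com",
        "sub": "1234567890",
        "email": "dev@example.com",
        "iat": NOW,
        "exp": NOW + 3600,
    }
    return {
        "audience_bound": make_unsigned_token({**base, "aud": SAMPLE_SERVICE_URL}),
        "no_audience": make_unsigned_token(base),
        "wrong_audience": make_unsigned_token(
            {**base, "aud": "https://other-service-EXAMPLE-uc.a.run.app"}
        ),
        "expired": make_unsigned_token({**base, "aud": SAMPLE_SERVICE_URL, "exp": NOW - 1}),
    }


if __name__ == "__main__":
    for name, token in sample_tokens().items():
        problems = check_id_token_claims(token, SAMPLE_SERVICE_URL, now=NOW)
        print(f"{name:15} -> {'OK' if not problems else '; '.join(problems)}")
```

Only the `audience_bound` token passes; the `no_audience` case is the gcloud development-token situation the page warns about, and the `wrong_audience` case shows why a production token minted for one service cannot be reused against another.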