Authenticating developers

In addition to administrative actions such as creating, updating, and deleting services, developers often want to test services privately before releasing them.

Before you start

Make sure you grant permissions to access the services you are authenticating to. You must grant the Cloud Run Invoker role to the developer or group of developers:

Console UI

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Select the service.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Click Add members.

  5. In the Add members field, enter the developer account email.

  6. Select the Cloud Run Invoker role from the Select a role drop-down menu.

  7. Click Save.


Use the gcloud run services add-iam-policy-binding command:

gcloud run services add-iam-policy-binding SERVICE \
  --member='USER:EMAIL' \


  • SERVICE is the name of the service.
  • USER is the value user or group depending on whether you are authorizing a single developer or a group.
  • EMAIL is the email account.

    For example:

    gcloud run services add-iam-policy-binding myservice \
    --member='' \

Testing your private service

The easiest way to test a service that requires authentication is to use a tool like curl and pass an auth token in the Authorization header:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" SERVICE_URL

In order for the curl command to work, you must pass a valid identity token for a user with the run.routes.invoke permission, such as the Cloud Run Admin or Cloud Run Invoker. See Cloud Run IAM Roles for the full list of roles and their associated permissions.

As shown in the example, in order to get a valid identity token for the identity currently logged into gcloud, you can use gcloud auth print-identity-token. Note that the ID tokens generated using the gcloud command should be used only in a development setting because it doesn't require 'audience' to be specified. Requiring audience reduces the risk of replay attacks. In contrast, audience is required when generating tokens from service accounts.

For convenient reuse, you can create a command-line alias in your Linux or macOS shell profile:

alias gcurl='curl --header "Authorization: Bearer $(gcloud auth print-identity-token)"'

Use it to make requests to your services:


To test a website or API in your browser, you can use browser extensions that modify HTTP request headers.