In addition to administrative actions such as creating, updating, and deleting services, developers often want to test services privately before releasing them.
Before you start
Make sure you grant permissions to access the services you are authenticating to. You must grant the Cloud Run Invoker role to the developer or group of developers:
Go to the Google Cloud Platform Console:
Select the service.
Click Show Info Panel in the top right corner to show the Permissions tab.
Click Add members.
In the Add members field, enter the developer account email.
Cloud Run Invokerrole from the Select a role drop-down menu.
gcloud beta run services add-iam-policy-binding command:
gcloud beta run services add-iam-policy-binding SERVICE \ --member='[USER]:[EMAIL]' \ --role='roles/run.invoker'
- [SERVICE] is the name of the service.
- [USER] is the value
groupdepending on whether you are authorizing a single developer or a group.
[EMAIL] is the email account.
gcloud beta run services add-iam-policy-binding myservice \ --member='user:email@example.com' \ --role='roles/run.invoker'
The easiest way to test services is to use a tool like
curl and pass an auth
token in the
curl -H "Authorization: Bearer $(gcloud config config-helper --format 'value(credential.id_token)')" [SERVICE_URL]
In order for the
curl command to work, you must pass a valid identity token
for a user with the
run.routes.invoke permission, such as the
Cloud Run Admin or Cloud Run Invoker. See
Cloud Run IAM Roles for the full
list of roles and their assoiciated permissions.
As shown in the example, in order to get a valid identity token, you can use
gcloud config config-helper --format 'value(credential.id_token)'.
For convenient reuse, you can create a command-line alias in your Linux or macOS shell profile:
alias gcurl='curl --header "Authorization: Bearer $(gcloud config config-helper --format=value\(credential.id_token\))"'
Use it to make requests to your services:
gcurl [OPTIONAL_CURL_FLAGS] [SERVICE_URL]