Allowing public (unauthenticated) access

Use this option if your service is a public API or website.

You can allow unauthenticated invocations to a service by assigning the IAM Cloud Run Invoker role to the allUsers member type, at any time using the console or the gcloud command line:

Console UI

  1. Go to the Google Cloud Platform Console:

    Go to Google Cloud Platform Console

  2. Select the service you want to make public.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, allUsers

  5. Select the Cloud Run Invoker role from the Select a role drop-down menu.

  6. Click Add.

You can also allow unauthenticated invocations to a service when you deploy: check the checkbox labelled Allow unauthenticated invocations if you use the console. If you use the gcloud command line gcloud beta run deploy, you are prompted to allow unauthenticated access. Responding "yes" will perform the actions described above in the gcloud tab to make the service publicly available. Responding "no" leaves the service private.


You can make a service publicly accessible by adding the special allUsers member type to a service and granting it the roles/run.invoker role:

  gcloud beta run services add-iam-policy-binding [SERVICE_NAME] \
    --member="allUsers" \

This role is included in gcloud beta run services update with the --allow-unauthenticated flag:

gcloud beta run services update [SERVICE_NAME] --allow-unauthenticated

Additionally, when you deploy your service with the gcloud beta run deploy command, you can specify whether or not to make your service publicly accessible:

gcloud beta run deploy [SERVICE_NAME] ... --allow-unauthenticated

Subsequent deployments lacking the --allow-unauthenticated flag will not change the IAM policy.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Run Documentation