This option is for a Cloud Run service that is a public API or website.
You can allow unauthenticated invocations to a service by assigning the Cloud Run Invoker IAM role to the allUsers member type.
You must have the run.services.setIamPolicy permission to configure authentication on a Cloud Run service. This permission is included in both the Owner and Cloud Run Admin roles. See Cloud Run IAM roles for the full list of roles and their associated permissions.
Console UI
For an existing Cloud Run service:
Go to the Google Cloud console:
Click the checkbox at the left of the service you want to make public. (Don't click the service itself.)
In the information pane in the top right corner, click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.
Click Add principal.
In the New principals field, enter the value allUsers.
From the Role drop-down menu, select the Cloud Run Invoker role.
Click Save.
You will be prompted to verify that you would like to make this resource public. Click Allow public access to apply the change to the service IAM settings.
For a new service, select Allow unauthenticated invocations in the Authentication tab when you create it to make the service publicly available. Selecting Require authentication will make the service private.
gcloud
To make a service publicly accessible, use the gcloud run services command to add the special allUsers member type to a service and grant it the roles/run.invoker role:
gcloud run services add-iam-policy-binding [SERVICE_NAME] \
    --member="allUsers" \
    --role="roles/run.invoker"
Run the gcloud run deploy command to make your service publicly accessible when you deploy your service:
gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated
YAML
Create a file named policy.yaml with the following content:
bindings:
- members:
  - allUsers
  role: roles/run.invoker
Allow unauthenticated invocations for the existing SERVICE using:
gcloud run services set-iam-policy SERVICE policy.yaml
Terraform
To create a Cloud Run service, add the following to your existing main.tf file:
To update the service IAM binding for roles/run.invoker, add the following resource referencing your Cloud Run service:
This binding is only authoritative for the given role. Other IAM bindings within the service IAM policy are preserved.
Domain restricted sharing
If the project is subject to the domain restricted sharing constraint in an organization policy, you will be unable to create public services by default. You can use tags and conditional policy to exempt specific services from this constraint. For details, refer to the blog post on creating public Cloud Run services when domain restricted sharing is enforced.
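Each method above ends in the same state: a binding of roles/run.invoker to allUsers in the service's IAM policy. The following Python script is an added example, not part of the original documentation; it audits policies in the JSON shape returned by gcloud run services get-iam-policy SERVICE --format=json and reports public services that are missing from an allow-list. The service names, sample policies and the approved_public allow-list are constructed for illustration, and allAuthenticatedUsers is checked in addition to the allUsers member this page uses.

```python
import json

# Public principals: allUsers (granted on this page) and allAuthenticatedUsers.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"

def public_invoker_bindings(policy):
    """Findings for one IAM policy dict, as parsed from
    `gcloud run services get-iam-policy SERVICE --format=json`.
    A policy without any bindings has no "bindings" key at all."""
    findings = []
    for binding in policy.get("bindings") or []:
        if binding.get("role") != INVOKER_ROLE:
            continue
        condition = binding.get("condition") or {}
        for member in binding.get("members") or []:
            if member in PUBLIC_MEMBERS:
                findings.append({
                    "member": member,
                    "role": INVOKER_ROLE,
                    # CEL expression if the binding is conditional, else None
                    "condition": condition.get("expression"),
                })
    return findings

def audit(policies, approved_public):
    """Return {service: findings} for public services not on the approved list."""
    report = {}
    for service, policy in policies.items():
        findings = public_invoker_bindings(policy)
        if findings and service not in approved_public:
            report[service] = findings
    return report

# Constructed sample data: hypothetical service names and policies.
SAMPLE_POLICIES = {
    "public-site": {"bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]}]},
    "billing-api": {"bindings": [
        {"role": "roles/run.invoker", "members": [
            "serviceAccount:caller@example-project.iam.gserviceaccount.com",
            "allUsers"]}]},
    "internal-worker": {"bindings": [
        {"role": "roles/run.invoker", "members": [
            "serviceAccount:caller@example-project.iam.gserviceaccount.com"]}]},
    "new-service": {"etag": "constructed-etag"},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICIES, approved_public={"public-site"}), indent=2))
```

With the sample data, only billing-api is reported: public-site is public but approved, and the other two services have no public invoker binding.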