Use this option if your service is a public API or website.
You can allow unauthenticated invocations to a service by assigning the IAM
Cloud Run Invoker role to the allUsers member type, at any time using
the console or the gcloud command line:
Console UI
Go to the Google Cloud Platform Console:
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field,
allUsersSelect the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
You can also allow unauthenticated invocations to a service when
you deploy: check the checkbox labelled Allow unauthenticated invocations if
you use the console. If you use the gcloud command line
gcloud beta run deploy, you are prompted to
allow unauthenticated access. Responding "yes" will perform the actions
described above in the gcloud tab to make the service publicly available.
Responding "no" leaves the service private.
GCloud
You can make a service publicly accessible by adding the special allUsers
member type to a service and granting it the roles/run.invoker
role:
gcloud beta run services add-iam-policy-binding [SERVICE_NAME] \
--member="allUsers" \
--role="roles/run.invoker"
This role is included in gcloud beta run services update with the
--allow-unauthenticated flag:
gcloud beta run services update [SERVICE_NAME] --allow-unauthenticated
Additionally, when you deploy your service with the
gcloud beta run deploy command, you can specify whether
or not to make your service publicly accessible:
gcloud beta run deploy [SERVICE_NAME] ... --allow-unauthenticated
Subsequent deployments lacking the --allow-unauthenticated flag will not
change the IAM policy.
