Use this option if your service is a public API or website.
You can allow unauthenticated invocations to a service by assigning the IAM
Cloud Run Invoker role to the allUsers
member type, at any time using
the console or the gcloud command line:
Console
When creating a new service, you can allow unauthenticated invocations by checking the checkbox labelled Allow unauthenticated invocations.
To allow unauthenticated invocations for an existing service:
Go to the Google Cloud console:
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field,
allUsers
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
Command line
When creating a new service with gcloud run deploy
, you are
prompted to "Allow unauthenticated access".
Alternatively, when you use the gcloud run deploy
command, you can
specify explicitly whether or not to make your service publicly accessible:
gcloud run deploy SERVICE ... --allow-unauthenticated
To allow unauthenticated invocations for an existing service, grant the
special allUsers
member type the roles/run.invoker
role on the service:
gcloud run services add-iam-policy-binding SERVICE \ --member="allUsers" \ --role="roles/run.invoker"
YAML
Create a file named policy.yaml
with the following content:
bindings:
- members:
- allUsers
role: roles/run.invoker
Allow unauthenticated invocations for the existing SERVICE using:
gcloud run services set-iam-policy SERVICE policy.yaml
Terraform
The following Terraform code creates a Cloud Run service.
Replace us-docker.pkg.dev/cloudrun/container/hello
with a reference to your container.
The following Terraform code allows that service to be invoked without authentication.