Allowing public (unauthenticated) access

Use this option if your service is a public API or website.

You can allow unauthenticated invocations to a service by assigning the IAM Cloud Run Invoker role to the allUsers member type, at any time using the console or the gcloud command line:


When creating a new service, you can allow unauthenticated invocations by checking the checkbox labelled Allow unauthenticated invocations.

To allow unauthenticated invocations for an existing service:

  1. Go to the Google Cloud Console:

    Go to Google Cloud Console

  2. Select the service you want to make public.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, allUsers

  5. Select the Cloud Run Invoker role from the Select a role drop-down menu.

  6. Click Add.

Command line

When creating a new service with gcloud run deploy, you are prompted to "Allow unauthenticated access".

Alternatively, when you use the gcloud run deploy command, you can specify explicitly whether or not to make your service publicly accessible:

gcloud run deploy SERVICE ... --allow-unauthenticated

To allow unauthenticated invocations for an existing service, grant the special allUsers member type the roles/run.invoker role on the service:

  gcloud run services add-iam-policy-binding SERVICE \
    --member="allUsers" \


Create a file named policy.yaml with the following content:

- members:
  - allUsers
  role: roles/run.invoker

Allow unauthenticated invocations for the existing SERVICE using:

gcloud run services set-iam-policy SERVICE policy.yaml