Mapping custom domains

You can use a custom domain rather than the default address that Cloud Run and Cloud Run on GKE provide for a deployed service.

To use a custom domain for a service, you map your service to the custom domain, then update your DNS records. You can map a service to a domain, such as example.comor to a subdomain, such as

If you are using HTTPS, the following considerations apply:

  • For Cloud Run, a managed certificate for HTTPS connections is automatically issued when you map a service to a custom domain. Note that provisioning the SSL certificate should take about 15 minutes. You cannot upload and use your own certificates.

  • For Cloud Run on GKE, only HTTP is available by default. You can install a wildcard SSL certificate to enable SSL for all services mapped to domains included in the wildcard SSL certificate. For more information see Enabling HTTPS.

You can map multiple custom domains to the same Cloud Run service.

Before you begin

Purchase a new domain, unless you already have one that you want to use. You can use any domain name registrar, but if you use Google Domains, the domain is automatically verified for Cloud Run, so you won't have to go through the domain verification process.

Mapping a custom domain to a service

You can use the gcloud command line to map a custom domain to a service.


  1. Go to the Cloud Run domain mapping page:
    Domain mapping page

    Note that if your display window is too small, if you navigate to the Domain Mapping page from the main Cloud Run page, the Mapping Custom Domains button isn't displayed: you have to click the 3-dot vertical ellipse icon at the right of the page.

  2. In the Domain Mapping page, click Add Mapping.

  3. From the dropdown list in the Add Mapping form, select the service you are mapping the custom domain to:

    Add domain mapping

  4. Enter the domain name.

  5. Click Continue.

  6. For Cloud Run only (not for Cloud Run on GKE), you will need to verify the ownership of a domain before being able to use it, unless you purchased your domain from Google. If you want to map, you should verify ownership of For more information on verifying domain ownership, refer to Webmaster Central help

  7. Update your DNS records at your domain registrar web site using the DNS records displayed in the last step. You can display the records at any time by clicking DNS Records in the "..." action menu for a domain mapping.

  8. Click Done.

Command line

  1. For Cloud Run only, you must verify domain ownership the first time you use that domain in the Google Cloud Platform project, unless you purchased your custom domain from Google. If your ownership of the domain needs to be verified, open the Webmaster Central verification page:

    gcloud domains verify BASE-DOMAIN

    where BASE-DOMAIN is the base domain you want to verify. For example, if you want to map, you should verify the ownership of

    In Webmaster Central, complete domain ownership verification. For more information, refer to Webmaster Central help.

  2. Map your service to the custom domain:

    gcloud beta run domain-mappings create --service [SERVICE] --domain [DOMAIN]
    • Replace [SERVICE] with your service name.
    • Replace [DOMAIN] with your custom domain, for example, or
  3. Get the DNS record data you need to Update the DNS record at your DNS provider where you purchased the custom domain:

    gcloud beta run domain-mappings describe --domain [DOMAIN]

    Replace [DOMAIN] with your custom domain, for example, or

    You need all of the records returned under the heading resourceRecords.

  4. If you are using Cloud Run on GKE, reserve the IP address attached to the Load Balancer for the istio-ingressgateway service as a static IP:

    gcloud compute addresses create [ADDRESS-NAME] --addresses [EXTERNAL-IP] --region [REGION]


    • [ADDRESS-NAME] with the name you want to give your static IP.
    • [EXTERNAL-IP] with the IP address in the A record you obtained. in the previous step using gcloud beta run domain-mapping describe.
    • [REGION] with the region you are using. (Not the cluster zone.)

Base path mapping

The term base path refers to the URL path name that is after the domain name. For example, users is the base path of Cloud Run only allows you to map a domain to /, not to a specific base path. So any path routing has to be handled by using a router inside the service's container or by using Firebase Hosting.

Add your DNS records at your domain registrar

After you've mapped your service to a custom domain in Cloud Run, you need to update your DNS records at your domain registrar. As a convenience, Cloud Run generates and displays the DNS records you need to enter. You must add these records that point to the Cloud Run service at your domain registrar for the mapping to go into effect.

  1. Retrieve the DNS record information for your domain mapping using:


    1. Go to the Cloud Run domain mapping page:
      Domain mapping page

    2. Click the 3-dot vertical ellipse icon to the right of your service, then click DNS RECORDS to display all the DNS records:

    select DNS records

    Command line

    gcloud beta run domain-mappings describe --domain [DOMAIN]

    Replace [DOMAIN] with your custom domain, for example, or

    You need all of the records returned under the heading resourceRecords.

  2. Log in to your account at your domain registrar and then open the DNS configuration page.

  3. Locate the host records section of your domain's configuration page and then add each of the resource records that you received when you mapped your domain to your Cloud Run service.

  4. When you add each of the above DNS records to the account at the DNS provider:

    • Select the type returned in the DNS record in the previous step: A, or AAAA, or CNAME.
    • Use the name www to map to
    • Use the name @ to map
  5. Save your changes in the DNS configuration page of your domain's account. In most cases, it takes only a few minutes for these changes to take effect, but in some cases it can take up several hours, depending on the registrar, and on the Time-To-Live (TTL) of any previous DNS records for your domain.

  6. Test for success by browsing to your service at its new URL, for example Note that if you are testing with https:// in Cloud Run, it can take several minutes for the automatic SSL certificate to be issued before you can successfully use https://.

Adding verified domain owners users or service accounts

When a user verifies a domain, that domain is only verified to that user's account. This means that only that user can add more domain mappings that use that domain. So, to enable other users to add mappings that use that domain, you must add them as verified owners.

If you need to add verified owners of your domain to other users or service accounts, you can add permission through the Webmaster Central page:

  1. Navigate to this address in your web browser:

  2. Under Properties, click the domain for which you want to add a user or service account.

  3. Scroll down to the Verified owners list, click Add an owner, and then enter a Google Account email address or service account ID.

    To view a list of your service accounts, open the Service Accounts page in the GCP Console:

    Go to Service Accounts page

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Run Documentation