Cloud Run IAM Roles

Curated roles

The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Run (fully managed), and lists the permissions that are contained in each role.

Roles can be granted to users on an entire project or on individual services. Read Managing access using IAM to learn more.

Roles only apply to Cloud Run (fully managed) services, they do not apply to Cloud Run (fully managed) domain mappings. The Project > Editor role is needed to create or update domain mappings.

Role Description Permissions
roles/run.admin Can create, update, and delete services.
Can get and set IAM policies.
Requires additional configuration in order to deploy services.		 run.services.get
run.services.list
run.services.create
run.services.update
run.services.delete
run.services.getIamPolicy
run.services.setIamPolicy
run.routes.get
run.routes.list
run.routes.invoke
run.configurations.get
run.configurations.list
run.revisions.get
run.revisions.list
run.locations.get
run.locations.list
roles/run.viewer Can view services.
Can get IAM policies.		 run.services.get
run.services.list
run.services.getIamPolicy
run.routes.get
run.routes.list
run.configurations.get
run.configurations.list
run.revisions.get
run.revisions.list
run.locations.get
run.locations.list
roles/run.invoker Can invoke services. run.routes.invoke

For a reference describing the IAM roles contained in each IAM permission, refer to Cloud Run IAM Permissions.

Custom roles

For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.

If the role contains permissions that let a developer deploy services, then you must perform the additional configuration below.

Deployment permissions

A user needs the following permissions to deploy new Cloud Run services or revisions:

  • run.services.create and run.services.update on the project level. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
  • iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.

To assign the IAM Service Account User role on the Cloud Run runtime service account:

Console UI

  1. Go to the Service accounts page of the Google Cloud Console:

    Go to Service accounts

  2. Select the Runtime Service Account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) from the table.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Click the Add member button.

  5. Enter the member (e.g. user or group email) that matches the member you're granting the Admin or Developer role to.

  6. In the Select a role dropdown, select the Service Accounts > Service Account User role.

  7. Click Save.

gcloud

  1. Use the gcloud iam service-accounts add-iam-policy-binding command, replacing [VALUES_IN_BRACKETS] with appropriate values:
gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="[MEMBER]" \
  --role="roles/iam.serviceAccountUser"

Optional permissions for Cloud Run users

The following optional permissions can be considered when configuring accounts with minimal permission set:

  • monitoring.timeSeries.list on the project level. Typically assigned through the roles/monitoring.viewer role. It allows user to access metrics generated by their service. For more information, go to the Stackdriver documentation for Access Control.
  • logging.logEntries.list on the project level. Typically assigned through the roles/logging.viewer role. It allows user to access logs generated by their service. For more information, go to the Access Control guide in the Stackdriver Logging documentation.