Cloud Run IAM roles

This page lists the Identity and Access Management (IAM) predefined roles for accessing Cloud Run resources.

Predefined roles

The following table describes IAM roles that are associated with Cloud Run, and lists the permissions that are contained in each role.

Roles can be granted to users on an entire project or on individual services. Read Managing access using IAM to learn more.

Roles only apply to Cloud Run services or jobs, they do not apply to Cloud Run domain mappings. The Project > Editor role is needed to create or update domain mappings.

Permissions

(roles/run.admin)

Full control over all Cloud Run resources.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

run.*

(roles/run.developer)

Read and write access to all Cloud Run resources.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.*

recommender.runServiceCostRecommendations.*

recommender.runServiceIdentityInsights.*

recommender.runServiceIdentityRecommendations.*

recommender.runServicePerformanceInsights.*

recommender.runServicePerformanceRecommendations.*

recommender.runServiceSecurityInsights.*

recommender.runServiceSecurityRecommendations.*

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.*

run.jobs.create

run.jobs.delete

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.jobs.run

run.jobs.runWithOverrides

run.jobs.update

run.locations.list

run.operations.*

run.revisions.*

run.routes.*

run.services.create

run.services.delete

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.services.update

run.tasks.*

(roles/run.invoker)

Can invoke a Cloud Run service.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

run.executions.cancel

run.jobs.run

run.routes.invoke

(roles/run.viewer)

Can view the state of all Cloud Run resources, including IAM policies.

Lowest-level resources where you can grant this role:

  • Cloud Run service
  • Cloud Run job

recommender.locations.*

recommender.runServiceCostInsights.get

recommender.runServiceCostInsights.list

recommender.runServiceCostRecommendations.get

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityInsights.get

recommender.runServiceIdentityInsights.list

recommender.runServiceIdentityRecommendations.get

recommender.runServiceIdentityRecommendations.list

recommender.runServicePerformanceInsights.get

recommender.runServicePerformanceInsights.list

recommender.runServicePerformanceRecommendations.get

recommender.runServicePerformanceRecommendations.list

recommender.runServiceSecurityInsights.get

recommender.runServiceSecurityInsights.list

recommender.runServiceSecurityRecommendations.get

recommender.runServiceSecurityRecommendations.list

resourcemanager.projects.get

resourcemanager.projects.list

run.configurations.*

run.executions.get

run.executions.list

run.jobs.get

run.jobs.getIamPolicy

run.jobs.list

run.jobs.listEffectiveTags

run.jobs.listTagBindings

run.locations.list

run.operations.get

run.operations.list

run.revisions.get

run.revisions.list

run.routes.get

run.routes.list

run.services.get

run.services.getIamPolicy

run.services.list

run.services.listEffectiveTags

run.services.listTagBindings

run.tasks.*

For a reference describing the IAM permissions contained in each IAM role, refer to Cloud Run IAM Permissions.

Custom roles

For developers that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles.

If the role contains permissions that let a developer deploy services, then you must perform the additional configuration below.

Deployment permissions

A user needs the following permissions to deploy new Cloud Run services, service revisions or jobs, as noted:

  • For jobs and services, iam.serviceAccounts.actAs for the Cloud Run runtime service account. By default, this is PROJECT_NUMBER-compute@developer.gserviceaccount.com. The permission is typically assigned through the roles/iam.serviceAccountUser role.
  • For services, run.services.create and run.services.update on the project level are required. run.services.get and run.operations.get are not strictly required, but are recommended in order to read the status of the service. Typically assigned through the roles/run.admin role. It can be changed in the project permissions admin page.
  • For jobs, run.jobs.create and run.jobs.update on the project level are required to create Cloud Run jobs with custom roles. To run existing jobs, run.jobs.run on an individual job is sufficient. run.jobs.run can be set at the job level or the project level. run.jobs.get and run.operations.get are not strictly required, but are recommended in order to read the status of the job.

To assign the IAM Service Account User role on the Cloud Run runtime service account:

Console UI

  1. Go to the Service accounts page of the Google Cloud console:

    Go to Service accounts

  2. Click the email address of the Runtime Service Account (PROJECT_NUMBER-compute@developer.gserviceaccount.com).

  3. Click the Permissions tab.

  4. Click the Grant access button.

  5. Enter the principal (e.g. user or group email) that matches the principal you're granting the Admin or Developer role to.

  6. In the Select a role dropdown, select the Service Accounts > Service Account User role.

  7. Click Save.

gcloud

Use the gcloud iam service-accounts add-iam-policy-binding command, replacing the highlighted variables with appropriate values:

 gcloud iam service-accounts add-iam-policy-binding \
  PROJECT_NUMBER-compute@developer.gserviceaccount.com \
  --member="PRINCIPAL" \
  --role="roles/iam.serviceAccountUser"
  

Replace PRINCIPAL with the principal you are adding the binding for, using in the form user|group|serviceAccount:email or domain:domain. For example:

  • user:test-user@gmail.com
  • group:admins@example.com
  • serviceAccount:test123@example.domain.com
  • domain:example.domain.com

In addition to the developer needing these permissions, the Cloud Run service agent needs to be able to access the deployed container, which is the case by default.

Optional permissions for Cloud Run users

The following optional permissions can be considered when configuring accounts with minimal permission set:

  • monitoring.timeSeries.list on the project level. Typically assigned through the roles/monitoring.viewer role. It allows user to access metrics generated by their service. For more information, go to the Stackdriver documentation for Access Control.
  • logging.logEntries.list on the project level. Typically assigned through the roles/logging.viewer role. It allows user to access logs generated by their service. For more information, go to the Access Control guide in the Stackdriver Logging documentation.