By default, only project owners and editors can create, update, delete, or invoke services, and only project owners and Cloud Run Admins can modify Identity and Access Management (IAM) policies—for example, make a service public. Learn more about Cloud Run IAM roles.
To grant other users or groups the ability to perform these actions, you can use IAM to grant roles to different members.
Controlling access on an individual service
If you want to control access on a per-service basis, you can use per-service IAM.
Making a service public
Console UI
Go to the Google Cloud console:
Select the service you want to make public.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter allUsers.
Select the Cloud Run Invoker role from the Select a role drop-down menu.
Click Add.
gcloud
You can make a service publicly accessible by adding the special allUsers member type to a service and granting it the roles/run.invoker role:
gcloud run services add-iam-policy-binding [SERVICE_NAME] \
  --member="allUsers" \
  --role="roles/run.invoker"
Additionally, when you deploy your service with the gcloud run deploy command, you can specify whether or not to make your service publicly accessible:
gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated
When creating a new service, you will be prompted if you want to "allow unauthenticated access." Answering yes will perform the actions above to make the service publicly available. Answering no will leave the service private.
Domain Restricted Sharing
If the project is subject to the domain restricted sharing constraint in an organization policy, you will be unable to create public services. We recommend that you create all projects in a folder not subject to this restriction, and remove it on existing projects by restoring the default constraint on the project.
Adding users
Console UI
Go to the Google Cloud console:
Select the service you want to add users to.
Click Show Info Panel in the top right corner to show the Permissions tab.
In the Add members field, enter one or more identities that need access to your service.
Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
Click Add.
gcloud
Use the gcloud run services add-iam-policy-binding command:
gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE
where SERVICE_NAME is the service name, MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role.
For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page.
For a list of acceptable values for ROLE, see Cloud Run IAM roles.
Removing users
Console UI
Go to the Google Cloud console:
Select the service you want to remove users from.
Click Show Info Panel in the top right corner to show the Permissions tab.
Search for the user you want to remove, or expand a role the user has.
Click the delete trash can next to the member type within the role to remove the role from the member.
gcloud
Use the gcloud run services remove-iam-policy-binding command:
gcloud run services remove-iam-policy-binding SERVICE_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE
where SERVICE_NAME is the service name, MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role.
For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page.
For a list of acceptable values for ROLE, see Cloud Run IAM roles.
Bulk addition or removal of users
Console UI
Go to the Google Cloud console:
Select the service you want to add users to or remove users from.
Click Show Info Panel in the top right corner to show the Permissions tab.
If you want to add users:
In the Add members field, enter multiple identities that need access to your service.
Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
Click Add.
If you want to remove users:
Search for the user you want to remove, or expand a role the user has.
Click the delete trash can next to the member type within the role to remove the role from the member.
gcloud
Create an IAM policy file, replacing ROLE and MEMBER_TYPE with the quoted role and member strings:
cat <<EOF > policy.json
{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_TYPE"
      ]
    }
  ]
}
EOF
Use the gcloud run services set-iam-policy command:
gcloud run services set-iam-policy SERVICE_NAME policy.json
For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page.
For a list of acceptable values for ROLE, see Cloud Run IAM roles.
Viewing users
Console UI
Go to the Google Cloud console:
Select the service whose users and roles you want to view.
Click Show Info Panel in the top right corner to show the Permissions tab.
All users will be shown, grouped by role granted.
gcloud
Use the gcloud run services get-iam-policy command:
gcloud run services get-iam-policy SERVICE_NAME
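The bulk set-iam-policy step and the get-iam-policy step above both work with the same policy document. The following added example (not code from the Cloud Run documentation) builds a correctly quoted policy.json body and audits a fetched policy for public invokers; it assumes the policy was fetched with the gcloud global flag --format=json, and the sample policy is constructed.

```python
import json

# Principals that make a service reachable without a specific identity:
# allUsers (anyone on the internet) and allAuthenticatedUsers (any Google account).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"


def build_policy(bindings):
    """Return a policy.json body for `gcloud run services set-iam-policy`.

    `bindings` maps a role to the members that should hold it, e.g.
    {"roles/run.invoker": ["user:alice@example.com"]}. Strings are emitted
    with proper JSON quoting. Note that set-iam-policy replaces the whole
    service policy, so list every binding you intend to keep.
    """
    doc = {"bindings": [{"role": role, "members": sorted(members)}
                        for role, members in sorted(bindings.items())]}
    return json.dumps(doc, indent=2)


def public_invokers(policy):
    """Return the public principals holding roles/run.invoker in `policy`.

    `policy` is the parsed JSON output of `gcloud run services get-iam-policy
    SERVICE_NAME --format=json`. An empty list means the service cannot be
    invoked without an identity that was explicitly granted the role.
    """
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        found.update(m for m in binding.get("members", []) if m in PUBLIC_MEMBERS)
    return sorted(found)


# Constructed sample: what get-iam-policy might return for a service that was
# deployed with --allow-unauthenticated and then given one more invoker.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers", "user:alice@example.com"]},
    {"role": "roles/run.admin", "members": ["group:ops@example.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}""")

if __name__ == "__main__":
    print(public_invokers(SAMPLE_POLICY))  # ['allUsers']
    print(build_policy({"roles/run.invoker": ["user:alice@example.com"]}))
```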
Controlling access on all services in a project
If you want to grant roles to members on all services in a project, you can use project-level IAM.
Console UI
Go to the Google Cloud console:
Find the user you want to grant a project-wide role to.
Click the edit Pencil on the right side of the user's row.
Click Add another role and pick the desired role.
Click Save.
gcloud
Use the gcloud projects add-iam-policy-binding command:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER_TYPE \
  --role=ROLE
where MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role (e.g. roles/run.admin).
Next steps
Learn how to securely authenticate developers, services, and users to the services you just secured.