Access control with IAM

By default, only project owners and editors can create, update, delete, or invoke services and jobs, and only project owners and Cloud Run Admins can modify Identity and Access Management (IAM) policies—for example, to make a service public. Refer to Cloud Run IAM roles for details.

To grant other principals or groups the ability to perform these actions, use IAM to grant roles to different principals.

Cloud Run predefined roles

Compared to basic roles (Owner, Editor, and Viewer), the following predefined roles have finer-grained access control for accessing Cloud Run resources:

Cloud Run Admin (roles/run.admin)
  Can create, update, and delete services and jobs; can get, list, and delete job executions.
  Can invoke services and jobs; can cancel job executions.
  Can get and set IAM policies.
  Can view, apply, and dismiss recommendations.
  Requires additional configuration in order to deploy services.

Cloud Run Developer (roles/run.developer)
  Can create, update, and delete services and jobs; can get, list, and delete job executions.
  Can get but not set IAM policies.
  Can view, apply, and dismiss recommendations.

Cloud Run Viewer (roles/run.viewer)
  Can view services, jobs, and job executions.
  Can get IAM policies.
  Can view recommendations.

Cloud Run Invoker (roles/run.invoker)
  Can invoke services and jobs; can cancel job executions.

Control access on an individual service or job

You can control access on a per-service or per-job basis using IAM.

Make a service public

This option is for a Cloud Run service that is a public API or website.

You can allow unauthenticated invocations to a service by assigning the Cloud Run Invoker IAM role to the allUsers member type.

You must have the run.services.setIamPolicy permission to configure authentication on a Cloud Run service. This permission is included in both the Owner and Cloud Run Admin roles. See Cloud Run IAM roles for the full list of roles and their associated permissions.

Console UI

For an existing Cloud Run service:

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the service you want to make public. (Don't click the service itself.)

  3. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  4. Click Add principal.

  5. In the New principals field, enter the value allUsers.

  6. From the Role drop-down menu, select the Cloud Run Invoker role.

  7. Click Save.

  8. You will be prompted to verify that you would like to make this resource public. Click Allow public access to apply the change to the service IAM settings.

For a new service you are creating, create the service but make sure you select Allow unauthenticated invocations in the Authentication tab to make the service publicly available. Selecting Require authentication will make the service private.

gcloud

To make a service publicly accessible, use the gcloud run services command to add the special allUsers member type to a service and grant it the roles/run.invoker role:

  gcloud run services add-iam-policy-binding [SERVICE_NAME] \
    --member="allUsers" \
    --role="roles/run.invoker"

Run the gcloud run deploy command to make your service publicly accessible when you deploy your service:

gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated

YAML

Create a file named policy.yaml with the following content:

bindings:
- members:
  - allUsers
  role: roles/run.invoker

Allow unauthenticated invocations for the existing SERVICE using:

gcloud run services set-iam-policy SERVICE policy.yaml

Terraform

To create a Cloud Run service, add the following to your existing main.tf file:

resource "google_cloud_run_v2_service" "default" {
  name     = "public-service"
  location = "us-central1"

  deletion_protection = false # set to "true" in production

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

To update the service IAM binding for roles/run.invoker, add the following resource referencing your Cloud Run service:

resource "google_cloud_run_service_iam_binding" "default" {
  location = google_cloud_run_v2_service.default.location
  service  = google_cloud_run_v2_service.default.name
  role     = "roles/run.invoker"
  members = [
    "allUsers"
  ]
}

This binding is only authoritative for the given role. Other IAM bindings within the service IAM policy are preserved.

Domain restricted sharing

If the project is subject to the domain restricted sharing constraint in an organization policy, you will be unable to create public services by default. You can use tags and conditional policy to exempt specific services from this constraint. For details, refer to the blog post on creating public Cloud Run services when domain restricted sharing is enforced.

Add principals

You can add principals to a job or a service.

Add principals to a service

To add principals to a service:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox next to the service that you want to add principals to. (Don't click the service itself.)

  3. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  4. Click Add principal.

  5. In the New principals field, enter one or more identities that need access to your service.

  6. From the Role drop-down menu, select a role or roles. The roles you select appear in the pane with a short description of the permissions they grant.

  7. Click Save.

gcloud

Use the gcloud run services add-iam-policy-binding command:

gcloud run services add-iam-policy-binding SERVICE_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE

where SERVICE_NAME is the service name, MEMBER_TYPE is the principal type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.

Add principals to a job

To add principals to a job:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the job you want to add principals to. (Don't click on the job itself.)

  3. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  4. Click Add principal.

  5. In the New principals textbox, enter one or more identities that need access to your job.

  6. From the Role drop-down menu, select a role or roles. The roles you select appear in the pane with a short description of the permissions they grant.

  7. Click Save.

gcloud

Use the gcloud run jobs add-iam-policy-binding command:

gcloud run jobs add-iam-policy-binding JOB_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE

where JOB_NAME is the job name, MEMBER_TYPE is the principal type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.

Remove principals from a role

You can remove principals from a service or a job.

Remove principals from a role for a service

To remove principals from a role for a service:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the service you want to remove principals from. (Don't click on the service itself.)

  3. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  4. Enter the principal you want to remove in the roles list filter, which displays all roles granted to that principal.

  5. Click the delete trash can next to the principal within the desired role to remove that role from the principal.

  6. In the confirmation dialog, you have the option to remove that principal from all roles in the service. Click Remove to remove the principal from the role.

gcloud

Use the gcloud run services remove-iam-policy-binding command:

  gcloud run services remove-iam-policy-binding SERVICE_NAME \
    --member=MEMBER_TYPE \
    --role=ROLE

where SERVICE_NAME is the service name, MEMBER_TYPE is the principal type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.

Remove principals from a role for a job

To remove principals from a role for a job:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the job you want to remove principals from. (Don't click on the job itself.)

  3. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  4. Enter the principal you want to remove in the roles list filter, which displays all roles granted to that principal.

  5. Click the delete trash can next to the principal within the desired role to remove that role from the principal.

  6. In the confirmation dialog, you have the option to remove that principal from all roles in the job. Click Remove to remove the principal from the role.

gcloud

Use the gcloud run jobs remove-iam-policy-binding command:

  gcloud run jobs remove-iam-policy-binding JOB_NAME \
    --member=MEMBER_TYPE \
    --role=ROLE

where JOB_NAME is the job name, MEMBER_TYPE is the principal type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.

Bulk addition or removal of principals

You can do a bulk add or remove for services and for jobs.

Bulk addition and removal of principals for services

To do a bulk add or remove for a service:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the service you want to add principals to or remove principals from. (Don't click on the service itself.)

  3. Select the service you want to add principals to or remove principals from.

  4. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

If you want to add principals:

  1. Click Add principal.

  2. In the New principals textbox, enter one or more identities that need access to your service.

  3. From the Role drop-down menu, select a role (or roles). The roles you select appear in the pane with a short description of the permissions they grant.

  4. Click Save.

If you want to remove principals:

  1. Enter the principal you want to remove in the roles list filter, which displays all roles granted to that principal.

  2. Click the delete trash can next to the principal within the desired role to remove that role from the principal.

  3. In the confirmation dialog, you have the option to remove that principal from all roles in the service. Click Remove to remove the principal from the role.

gcloud

Create an IAM policy:

cat <<EOF > policy.json
{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_TYPE"
      ]
    }
  ]
}
EOF

Use the gcloud run services set-iam-policy command:

gcloud run services set-iam-policy SERVICE_NAME policy.json

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.

Bulk addition and removal of principals for jobs

To do a bulk add or remove for a job:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the job you want to add principals to or remove principals from. (Don't click on the job itself.)

  3. Select the job you want to add principals to or remove principals from.

  4. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

If you want to add principals:

  1. Click Add principal.

  2. In the New principals textbox, enter one or more identities that need access to your job.

  3. From the Role drop-down menu, select a role (or roles). The roles you select appear in the pane with a short description of the permissions they grant.

  4. Click Save.

If you want to remove principals:

  1. Enter the principal you want to remove in the roles list filter, which displays all roles granted to that principal.

  2. Click the delete trash can next to the principal within the desired role to remove that role from the principal.

  3. In the confirmation dialog, you have the option to remove that principal from all roles in the job. Click Remove to remove the principal from the role.

gcloud

Create an IAM policy:

cat <<EOF > policy.json
{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_TYPE"
      ]
    }
  ]
}
EOF

Use the gcloud run jobs set-iam-policy command:

gcloud run jobs set-iam-policy JOB_NAME policy.json

For a list of acceptable values for MEMBER_TYPE, see the IAM concepts page. For a list of acceptable values for ROLE, see Cloud Run IAM roles.
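set-iam-policy replaces the entire IAM policy of the service or job with the contents of the file, so a bulk add or remove should start from the policy that get-iam-policy returns rather than from an empty file, or every binding not listed is silently dropped. The following helper is an added example, not Google's tooling: it merges additions and removals into the JSON returned by `gcloud run services get-iam-policy SERVICE_NAME --format=json` (or the `gcloud run jobs` equivalent), keeps the etag so a concurrent change is rejected, and refuses to grant the public member types unless asked to. The sample policy and principals are constructed.

```python
import json
from typing import Dict, Iterable, Optional

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample of what `gcloud run services get-iam-policy SERVICE_NAME --format=json`
# returns for a service that already has one developer and one invoker binding.
EXISTING_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.developer", "members": ["user:alice@example.com"]},
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:frontend@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ123example=",
  "version": 1
}
""")


def merge_policy(existing: dict,
                 add: Optional[Dict[str, Iterable[str]]] = None,
                 remove: Optional[Dict[str, Iterable[str]]] = None,
                 allow_public: bool = False) -> dict:
    """Build the policy document to pass to set-iam-policy.

    Because set-iam-policy replaces the whole policy, every binding not named in
    `add` or `remove` is carried over unchanged, bindings left without members are
    dropped, and the etag is kept so the write fails if the policy changed meanwhile.
    Granting allUsers / allAuthenticatedUsers is refused unless allow_public is set.
    """
    roles = {b["role"]: set(b.get("members", [])) for b in existing.get("bindings", [])}
    for role, members in (add or {}).items():
        roles.setdefault(role, set()).update(members)
    for role, members in (remove or {}).items():
        roles.get(role, set()).difference_update(members)
    bindings = [{"role": role, "members": sorted(members)}
                for role, members in sorted(roles.items()) if members]
    if not allow_public:
        for b in bindings:
            exposed = PUBLIC_MEMBERS.intersection(b["members"])
            if exposed:
                raise ValueError(f"{b['role']} would be granted to {sorted(exposed)}")
    policy = {"bindings": bindings, "version": existing.get("version", 1)}
    if "etag" in existing:
        policy["etag"] = existing["etag"]
    return policy


if __name__ == "__main__":
    new_policy = merge_policy(
        EXISTING_POLICY,
        add={"roles/run.invoker": ["group:ops@example.com"],
             "roles/run.viewer": ["user:bob@example.com"]},
        remove={"roles/run.developer": ["user:alice@example.com"]},
    )
    # Save this as policy.json, then: gcloud run services set-iam-policy SERVICE_NAME policy.json
    print(json.dumps(new_policy, indent=2))
```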

View principals

You can view principals for services and jobs.

View principals for a service

To view principals for a service:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the service you want to view for principals and roles. (Don't click on the service itself.)

  3. Select the service you want to view for principals and roles.

  4. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  5. The list of roles and principals will be shown, grouped by role granted.

gcloud

Use the gcloud run services get-iam-policy command:

gcloud run services get-iam-policy SERVICE_NAME

View principals for a job

To view principals for a job:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Click the checkbox at the left of the job you want to view for principals and roles. (Don't click on the job itself.)

  3. Select the job you want to view for principals and roles.

  4. In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.

  5. The list of roles and principals will be shown, grouped by role granted.

gcloud

Use the gcloud run jobs get-iam-policy command:

gcloud run jobs get-iam-policy JOB_NAME

Control access on all services and jobs in a project

If you want to grant roles to principals on all services and jobs in a project, you can use project-level IAM.

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Find the principal you want to grant a project-wide role.

  3. Click the edit Pencil on the right side of the principal's row.

  4. Click Add another role and pick the desired role.

  5. Click Save.

gcloud

Use the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER_TYPE \
  --role=ROLE

where MEMBER_TYPE is the principal type (e.g. user:email@domain.com), and ROLE is the role (e.g. roles/run.admin).

The allUsers and allAuthenticatedUsers principal types can't be applied at the project level, and instead must be added to each service individually.

Disable the Cloud Run Invoker for services

You can disable or re-enable the Cloud Run Invoker IAM check for any Cloud Run service. The check is enforced by default.

To disable or re-enable the Invoker IAM check on a service, you must have the following permissions:

  • run.services.create
  • run.services.update
  • run.services.setIamPolicy

These permissions are included in both the Owner and Cloud Run Admin roles. See Cloud Run IAM roles for the full list of roles and their associated permissions.

Disable the Cloud Run Invoker IAM check

  1. Override the organization policy constraint constraints/run.requireInvokerIam at the organization or project level as needed. You can use tags to set more granular rules for particular Cloud Run services.

    To remove the policy constraint from the Google Cloud console:

    1. Go to IAM

    2. Click the Organization Policies tab.

    3. Find the Allow Invoker IAM Disabled (Cloud Run) policy, and select Edit policy from the Actions menu.

    4. Ensure that the policy is configured to Not enforced.

    5. Click Set policy.

  2. Disable the check:

    Console

    1. Go to Cloud Run

    2. Click Create Service if you are configuring a new service, then fill out the initial service settings page as needed. If you are configuring an existing service, click the service, then click Security.

    3. Clear Use Cloud IAM to authenticate incoming requests.

    4. Click Create or Save.

    gcloud

    • Use the --no-invoker-iam-check flag:

      gcloud run deploy SERVICE_NAME --no-invoker-iam-check

      where SERVICE_NAME is the service name.

    YAML

    1. To view and download the configuration:

      gcloud run services describe SERVICE_NAME --format export > service.yaml

    2. Update the run.googleapis.com/invoker-iam-disabled annotation:

      apiVersion: serving.knative.dev/v1
      kind: Service
      metadata:
         annotations:
            run.googleapis.com/invoker-iam-disabled: true
         name: SERVICE_NAME

      where SERVICE_NAME is the name of your Cloud Run service.

    3. Replace the service with its new configuration using the following command:

      gcloud run services replace service.yaml

Verify that the check is disabled after deployment by navigating to the service's HTTPS endpoint.

Re-enable the Cloud Run Invoker IAM check

To re-enable the check:

Console

  1. Go to Cloud Run

  2. Click the service, then click Security.

  3. Select Use Cloud IAM to authenticate incoming requests.

  4. Click Save.

gcloud

  • Update the service by passing the --invoker-iam-check flag:

    gcloud beta run services update SERVICE_NAME --invoker-iam-check

    where SERVICE_NAME is the service name.

YAML

  1. To view and download the configuration:

    gcloud run services describe SERVICE_NAME --format export > service.yaml

  2. Update the run.googleapis.com/invoker-iam-disabled annotation:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
       annotations:
          run.googleapis.com/invoker-iam-disabled: false
       name: SERVICE_NAME

    where SERVICE_NAME is the name of your Cloud Run service.

  3. Replace the service with its new configuration using the following command:

    gcloud run services replace service.yaml

Verify that the check is re-enabled after deployment by navigating to the service's HTTPS endpoint.
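The principals listed by get-iam-policy and the state of the invoker IAM check together decide who can reach a service: it answers unauthenticated requests if either allUsers (or allAuthenticatedUsers) holds roles/run.invoker or the check is disabled through the annotation above. The audit below is an added example, not part of Google's documentation; it combines the JSON from `gcloud run services get-iam-policy SERVICE_NAME --format=json` and `gcloud run services describe SERVICE_NAME --format=json` for one service and also lists the principals with roles/run.admin, since they can change the policy. The sample policy, service and principals are constructed.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"
ADMIN_ROLE = "roles/run.admin"
INVOKER_DISABLED_ANNOTATION = "run.googleapis.com/invoker-iam-disabled"

# Constructed samples standing in for the JSON that these two commands return:
#   gcloud run services get-iam-policy SERVICE_NAME --format=json
#   gcloud run services describe SERVICE_NAME --format=json
SAMPLE_POLICY = {
    "bindings": [
        {"role": ADMIN_ROLE, "members": ["user:alice@example.com"]},
        {"role": INVOKER_ROLE,
         "members": ["serviceAccount:frontend@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ123example=",
}
SAMPLE_SERVICE = {
    "apiVersion": "serving.knative.dev/v1",
    "kind": "Service",
    "metadata": {
        "name": "internal-api",
        # The policy above looks private, but the invoker check is switched off.
        "annotations": {INVOKER_DISABLED_ANNOTATION: "true"},
    },
}


def audit_service(policy: dict, service: dict) -> dict:
    """Report how a service can be invoked and who can change that."""
    invokers, public_roles, admins = set(), set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                public_roles.add(role)
            if role == INVOKER_ROLE:
                invokers.add(member)
            if role == ADMIN_ROLE:
                admins.add(member)  # can set the IAM policy, i.e. make the service public
    metadata = service.get("metadata", {})
    annotations = metadata.get("annotations") or {}
    # The annotation value is a string in the exported resource; accept a bool too.
    check_disabled = str(annotations.get(INVOKER_DISABLED_ANNOTATION, "false")).lower() == "true"
    public_via_iam = INVOKER_ROLE in public_roles
    return {
        "name": metadata.get("name"),
        "invoker_check_disabled": check_disabled,
        "public_via_iam": public_via_iam,
        "effectively_public": check_disabled or public_via_iam,
        "public_roles": sorted(public_roles),
        "invokers": sorted(invokers),
        "admins": sorted(admins),
    }


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_POLICY, SAMPLE_SERVICE).items():
        print(f"{key}: {value}")
```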

Next steps

Learn how to securely authenticate developers, services, and users to the services you just secured.