Managing access via IAM

By default, only project owners and editors can create, update, delete, or invoke services, and only project owners and Cloud Run Admins can modify IAM policies (e.g. make a service public). Learn more about Cloud Run IAM Roles.

To grant other users or groups the ability to perform these actions, you can use Cloud Identity and Access Management (IAM) to grant roles to different members.

Controlling access on an individual service

If you want to control access on a per-service basis, you can use per-service IAM.

Making a service public

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Select the service you want to make public.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, enter allUsers.

  5. Select the Cloud Run Invoker role from the Select a role drop-down menu.

  6. Click Add.

GCloud

You can make a service publicly accessible by adding the special allUsers member type to a service and granting it the roles/run.invoker role:

gcloud beta run services add-iam-policy-binding [SERVICE_NAME] \
  --member="allUsers" \
  --role="roles/run.invoker"

Additionally, when you deploy your service with the gcloud beta run deploy command, you can specify whether or not to make your service publicly accessible:

gcloud beta run deploy [SERVICE_NAME] ... --allow-unauthenticated

When you deploy a new service without that flag, gcloud prompts whether to "allow unauthenticated access." Answering yes performs the binding above and makes the service publicly available; answering no leaves the service private, so callers must present credentials with the Cloud Run Invoker role.
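A public service is just a service whose policy binds a role to allUsers (anyone on the internet) or allAuthenticatedUsers (anyone with any Google account, which is public for practical purposes). The following audit script is an added example, not code from the Cloud Run documentation: it flags such bindings in a policy document. The parsing runs offline on the constructed sample policies embedded in the script; the `audit_project_services` wrapper is the live version and assumes the page's `gcloud beta run` command set with a default project and region configured.

```shell
#!/bin/sh
# Added example (not the page's own code): find Cloud Run services whose IAM
# policy grants a role to allUsers or allAuthenticatedUsers. Uses only
# POSIX sh, grep, tr, sed and sort, so it works without jq.

# Print the public members found in a policy JSON document ($1), one per
# line. The input shape is what
# `gcloud beta run services get-iam-policy SERVICE --format=json` prints.
policy_public_members() {
  printf '%s\n' "$1" |
    tr -d ' \t' |
    grep -oE '"(allUsers|allAuthenticatedUsers)"' |
    tr -d '"' |
    sort -u
}

# Exit status 0 when the policy contains at least one public member.
policy_is_public() {
  [ -n "$(policy_public_members "$1")" ]
}

# One report line per policy: "<name> PUBLIC via <members>" or "<name> private".
report() {
  if policy_is_public "$2"; then
    printf '%-20s PUBLIC via %s\n' "$1" \
      "$(policy_public_members "$2" | tr '\n' ' ' | sed 's/ $//')"
  else
    printf '%-20s private\n' "$1"
  fi
}

# Live audit of every service in the current project. Assumes the page's
# `gcloud beta run` command set and a configured default project and region.
audit_project_services() {
  for svc in $(gcloud beta run services list --format='value(metadata.name)'); do
    report "$svc" "$(gcloud beta run services get-iam-policy "$svc" --format=json)"
  done
}

# Constructed sample policies for an offline run (etag values are made up).
SAMPLE_PUBLIC='{
  "bindings": [
    {
      "members": [
        "allUsers"
      ],
      "role": "roles/run.invoker"
    }
  ],
  "etag": "BwWXsample1=",
  "version": 1
}'
SAMPLE_AUTHENTICATED='{
  "bindings": [
    {
      "members": [
        "allAuthenticatedUsers",
        "user:alice@example.com"
      ],
      "role": "roles/run.invoker"
    }
  ],
  "etag": "BwWXsample2=",
  "version": 1
}'
SAMPLE_PRIVATE='{
  "bindings": [
    {
      "members": [
        "serviceAccount:frontend@example-project.iam.gserviceaccount.com"
      ],
      "role": "roles/run.invoker"
    }
  ],
  "etag": "BwWXsample3=",
  "version": 1
}'

# Offline demonstration on the constructed samples.
report SAMPLE_PUBLIC "$SAMPLE_PUBLIC"
report SAMPLE_AUTHENTICATED "$SAMPLE_AUTHENTICATED"
report SAMPLE_PRIVATE "$SAMPLE_PRIVATE"
```

Run it as a scheduled job or a CI check after deployments; any line reported PUBLIC that is not on an approved list is a service someone made reachable without credentials, whether through `--allow-unauthenticated`, the console, or a policy binding.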

Domain Restricted Sharing

If the project is subject to the Domain Restricted Sharing organization policy (constraints/iam.allowedPolicyMemberDomains), bindings for allUsers and allAuthenticatedUsers are rejected, so you cannot make a service public. If you do need public services, create those projects in a folder that is not subject to the constraint, or exempt the existing project from it, and keep the constraint in place for projects that should only serve identities from your own domains.

Adding users

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Select the service you want to add users to.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. In the Add members field, enter one or more identities that need access to your service.

  5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  6. Click Add.

GCloud

Use the gcloud beta run services add-iam-policy-binding command:

gcloud beta run services add-iam-policy-binding SERVICE_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE

where SERVICE_NAME is the service name, MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Run IAM Roles reference page.

Removing users

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Select the service you want to remove users from.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. Search for the user you want to remove, or expand a role the user has.

  5. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Use the gcloud beta run services remove-iam-policy-binding command:

gcloud beta run services remove-iam-policy-binding SERVICE_NAME \
  --member=MEMBER_TYPE \
  --role=ROLE

where SERVICE_NAME is the service name, MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role.

For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Run IAM Roles reference page.

Bulk addition or removal of users

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Select the service you want to add users to or remove users from.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

If you want to add users:

  1. In the Add members field, enter multiple identities that need access to your service.

  2. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  3. Click Add.

If you want to remove users:

  1. Search for the user you want to remove, or expand a role the user has.

  2. Click the delete trash can next to the member type within the role to remove the role from the member.

GCloud

Create an IAM policy file. Note that set-iam-policy replaces the service's entire policy: every binding that is not in the file is removed. Start from the current policy (get-iam-policy with --format=json), keep the bindings you still want, and copy its "etag" field into the file; with the etag present, the write is rejected if someone else changed the policy after you read it, instead of silently overwriting their change.

cat <<EOF > policy.json
{
  "bindings": [
    {
      "role": "ROLE",
      "members": [
        "MEMBER_TYPE"
      ]
    }
  ]
}
EOF

Use the gcloud beta run services set-iam-policy command:

gcloud beta run services set-iam-policy SERVICE_NAME policy.json

where SERVICE_NAME is the service name, ROLE is the role (e.g. roles/run.invoker), and each entry under members is a member (e.g. user:email@domain.com). For a list of acceptable values for MEMBER_TYPE, see the Cloud IAM concepts page. For a list of acceptable values for ROLE, see the Cloud Run IAM Roles reference page.
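The following script is an added example, not code from the Cloud Run documentation. It shows the read-modify-write sequence that makes a bulk replacement safe: render the desired bindings to JSON, carry over the etag of the policy read immediately before, then apply. The rendering and etag extraction run offline on a constructed sample policy; `replace_service_policy` is the live wrapper and assumes the page's `gcloud beta run` command set with a default project and region configured.

```shell
#!/bin/sh
# Added example (not the page's own code): bulk-replace a service's IAM policy
# without losing bindings or racing another administrator. set-iam-policy
# overwrites the whole policy, so the desired policy is written from an
# explicit list of bindings and carries the etag of the policy read just before.

# Print one binding as a JSON object. $1 = role, remaining args = members.
render_binding() {
  role="$1"; shift
  members=""
  for m in "$@"; do
    members="${members:+$members,}\"$m\""
  done
  printf '{"role":"%s","members":[%s]}' "$role" "$members"
}

# Print a complete policy. $1 = etag (empty string for none), remaining
# args = binding objects as produced by render_binding.
render_policy() {
  etag="$1"; shift
  bindings=""
  for b in "$@"; do
    bindings="${bindings:+$bindings,}$b"
  done
  if [ -n "$etag" ]; then
    printf '{"etag":"%s","bindings":[%s]}\n' "$etag" "$bindings"
  else
    printf '{"bindings":[%s]}\n' "$bindings"
  fi
}

# Pull the etag out of a policy JSON string. Enough for gcloud's output;
# not a general JSON parser.
policy_etag() {
  { printf '%s' "$1" | tr -d ' \n\t'; echo; } |
    sed -n 's/.*"etag":"\([^"]*\)".*/\1/p'
}

# Live use. Assumes the page's `gcloud beta run` command set and a default
# project and region. Replaces SERVICE's policy with exactly the bindings
# given, e.g.:
#   replace_service_policy my-service \
#     "$(render_binding roles/run.invoker group:callers@example.com)" \
#     "$(render_binding roles/run.admin user:ops@example.com)"
# Any binding not listed (including a previous allUsers grant) is removed.
replace_service_policy() {
  service="$1"; shift
  current="$(gcloud beta run services get-iam-policy "$service" --format=json)"
  render_policy "$(policy_etag "$current")" "$@" > policy.json
  echo "About to apply to $service:"; cat policy.json
  # With the etag set, IAM rejects the write if the policy changed since the
  # read above, instead of silently discarding the other change.
  gcloud beta run services set-iam-policy "$service" policy.json
}

# Constructed sample of a current policy, as gcloud prints it (etag made up).
SAMPLE_CURRENT='{
  "bindings": [
    {
      "members": [
        "user:alice@example.com"
      ],
      "role": "roles/run.admin"
    }
  ],
  "etag": "BwWXsample=",
  "version": 1
}'

# Offline demonstration: the desired policy, carrying the sample's etag.
DESIRED="$(render_policy "$(policy_etag "$SAMPLE_CURRENT")" \
  "$(render_binding roles/run.admin user:alice@example.com)" \
  "$(render_binding roles/run.invoker group:callers@example.com \
       serviceAccount:scheduler@example-project.iam.gserviceaccount.com)")"
printf '%s\n' "$DESIRED"
```

Because the file states the complete policy, keep the existing admin binding in the list or you will remove your own administrative access along with the bindings you meant to drop.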

Viewing users

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Select the service whose members and roles you want to view.

  3. Click Show Info Panel in the top right corner to show the Permissions tab.

  4. All members are shown, grouped by the role granted to them.

GCloud

Use the gcloud beta run services get-iam-policy command:

gcloud beta run services get-iam-policy SERVICE_NAME

Controlling access on all services in a project

If you want to grant roles to members on all services in a project, you can use project-level IAM.

Console UI

  1. Go to the Google Cloud Platform Console.

  2. Find the member to whom you want to grant a project-wide role.

  3. Click the edit Pencil on the right side of the user's row.

  4. Click Add another role and pick the desired role.

  5. Click Save.

GCloud

Use the gcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER_TYPE \
  --role=ROLE

where MEMBER_TYPE is the member type (e.g. user:email@domain.com), and ROLE is the role (e.g. roles/run.admin).
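Project-level and service-level bindings are both evaluated, so a service whose own policy looks private is still invokable by anyone holding an invoke-capable role on the project. The following script is an added example, not code from the Cloud Run documentation: it merges the two policies into one list of principals who can invoke a service. The merge logic runs offline on constructed sample data; `effective_invokers` is the live wrapper and assumes the page's `gcloud beta run` command set with a default region configured. The list of roles treated as invoke-capable is an assumption: it holds roles/run.invoker plus roles/owner and roles/editor, which the text above says can invoke, and you should extend it with any other predefined or custom role in your project that carries the run.routes.invoke permission.

```shell
#!/bin/sh
# Added example (not the page's own code): list every principal that can
# invoke a service, combining the service-level and the project-level policy.

# Roles treated as invoke-capable (assumption, see the lead-in): extend with
# any other role in your project that carries run.routes.invoke.
INVOKE_ROLES="roles/run.invoker roles/owner roles/editor"

# $1 = "role,member" lines (one per binding member), $2 = scope label.
# Prints "scope role member" for every pair whose role is invoke-capable.
invokers_from_csv() {
  printf '%s\n' "$1" | while IFS=, read -r role member; do
    [ -n "$role" ] || continue
    for r in $INVOKE_ROLES; do
      if [ "$role" = "$r" ]; then
        printf '%s %s %s\n' "$2" "$role" "$member"
      fi
    done
  done
}

# Live merge. Assumes the page's `gcloud beta run` command set and a default
# region. --flatten expands bindings[].members to one row per member, so
# each policy arrives as role,member lines in the shape parsed above.
effective_invokers() {
  service="$1"; project="$2"
  fmt='csv[no-heading](bindings.role,bindings.members)'
  svc_csv="$(gcloud beta run services get-iam-policy "$service" \
      --flatten='bindings[].members' --format="$fmt")"
  prj_csv="$(gcloud projects get-iam-policy "$project" \
      --flatten='bindings[].members' --format="$fmt")"
  {
    invokers_from_csv "$svc_csv" service
    invokers_from_csv "$prj_csv" project
  } | sort -u
}

# Constructed samples in the same role,member shape.
SAMPLE_SERVICE_CSV='roles/run.invoker,group:frontend-callers@example.com
roles/run.viewer,user:ops@example.com'
SAMPLE_PROJECT_CSV='roles/owner,user:alice@example.com
roles/viewer,user:auditor@example.com
roles/run.invoker,serviceAccount:scheduler@example-project.iam.gserviceaccount.com'

# Offline demonstration: the viewer-only principals are absent from the output.
{
  invokers_from_csv "$SAMPLE_SERVICE_CSV" service
  invokers_from_csv "$SAMPLE_PROJECT_CSV" project
} | sort -u
```

Lines labelled project come from bindings that grant invocation on every service in the project; removing such a principal from one service's policy does nothing, it has to be removed with gcloud projects remove-iam-policy-binding.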

Next steps

Learn how to securely authenticate developers, services, and end-users to the services you just secured.
