If you are creating a new function, see the Console Quickstart on Cloud Run. The content on this page only applies to existing legacy functions created with the Cloud Functions v1 API.
Stay organized with collections
Save and categorize content based on your preferences.
Restrict new deployments by product version
Cloud Run functions offers two product versions:
Cloud Run functions (1st gen), the original version, and
Cloud Run functions (formerly known as 2nd gen). If your organization wants to
enforce a restriction specifying that only one of the versions can be used to
deploy new functions you can define a new
organization policy
with the
constraintconstraints/cloudfunctions.restrictAllowedGenerations. You use this constraint
to specify the generation (version) you want to allow or deny in the folder or
project the policy is applied to.
The restriction will only apply to new functions being deployed for the first
time. You will still be able to redeploy existing functions even if they
don't comply with the policy.
You can use Google Cloud CLI or Google Cloud console to create a policy that
restricts new Cloud Run functions that are deployed for the first time
within a given organization to the specified environment.
Note that setting a policy does not apply to existing functions. All functions
that were deployed before the policy can be redeployed, updated, or deleted
without restriction.
where ORGANIZATION_NUMBER is the number of the
organization to which you want to apply the policy, and
VERSION is the Cloud Run functions version that must be
used for new deployments. VERSION can be one of the
following:
1stGen: Allow the use of Cloud Run functions (1st gen) only.
2ndGen: Allow the use of Cloud Run functions (2nd gen) only.
To explicitly allow both environments, specify 1stGen and 2ndGen
together. By default, both environments are allowed when no policy is set.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eYou can restrict new Cloud Run function deployments to specific versions (1st gen or 2nd gen) using organization policies.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003econstraints/cloudfunctions.restrictAllowedGenerations\u003c/code\u003e constraint is used to specify the allowed Cloud Run function version for new deployments within a project, folder, or organization.\u003c/p\u003e\n"],["\u003cp\u003eOrganization policy changes only affect new function deployments; existing functions can still be redeployed, updated, or deleted regardless of the policy.\u003c/p\u003e\n"],["\u003cp\u003eYou need the \u003ccode\u003eroles/orgpolicy.policyAdmin\u003c/code\u003e role to create or modify organization policies that allow you to set such restrictions.\u003c/p\u003e\n"],["\u003cp\u003eYou can apply these restrictions via the Google Cloud console or the Google Cloud CLI, selecting either \u003ccode\u003e1stGen\u003c/code\u003e or \u003ccode\u003e2ndGen\u003c/code\u003e or both to set your constraint.\u003c/p\u003e\n"]]],[],null,["# Restrict new deployments by product version\n===========================================\n\nCloud Run functions offers two product versions:\nCloud Run functions (1st gen), the original version, and\nCloud Run functions (formerly known as 2nd gen). If your organization wants to\nenforce a restriction specifying that only one of the versions can be used to\ndeploy new functions you can define a new\n[organization policy](/resource-manager/docs/organization-policy/overview)\nwith the\n[constraint](/resource-manager/docs/organization-policy/overview#constraints)\n`constraints/cloudfunctions.restrictAllowedGenerations`. You use this constraint\nto specify the generation (version) you want to allow or deny in the folder or\nproject the policy is applied to.\n\nThe restriction will only apply to new functions being deployed for the first\ntime. You will still be able to redeploy existing functions even if they\ndon't comply with the policy.\n\nBefore you begin\n----------------\n\nTo create or change organization policies, your account must have the\nrole\n[`roles/orgpolicy.policyAdmin`](/resource-manager/docs/organization-policy/using-constraints#required-roles).\n\nUse a policy to set and enforce restrictions\n--------------------------------------------\n\nYou can use Google Cloud CLI or Google Cloud console to create a policy that\nrestricts new Cloud Run functions that are deployed for the first time\nwithin a given organization to the specified environment.\n\nNote that setting a policy does not apply to existing functions. All functions\nthat were deployed before the policy can be redeployed, updated, or deleted\nwithout restriction. \n\n### Console\n\n1. Go to the Organization policies page in the Google Cloud console.\n\n [Go to the Organization policies page](https://console.cloud.google.com/projectselector/iam-admin/orgpolicies?supportedpurview=project,folder,organizationId)\n\n2. Select the project, folder, or organization for which you want to add the\n new policy.\n\n The Organization policies page displays a list of the available\n organization policy constraints.\n3. Find the **Allowed Cloud Functions Generations** policy in the list. You\n can use the **Filter** field at the top of the list.\n\n4. Click the name of the policy. Alternatively, you can select **Edit Policy**\n from the context menu.\n\n5. Click **Manage Policy**.\n\n6. Select **Customize** under **Applies to**.\n\n7. Select **Replace** under **Policy enforcement**.\n\n8. Click **Add Rule** under **Rules**.\n\n9. Select **Custom** for **Policy Values**.\n\n10. Select **Allow** for **Policy Type**.\n\n11. In **Custom Value** specify the environment that you want to enforce in the\n organization. Supported values:\n\n - `1stGen`: Allow the use of Cloud Run functions (1st gen) only.\n - `2ndGen`: Allow the use of Cloud Run functions (formerly 2nd gen) only.\n - To explicitly allow both environments, specify `1stGen` and `2ndGen` together. By default, both environments are allowed when no policy is set.\n12. Click **Done**.\n\n13. Click **Save**.\n\nThe changes will take effect shortly, and the policy will prevent\nthe deployment of Cloud Run functions in the specified environment.\n\n### gcloud\n\nRun the following command: \n\n```bash\ngcloud resource-manager org-policies \\\nallow cloudfunctions.restrictAllowedGenerations \\\n--organization=ORGANIZATION_NUMBER VERSION\n```\n\nwhere \u003cvar translate=\"no\"\u003eORGANIZATION_NUMBER\u003c/var\u003e is the number of the\norganization to which you want to apply the policy, and\n\u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e is the Cloud Run functions version that must be\nused for new deployments. \u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e can be one of the\nfollowing:\n\n- `1stGen`: Allow the use of Cloud Run functions (1st gen) only.\n- `2ndGen`: Allow the use of Cloud Run functions (2nd gen) only.\n- To explicitly allow both environments, specify `1stGen` and `2ndGen` together. By default, both environments are allowed when no policy is set.\n\n| **Note:** you can also set the policy on a project or folder by replacing the `--organization` flag with `--project=\u003cPROJECT_ID\u003e` or \\`--folder= respectively."]]
