Authenticate for invocation

This document provides supplemental information on how to invoke functions created using the Cloud Functions v2 API—for example, using gcloud functions, the REST API, or Terraform. For detailed information and examples, see the Cloud Run Authenticate requests guides. The topics covered in the Cloud Run guides also apply to functions created using the Cloud Functions v2 API, since v2 functions also use the Cloud Run Invoker role (roles/run.invoker).

To invoke an authenticated function, the underlying principal must meet the following requirements:

  • Have permission to invoke the function.
  • Provide an ID token when it invokes the function.

Cloud Run functions supports two different kinds of identities, which are also called principals:

  • Service accounts: These are special accounts that serve as the identity of a non-person, such as a function, an application, or a VM. They give you a way to authenticate these non-persons.
  • User accounts: These accounts represent people, either as individual Google Account holders or as part of a Google-controlled entity like a Google Group.

See the IAM overview to learn more about basic IAM concepts.

To invoke an authenticated function, the principal must have the invoker IAM permission:

  • run.routes.invoke. This permission is usually granted through the Cloud Run Invoker role (roles/run.invoker), and it must be assigned on the Cloud Run service resource.

To grant this permission, follow the steps in the Cloud Run Authenticating service-to-service guide.
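To review who already holds the invoker role on a service, the sketch below groups the members bound to roles/run.invoker by the two principal kinds described above. It is an added example, not code from the Cloud Run guides. It assumes the policy JSON comes from `gcloud run services get-iam-policy SERVICE --format=json`, uses a constructed sample policy, and looks only at direct roles/run.invoker bindings on the service (custom roles that carry run.routes.invoke and bindings inherited from the project are not covered).

```python
import json

INVOKER_ROLE = "roles/run.invoker"  # Cloud Run Invoker, the role named on this page
PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # IAM identifiers that are not one specific principal

# Constructed sample, shaped like `gcloud run services get-iam-policy SERVICE --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com",
                 "group:qa-team@example.com",
                 "deleted:serviceAccount:old@example-project.iam.gserviceaccount.com?uid=1234"]},
    {"role": "roles/run.invoker", "members": ["allUsers"]},
    {"role": "roles/run.viewer", "members": ["user:auditor@example.com"]}
  ]
}
""")


def audit_invokers(policy):
    """Group every member bound to the invoker role by principal kind."""
    report = {"service_accounts": [], "user_accounts": [], "public": [], "other": []}
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue  # only the invoker role decides who may call the function
        for member in binding.get("members", []):
            kind = member.partition(":")[0]  # IAM members are written as "<kind>:<id>"
            if member in PUBLIC:
                bucket = "public"
            elif kind == "serviceAccount":
                bucket = "service_accounts"
            elif kind in ("user", "group"):
                bucket = "user_accounts"  # people, individually or through a Google Group
            else:
                bucket = "other"  # e.g. "deleted:..." entries left behind by removed accounts
            if member not in report[bucket]:
                report[bucket].append(member)
    return report


if __name__ == "__main__":
    for bucket, members in audit_invokers(SAMPLE_POLICY).items():
        print(f"{bucket}: {members}")
```

Any entry under "public" means invocation is not limited to principals that were individually granted the role, and entries under "other" are worth cleaning up.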

For permission to create, update, or perform other administrative actions on a function, the principal must have an appropriate role. Roles include permissions that define the actions that the principal is allowed to perform. See Using IAM to Authorize Access for more information.

Event-driven functions can only be invoked by the event source that they're subscribed to. HTTP functions, however, can be invoked by different identity types originating from different places, such as by a developer testing the function or by another service using the function. Identities must provide an ID token for authentication. The account in use must also have the appropriate permissions.