Stay organized with collections
Save and categorize content based on your preferences.
Restrict new deployments by product version
Cloud Run functions offers two product versions:
Cloud Run functions (1st gen) and Cloud Run functions created through the
Google Cloud Functions v2 APIs. If your organization wants to enforce a
restriction specifying that only one of the versions can be used to deploy new
functions, you can define a new
organization policy
with the
constraintconstraints/cloudfunctions.restrictAllowedGenerations. You use this constraint
to specify the generation (version) you want to allow or deny in the folder or
project the policy is applied to.
The restriction will only apply to new functions being deployed for the first
time. You will still be able to redeploy existing functions even if they
don't comply with the policy.
You can use Google Cloud CLI to create a policy restricting new
Cloud Run functions from being deployed for the first time within a given
organization to the specified environment.
Note that setting a policy does not apply to existing functions. All functions
that were deployed before the policy can be redeployed, updated, or deleted
without restriction.
To create a policy that restricts new Cloud Run functions, run the following command:
where ORGANIZATION_NUMBER is the number of the
organization to which you want to apply the policy, and
VERSION is the Cloud Run functions version that must be
used for new deployments. VERSION can be one of the
following:
1stGen: Allow the use of Cloud Run functions (1st gen) only.
2ndGen: Allow the use of Cloud Run functions (2nd gen) only.
To explicitly allow both environments, specify 1stGen and 2ndGen
together. By default, both environments are allowed when no policy is set.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eCloud Run functions have two versions, 1st gen and 2nd gen, and organizations can restrict new deployments to a specific version using organization policies.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003econstraints/cloudfunctions.restrictAllowedGenerations\u003c/code\u003e constraint allows specifying which Cloud Run function version (1stGen or 2ndGen) can be used for new deployments within a folder or project.\u003c/p\u003e\n"],["\u003cp\u003eSetting this restriction only applies to new function deployments; existing functions can still be redeployed regardless of the policy.\u003c/p\u003e\n"],["\u003cp\u003eTo create or modify organization policies, the account must have the \u003ccode\u003eroles/orgpolicy.policyAdmin\u003c/code\u003e role.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the Google Cloud CLI to enforce these restrictions by using the \u003ccode\u003egcloud resource-manager org-policies allow cloudfunctions.restrictAllowedGenerations\u003c/code\u003e command.\u003c/p\u003e\n"]]],[],null,["# Restrict new deployments by product version\n===========================================\n\n| **Note:** In this document, \"Cloud Run functions (2nd gen)\" refers to Cloud Run functions created with the Google Cloud Functions v2 APIs.\n\nCloud Run functions offers two product versions:\nCloud Run functions (1st gen) and Cloud Run functions created through the\nGoogle Cloud Functions v2 APIs. If your organization wants to enforce a\nrestriction specifying that only one of the versions can be used to deploy new\nfunctions, you can define a new\n[organization policy](/resource-manager/docs/organization-policy/overview)\nwith the\n[constraint](/resource-manager/docs/organization-policy/overview#constraints)\n`constraints/cloudfunctions.restrictAllowedGenerations`. You use this constraint\nto specify the generation (version) you want to allow or deny in the folder or\nproject the policy is applied to.\n\nThe restriction will only apply to new functions being deployed for the first\ntime. You will still be able to redeploy existing functions even if they\ndon't comply with the policy.\n\nBefore you begin\n----------------\n\nTo create or change organization policies, your account must have the\nrole\n[`roles/orgpolicy.policyAdmin`](/resource-manager/docs/organization-policy/using-constraints#required-roles).\n\nUse a policy to set and enforce restrictions\n--------------------------------------------\n\nYou can use Google Cloud CLI to create a policy restricting new\nCloud Run functions from being deployed for the first time within a given\norganization to the specified environment.\n\nNote that setting a policy does not apply to existing functions. All functions\nthat were deployed before the policy can be redeployed, updated, or deleted\nwithout restriction.\n\nTo create a policy that restricts new Cloud Run functions, run the following command: \n\n```bash\ngcloud resource-manager org-policies \\\n allow cloudfunctions.restrictAllowedGenerations \\\n --organization=ORGANIZATION_NUMBER VERSION\n```\n\nwhere \u003cvar translate=\"no\"\u003eORGANIZATION_NUMBER\u003c/var\u003e is the number of the\norganization to which you want to apply the policy, and\n\u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e is the Cloud Run functions version that must be\nused for new deployments. \u003cvar translate=\"no\"\u003eVERSION\u003c/var\u003e can be one of the\nfollowing:\n\n- `1stGen`: Allow the use of Cloud Run functions (1st gen) only.\n- `2ndGen`: Allow the use of Cloud Run functions (2nd gen) only.\n- To explicitly allow both environments, specify `1stGen` and `2ndGen` together. By default, both environments are allowed when no policy is set.\n\n| **Note:** you can also set the policy on a project or folder by replacing the `--organization` flag with `--project=\u003cPROJECT_ID\u003e` or \\`--folder= respectively."]]
