This option is for a Cloud Run service that is a public API or website.
There are two ways to create a public Cloud Run service:
- Disable the Cloud Run InvokerIAM check (recommended).
- Assign the Cloud Run Invoker IAM role to the
allUsersmember type.
Disable the Cloud Run Invoker IAM check
The recommended way to make a public service is to disable the Cloud Run Invoker IAM check. The check is enforced by default. This is notably the solution if the project is subject to the domain restricted sharing constraint in an organization policy.
To disable or re-enable the Invoker IAM check on a service, you must have the following permissions:
run.services.createrun.services.updaterun.services.setIamPolicy
These permissions are included in both the Owner and Cloud Run Admin roles. See [Cloud Run IAM roles][1] for the full list of roles and their associated permissions.
Disable the Cloud Run Invoker IAM check
To disable the check:
Console
Click Create Service if you are configuring a new service, then fill out the initial service settings page as needed. If you are configuring an existing service, click the service, then click Security.
Clear Use IAM to authenticate incoming requests.
Click Create or Save.
gcloud
For a new service, use the
gcloud run deploycommand with the--no-invoker-iam-checkflag:gcloud run deploy SERVICE_NAME --no-invoker-iam-check
where
SERVICE_NAMEis the service name.For an existing service, use the
gcloud run services updatecommand with the--no-invoker-iam-checkflag:gcloud run services update SERVICE_NAME --no-invoker-iam-check
where
SERVICE_NAMEis the service name.
YAML
To view and download the configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the
run.googleapis.com/invoker-iam-disabled:annotation:apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/invoker-iam-disabled: true name: SERVICE_NAME
where SERVICE_NAME is the name of your Cloud Run service.
Replace the service with its new configuration using the following command:
gcloud run services replace service.yaml
Verify that the check is disabled after deployment by navigating to the service's HTTPS endpoint.
Re-enable the Cloud Run Invoker IAM check
To re-enable the check:
Console
Click the service, then click Security.
Select Use IAM to authenticate incoming requests.
Click Save.
gcloud
Update the service by passing the
--invoker-iam-checkflag:gcloud run services update SERVICE_NAME --invoker-iam-check
where
SERVICE_NAMEis the service name.
YAML
To view and download the configuration:
gcloud run services describe SERVICE --format export > service.yaml
Update the
run.googleapis.com/invoker-iam-disabled:annotation:apiVersion: serving.knative.dev/v1 kind: Service metadata: annotations: run.googleapis.com/invoker-iam-disabled: false name: SERVICE_NAME
where SERVICE_NAME is the name of your Cloud Run service.
Verify that the check is re-enabled after deployment by navigating to the service's HTTPS endpoint.
Configure organization policy for the Cloud Run invoker IAM check
If you're an administrator, you can restrict the ability to
disable the Invoker IAM check
by using the constraints/run.managed.requireInvokerIam managed constraint.
This constraint is not enforced by default.
Assign the Cloud Run IAM Invoker role to the allUsers member type
You can allow unauthenticated invocations to a service by assigning the
Cloud Run Invoker IAM role to the allUsers member type.
You must have the run.services.setIamPolicy permission to configure authentication
on a Cloud Run service. This permission is included in both the Owner and
Cloud Run Admin roles. See Cloud Run IAM roles
for the full list of roles and their associated permissions.
Console UI
For an existing Cloud Run service:
Go to the Google Cloud console:
Click the checkbox at the left of the service you want to make public. (Don't click the service itself.)
In the information pane in the top right corner click the Permissions tab. If the information pane isn't visible, you may need to click Show Info Panel, then click Permissions.
Click Add principal.
In the New principals field, enter the value allUsers
From the Role drop-down menu, select the Cloud Run Invoker role.
Click Save.
You will be prompted to verify that you would like to make this resource public. Click Allow public access to apply the change to the service IAM settings.
For a new service you are creating, create the service but make sure you select Allow unauthenticated invocations in the Authentication tab to make the service publicly available. Selecting Require authentication will make the service private.
gcloud
To make a service publicly accessible, use the gcloud run services command
to add the special allUsers member type to a service and grant it the
roles/run.invoker role:
gcloud run services add-iam-policy-binding [SERVICE_NAME] \ --member="allUsers" \ --role="roles/run.invoker"
Run the gcloud run deploy command to make your service
publicly accessible when you deploy your service:
gcloud run deploy [SERVICE_NAME] ... --allow-unauthenticated
YAML
Create a file named policy.yaml with the following content:
bindings:
- members:
- allUsers
role: roles/run.invoker
Allow unauthenticated invocations for the existing SERVICE using:
gcloud run services set-iam-policy SERVICE policy.yaml
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
Add the following to agoogle_cloud_run_v2_service
resource in your Terraform configuration:To update the service IAM binding for roles/run.invoker, add
the following resource referencing your Cloud Run service:
This binding is only authoritative for the given role. Other IAM bindings within the service IAM policy are preserved.