Stay organized with collections
Save and categorize content based on your preferences.
This page provides information and links for authenticating to the
Cloud Run Admin API. You can access the Cloud Run Admin API using the following methods:
Authentication varies by the environment that you run your
service in. Click a tab for instructions for your use case:
Google Cloud CLI
To authenticate a workload running on Google Cloud, use the credentials of the
service identity attached to the Cloud Run service by following these
steps:
Install the Google Cloud CLI, then initialize it using the following command:
When you make a REST request from the command line,
you can use your gcloud CLI credentials by including
gcloud auth print-access-token
as part of the command that sends the request.
The following example lists service accounts for the specified project. You can use the
same pattern for any REST request.
Before using any of the request data,
make the following replacements:
PROJECT_ID: Your Google Cloud project ID.
To send your request, expand one of these options:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Authenticate to Cloud Run Admin API\n\nThis page provides information and links for authenticating to the\nCloud Run Admin API. You can [access the Cloud Run Admin API](/run/docs/reference/cloud-run-admin-api-overview) using the following methods:\n\n- Google Cloud CLI\n- REST API\n- Cloud Client Libraries\n\nThis page doesn't cover authenticating to Cloud Run services. For that\ninformation, see\n[Authentication overview for Cloud Run services](/run/docs/authenticating/overview).\n\nAuthenticate to the Cloud Run Admin API\n---------------------------------------\n\nAuthentication varies by the environment that you run your\nservice in. Click a tab for instructions for your use case: \n\n### Google Cloud CLI\n\nTo authenticate a workload running on Google Cloud, use the credentials of the\n[service identity](/run/docs/securing/service-identity) attached to the Cloud Run service by following these\nsteps:\n\n1. Install the Google Cloud CLI, then initialize it using the following command: \n\n ```yaml\n gcloud init\n ```\n2. Set up authentication:\n\n 1. Create the service account:\n\n ```bash\n gcloud iam service-accounts create SERVICE_ACCOUNT_NAME\n ```\n Replace \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e with a name for the service account.\n\n \u003cbr /\u003e\n\n 2. Provide access to your project and your resources by granting a role to\n the service account:\n\n ```yaml\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \n\n --member=\"serviceAccount:\u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME@PROJECT_ID\u003c/var\u003e.iam.gserviceaccount.com\" \n\n --role=\u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e\n ```\n Replace the following:\n\n \u003cbr /\u003e\n\n - \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e: the name of the service account\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID where you created the service account\n - \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the role required to access the Cloud Client Libraries.\n\n | **Note:** The `--role` flag determines the resources in your project that can be accessed by the service account. You can revoke these roles or grant additional roles later. In production environments, don't grant the Owner, Editor, or Viewer roles. Instead, grant a predefined role or custom role that meets your needs.\n 3. To grant another role to the service account, run the command as you did\n in the previous step.\n\n 4. Grant your Google Account a role that lets you use the service account\n roles and attach the service account to other resources:\n\n ```yaml\n gcloud iam service-accounts add-iam-policy-binding \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME@PROJECT_ID\u003c/var\u003e.iam.gserviceaccount.com \n\n --member=\"user:\u003cvar translate=\"no\"\u003eUSER_EMAIL\u003cvar translate=\"no\"\u003e\" --role=roles/iam.serviceAccountUser\u003c/var\u003e\u003c/var\u003e\n ```\n Replace the following:\n\n \u003cbr /\u003e\n\n - \u003cvar translate=\"no\"\u003eSERVICE_ACCOUNT_NAME\u003c/var\u003e: the name of the service account\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the project ID where you created the service account\n - \u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e: the email address for your Google Account\n3. Create the resource that will run your code, and attach the service account to that resource.\n\n### Local development\n\n\nYou can set up credentials for a local development environment in the following ways:\n\n- User credentials for client libraries or third-party tools\n- User credentials for REST requests from the command line\n\n #### Client libraries or third-party tools\n\n\n Set up\n [Application Default Credentials (ADC)](/docs/authentication/application-default-credentials)\n in your local environment:\n 1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n After installation,\n [initialize](/sdk/docs/initializing) the Google Cloud CLI by running the following command:\n\n ```bash\n gcloud init\n ```\n\n\n If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n 2.\n\n If you're using a local shell, then create local authentication credentials for your user\n account:\n\n ```bash\n gcloud auth application-default login\n ```\n\n You don't need to do this if you're using Cloud Shell.\n\n\n If an authentication error is returned, and you are using an external identity provider\n (IdP), confirm that you have\n [signed in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n\n A login screen is displayed. After you log in, your credentials\n are stored in the local credential file used by ADC.\n\n\n For more information, see\n [Set up ADC for a local development environment](/docs/authentication/set-up-adc-local-dev-environment).\n\n #### REST requests from the command line\n\n\n When you make a REST request from the command line,\n you can use your gcloud CLI credentials by including\n [`gcloud auth print-access-token`](/sdk/gcloud/reference/auth/print-access-token)\n as part of the command that sends the request.\n\n\n The following example lists service accounts for the specified project. You can use the\n same pattern for any REST request.\n\n\n Before using any of the request data,\n make the following replacements:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your Google Cloud project ID.\n\n To send your request, expand one of these options:\n\n #### curl (Linux, macOS, or Cloud Shell)\n\n\n Execute the following command:\n\n ```\n curl -X GET \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts\"\n ```\n\n #### PowerShell (Windows)\n\n\n Execute the following command:\n\n ```\n $cred = gcloud auth print-access-token\n $headers = @{ \"Authorization\" = \"Bearer $cred\" }\n\n Invoke-WebRequest `\n -Method GET `\n -Headers $headers `\n -Uri \"https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts\" | Select-Object -Expand Content\n ```\n\n\n For more information about authenticating using REST and gRPC, see\n [Authenticate for using REST](/docs/authentication/rest).\n For information about the difference between your local ADC credentials and your\n gcloud CLI credentials, see\n [gcloud CLI credentials and ADC credentials](/docs/authentication/gcloud#gcloud-credentials).\n\n### On-prem/other cloud\n\nWe recommend that you use Workload Identity Federation to set up authentication\nfrom outside of Google Cloud. For more information, see\n[Set up ADC for on-premises or another cloud provider](/docs/authentication/set-up-adc-on-premises)."]]
