Authenticate developers

In addition to administrative actions such as creating, updating, and deleting services, developers often want to test services privately before releasing them. This option is for Cloud Run services and not Cloud Run jobs.

Before you start

Make sure you grant permissions to access the services you are authenticating to. You must grant the Cloud Run Invoker role to the developer or group of developers:

Console UI

  1. Go to the Google Cloud console:

    Go to Google Cloud console

  2. Select the service, but don't click it.

  3. Click the Permissions tab in the right side panel. (You might need to first click Show Info Panel in the top right corner.)

  4. Click Add Principal.

  5. In the New principals field, enter the developer account email.

  6. Select the Cloud Run Invoker role from the Select a role drop-down menu.

  7. Click Save.

gcloud

Use the gcloud run services add-iam-policy-binding command:

gcloud run services add-iam-policy-binding SERVICE \
  --member='USER:EMAIL' \
  --role='roles/run.invoker'

where

  • SERVICE is the name of the service.
  • USER is the value user or group depending on whether you are authorizing a single developer or a group.
  • EMAIL is the email account.

    For example:

    gcloud run services add-iam-policy-binding myservice \
      --member='user:test-user@gmail.com' \
      --role='roles/run.invoker'

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Add the following to a google_cloud_run_v2_service resource in your Terraform configuration:

resource "google_cloud_run_v2_service_iam_binding" "binding" {
  project  = "PROJECT"
  location = "LOCATION"
  name     = "SERVICE"
  role     = "roles/run.invoker"
  members = [
    "user:EMAIL",
  ]
}

Replace:

  • PROJECT with the project ID the service belongs to.
  • LOCATION with the location of the Cloud Run service.
  • SERVICE with the name of the Cloud Run service to bind the IAM policy to.
  • EMAIL with the user's email account you are granting permissions for.

Test your private service

You can use the Cloud Run proxy or curl to test your private service.

Use the Cloud Run proxy in Google Cloud CLI

The easiest way for you to test private services is to use the Cloud Run proxy in Google Cloud CLI. This proxies the private service to http://localhost:8080 (or to the port specified with --port), providing the token of the active account or another token you specify. This lets you use a web browser or a tool like curl. This is the recommended way to privately test a website or API in your browser.

You can proxy a service locally using the following command line in a Linux, macOS, WSL (preferred), or cygwin environment:

gcloud run services proxy SERVICE --project PROJECT-ID

Use curl

Alternatively, you can test private services without the proxy by using a tool like curl and by passing an auth token in the Authorization header:

curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" SERVICE_URL

For the curl command to work, you must pass a valid ID token for a user with the run.routes.invoke permission, such as the Cloud Run Admin or Cloud Run Invoker. See Cloud Run IAM Roles for the full list of roles and their associated permissions.

Note: To use the curl command on Microsoft Windows, you might need the WSL (preferred) or cygwin command line.

To get a valid ID token for the identity logged into the gcloud CLI, use the gcloud auth print-identity-token command. You can use tokens created by the gcloud CLI to invoke HTTP requests in any project, as long as your account has the run.routes.invoke permission on the service.

For development purposes, use gcloud CLI-generated ID tokens. However, note that such tokens lack an audience claim, which makes them susceptible to replay attacks. In production environments, use ID tokens issued for a service account with the appropriate audience specified. This approach enhances security by restricting token usage to the intended service only. For non-user accounts, use Workforce Identity Federation to invoke your Cloud Run service so you don't have to download a service account key.
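The audience point above can be checked on a token you already hold before it is used outside development. The following is an added example, not part of the original page or Google's code: it decodes an ID token's payload and reports whether the aud claim is bound to the target service. The service URL, the helper names, and the sample tokens are constructed for illustration, and the signature is not verified here.

```python
import base64
import json
import time

SERVICE_URL = "https://myservice-example.a.run.app"  # constructed placeholder URL


def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_findings(id_token, service_url, now=None):
    """Return reasons this token should not be used against service_url."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    findings = []
    if not audiences:
        findings.append("no aud claim: token is not bound to any service")
    elif service_url.rstrip("/") not in [a.rstrip("/") for a in audiences]:
        findings.append("aud does not match the service URL")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings


def constructed_token(claims):
    """Build an unsigned sample token (constructed test data, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    dev = constructed_token({"email": "test-user@gmail.com", "exp": 2000000000})
    svc = constructed_token({"aud": SERVICE_URL, "exp": 2000000000})
    for name, token in (("developer-style token", dev), ("audience-bound token", svc)):
        print(name, "->", audience_findings(token, SERVICE_URL, now=1900000000) or "ok")
```

An empty result means the token names the service as its audience and has not expired; it says nothing about whether the signature is valid.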

When this document uses the term user account, it refers to a Google Account, or a user account managed by your identity provider and federated with Workforce Identity Federation.

You use the credentials provided by your user account to sign in to the tool.

We recommend that you allocate the minimum set of permissions required to develop and use your services. Make sure that IAM policies on your services are limited to the minimum number of users and service accounts.


Last updated 2026-02-19 UTC.