Hi Team,
I have a scenario relating to Cloud Run invoke access, as below.
There are two GCP projects, as below:
project a:
  cloud run 1
  cloud run 2
  cloud run 3
project b:
  cloud run 1
  cloud run 2
  cloud run 3
In my current set-up, cloud runs in project "a" can invoke all the cloud runs in project "b", as I have given the service account in project "a" the "Cloud Run Invoker" access.
But I want to have the below restriction:
Cloud Runs in project "a" should be able to invoke all the cloud runs in project "b" except "cloud run 3".
Do we have any out-of-the-box implementations to incorporate this use case related to custom restrictions?
Please let me know in case of any question.
Regards,
Pradeep
I am sensing that, in project "B", you have defined a "Project" level IAM grant to your service account of "run.invoker". What this means is that ALL the Cloud Run instances that are owned by project "B" can be invoked by the service account. What I suspect you may want is to remove that configuration and then, on a Cloud Run service-by-service basis, define that the service account is allowed to invoke it. You can then choose which Cloud Run services can be invoked explicitly by the desired service account.
Another thought (but now discarded) was to use IAM Conditional rules. This says that you can define a rule at the project level which "conditionally" applies. Unfortunately, Cloud Run is not yet supported by IAM Conditional rules.
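One way to see why the per-service approach described above works, as an added example that is not part of the thread and not Google's own code: a small offline model of how Cloud Run invoker access composes from project-level and service-level IAM allow bindings, together with the gcloud commands that would carry out the migration. The project id, region, service names and the caller service account name are assumptions chosen to match the thread.

```python
"""
Added example (not from the original thread): models how roles/run.invoker
access composes from project-level and service-level IAM bindings, and
generates the gcloud commands for moving to explicit per-service grants.
Project id, region, service names and the caller account are assumed values.
"""
from dataclasses import dataclass, field

INVOKER = "roles/run.invoker"
# Assumed caller identity: the service account living in project "a".
CALLER = "serviceAccount:invoker@project-a.iam.gserviceaccount.com"


@dataclass
class Policy:
    """An IAM allow policy: role -> set of members."""
    bindings: dict = field(default_factory=dict)

    def grant(self, role, member):
        self.bindings.setdefault(role, set()).add(member)

    def revoke(self, role, member):
        self.bindings.get(role, set()).discard(member)

    def allows(self, role, member):
        return member in self.bindings.get(role, set())


@dataclass
class Project:
    name: str
    policy: Policy = field(default_factory=Policy)        # project-level policy
    services: dict = field(default_factory=dict)          # service name -> Policy


def can_invoke(project, service, member):
    """IAM allow policies are a union over the resource hierarchy: the caller
    may invoke the service if EITHER the project-level policy OR the service's
    own policy grants roles/run.invoker. No allow binding can express "except",
    which is why a project-level grant cannot exclude a single service."""
    return (project.policy.allows(INVOKER, member)
            or project.services[service].allows(INVOKER, member))


def invocable_services(project, member):
    return sorted(s for s in project.services if can_invoke(project, s, member))


def restrict_to(project, allowed, member):
    """Apply the answer above: drop the project-wide grant, then grant
    invoker explicitly on each service that should remain callable."""
    project.policy.revoke(INVOKER, member)
    for svc in allowed:
        project.services[svc].grant(INVOKER, member)


def migration_commands(project_id, region, allowed, member):
    """The same change as restrict_to(), expressed as real gcloud commands:
    one project-level removal followed by one per-service binding."""
    cmds = [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member={member} --role={INVOKER}"
    ]
    cmds += [
        f"gcloud run services add-iam-policy-binding {svc} --project={project_id} "
        f"--region={region} --member={member} --role={INVOKER}"
        for svc in allowed
    ]
    return cmds


def build_project_b():
    """Constructed starting state matching the thread: project 'b' with three
    services and a project-level roles/run.invoker grant to the caller."""
    b = Project("project-b",
                services={f"cloud-run-{i}": Policy() for i in (1, 2, 3)})
    b.policy.grant(INVOKER, CALLER)
    return b


if __name__ == "__main__":
    b = build_project_b()
    print("before:", invocable_services(b, CALLER))
    allowed = ["cloud-run-1", "cloud-run-2"]
    restrict_to(b, allowed, CALLER)
    print("after: ", invocable_services(b, CALLER))
    for cmd in migration_commands("project-b", "us-central1", allowed, CALLER):
        print(cmd)
```

Running it shows all three services invocable under the project-level grant and only cloud-run-1 and cloud-run-2 afterwards; the printed commands are the ones you would run against the real project, with the placeholder project id, region and account replaced by your own.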
Hi @dumpalap
You can use a condition-based IAM policy.
https://cloud.google.com/iam/docs/conditions-overview