I followed the tutorial (how create public cloud run services when domain restricted sharing enforced) that Damien S suggested in another post (Starting a docker container in Cloud Run) and was able to do everything as suggested with a slight modification. But when trying to grant the run.invoker permission to the allUsers identity for the tagged Cloud Run service, it failed with the same error that the tutorial was first explaining how to conditionally work around.
I had to modify the tag script that was supplied because it does not work and kept displaying the error message below, apparently because the tag syntax from the time the article was put together is now obsolete:
ERROR: (gcloud.resource-manager.tags.bindings.create) PERMISSION_DENIED: The caller does not have permission. This command is authenticated as b@test.com which is the active account specified by the [core/account] property
- '@type': type.googleapis.com/google.rpc.ResourceInfo
  description: permission [resourcemanager.tagValueBindings.create] required (or the
    resource may not exist in this location)
  resourceName: ORGANIZATION_ID/allUsersIngress/True
Original:
gcloud resource-manager tags bindings create \
--tag-value=ORGANIZATION_ID/allUsersIngress/True \
--parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
--location=REGION
Modified:
# TAG_VALUE_ID is the numeric ID of the tag value; the reference uses a forward slash (tagValues/...)
gcloud resource-manager tags bindings create \
--tag-value=tagValues/TAG_VALUE_ID \
--parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
--location=REGION
At this point I have my Org and Cloud Run service tagged as expected and the conditional DRS policy set using a policy file named drs-policy.yaml, but I am still unable to grant the run.invoker permission to the allUsers identity for the tagged Cloud Run service.
Please advise.
Thanks in advance, Mario
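The three steps the post describes (set the conditional DRS policy from drs-policy.yaml, bind the tag to the service, grant roles/run.invoker to allUsers), assembled as an added example. This is not code from the post or from Google's tutorial. It assumes the tag key is allUsersIngress with value True under the organization, that CUSTOMER_ID is the customer ID the existing DRS rule already allows, and it invents a RUN_GCLOUD switch so nothing is sent to gcloud unless you ask; by default the script only renders the policy file and prints the commands, which is why the --tag-value check can be exercised offline.

```shell
#!/bin/sh
# Added example for the conditional DRS workflow (assumed names: allUsersIngress,
# CUSTOMER_ID, RUN_GCLOUD). Not from the original post or Google's tutorial.
set -eu

POLICY_FILE=${POLICY_FILE:-drs-policy.yaml}

# gcloud resolves exactly two --tag-value forms:
#   tagValues/<numeric id>                 e.g. tagValues/123456789012
#   <org id>/<key short name>/<value>      e.g. 123456789012/allUsersIngress/True
# A backslash (tagValues\ID) or a missing segment is rejected before gcloud runs,
# which is otherwise reported only as a generic PERMISSION_DENIED.
tag_value_ref_ok() {
  printf '%s\n' "$1" |
    grep -Eq '^(tagValues/[0-9]+|[0-9]+/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)$'
}

# Full resource name of a regional Cloud Run service, as --parent expects it.
service_parent() { # project region service
  printf '//run.googleapis.com/projects/%s/locations/%s/services/%s\n' "$1" "$2" "$3"
}

# Render the DRS policy: the unconditional rule keeps the domain allow-list,
# the conditional rule allows every member (allUsers included) only on
# resources that carry the tag. resource.matchTag takes the key's namespaced
# name ("ORG_ID/key") and the value's short name.
render_drs_policy() { # org_id customer_id tag_key tag_value
  cat <<EOF
name: organizations/$1/policies/iam.allowedPolicyMemberDomains
spec:
  rules:
  - values:
      allowedValues:
      - $2
  - allowAll: true
    condition:
      expression: "resource.matchTag('$1/$3', '$4')"
      title: allow public ingress on tagged resources
EOF
}

# Print each command; execute it only when RUN_GCLOUD=1.
run() {
  printf '+ %s\n' "$*"
  if [ "${RUN_GCLOUD:-0}" = 1 ]; then "$@"; fi
}

# Policy first, then the tag binding, then the public invoker grant: the
# grant is evaluated against the tag, so the order matters.
publish_service() { # org_id customer_id project region service tag_value_ref
  org=$1; customer=$2; project=$3; region=$4; service=$5; tv=$6
  tag_value_ref_ok "$tv" || { echo "bad --tag-value reference: $tv" >&2; return 1; }
  render_drs_policy "$org" "$customer" allUsersIngress True > "$POLICY_FILE"
  run gcloud org-policies set-policy "$POLICY_FILE"
  run gcloud resource-manager tags bindings create \
      --tag-value="$tv" \
      --parent="$(service_parent "$project" "$region" "$service")" \
      --location="$region"
  run gcloud run services add-iam-policy-binding "$service" \
      --region="$region" --member=allUsers --role=roles/run.invoker
}
```

Usage: `RUN_GCLOUD=1 sh publish.sh` after calling `publish_service ORG_ID CUSTOMER_ID PROJECT_ID REGION SERVICE tagValues/TAG_VALUE_ID` at the bottom of the script (or from an interactive shell that has sourced it). Two checks worth making before blaming the policy: the --tag-value reference must be one of the two forms above, and the caller needs resourcemanager.tagValueBindings.create, which roles/resourcemanager.tagUser grants on the tag value; the error in the post names that exact permission.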
Hi @MarioMont,
Welcome to Google Cloud Community!
Right now, the Invoker feature doesn’t play nice with the Domain Restricted Sharing (DRS) settings in GCP, making it tough to create public-facing Cloud Run Functions. DRS blocks any IAM policies that include members like allUsers, which is a real headache for those looking to make their services publicly accessible.
The current workaround requires customers to exempt their projects from the org policy by resetting it to default at the project level. Unfortunately, this doesn’t let you manage public access on a service-by-service basis, which isn’t ideal.
You can file this in the public issue tracker, but just a heads-up—there’s no specific timeline for when it will be resolved. If you’re looking for a specific workaround or need something more immediate, you may reach out to Google Cloud Support.
I hope the above information is helpful.