This page provides information and links for authenticating to the Cloud Run Admin API. You can access the Cloud Run Admin API using the following methods:
- Google Cloud CLI
- REST API
- Cloud Client Libraries
This page doesn't cover authenticating to Cloud Run services. For that information, see Authentication overview for Cloud Run services.
Authenticate to the Cloud Run Admin API
Authentication varies by the environment that you run your service in. Click a tab for instructions for your use case:
Google Cloud CLI
To authenticate a workload running on Google Cloud, use the credentials of the service identity attached to the Cloud Run service by following these steps:
- Install the Google Cloud CLI, then initialize it using the following command:
gcloud init
Set up authentication:
Create the service account:
Replace SERVICE_ACCOUNT_NAME with a name for the service account.gcloud iam service-accounts create SERVICE_ACCOUNT_NAME
Provide access to your project and your resources by granting a role to the service account:
Replace the following:gcloud projects add-iam-policy-binding PROJECT_ID
--member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com"
--role=ROLE- SERVICE_ACCOUNT_NAME: the name of the service account
- PROJECT_ID: the project ID where you created the service account
- ROLE: the role required to access the Cloud Client Libraries.
To grant another role to the service account, run the command as you did in the previous step.
Grant your account a role that lets you use the service account roles and attach the service account to other resources:
Replace the following:gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
--member="user:USER_EMAIL" --role=roles/iam.serviceAccountUser- SERVICE_ACCOUNT_NAME: the name of the service account
- PROJECT_ID: the project ID where you created the service account
- USER_EMAIL: the email address for your account
Create the resource that will run your code, and attach the service account to that resource.
Local development
You can set up credentials for a local development environment in the following ways:
- User credentials for client libraries or third-party tools
User credentials for REST requests from the command line
Client libraries or third-party tools
Set up Application Default Credentials (ADC) in your local environment:
-
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
A login screen is displayed. After you log in, your credentials are stored in the local credential file used by ADC.
For more information, see Set up ADC for a local development environment.
REST requests from the command line
When you make a REST request from the command line, you can use your gcloud CLI credentials by including
gcloud auth print-access-token
as part of the command that sends the request.The following example lists service accounts for the specified project. You can use the same pattern for any REST request.
Before using any of the request data, make the following replacements:
- PROJECT_ID: Your Google Cloud project ID.
To send your request, expand one of these options:
For more information about authenticating using REST and gRPC, see Authenticate for using REST. For information about the difference between your local ADC credentials and your gcloud CLI credentials, see gcloud CLI credentials and ADC credentials.
-
On-prem/other cloud
We recommend that you use Workload Identity Federation to set up authentication from outside of Google Cloud. For more information, see Set up ADC for on-premises or another cloud provider.