https://pulumi.com logo
#google-cloud
Title
# google-cloud
c

colossal-tailor-72573

11/02/2023, 6:22 PM
Hello All -- just getting to know google cloud and pulumi. I'm not sure I understand how the cloudrunv2 iam stuff works. I'd like to allow unauthenticated users access to invoke a cloudrun service. I'm guessing I'm supposed to attach the "allUsers" to "roles/run.invoker" for the service. However, none of the service iam functions let you specify which service you're referring to. What am I missing? https://www.pulumi.com/registry/packages/gcp/api-docs/cloudrunv2/serviceiambinding/
f

full-eve-52536

11/02/2023, 6:28 PM
This is what I do in TypeScript:
Copy code
new gcp.cloudrun.IamBinding('idp-api-service-iam-binding', {
  location: gcpConfig.require('region'),
  service: idpApiCloudRunService.name,
  role: 'roles/run.invoker',
  members: ['allUsers'],
});
Adding that binding will ensure the CloudRun service allows unauthenticated user access.
I know that's not cloudrun V2, but it seems to work fine even though the service was created with cloudrunv2
c

colossal-tailor-72573

11/02/2023, 6:29 PM
Yeah -- I'm trying the go version of that now. But that is using the cloudrun package not the cloudrunv2 package
giving it a shot right now 🙂
That does indeed work! Thanks
g

glamorous-jelly-86558

11/02/2023, 10:19 PM
We got this to work for cloudrunv2 (TypeScript)
Copy code
// Create an IAM member to allow the service to be publicly accessible.
const apiNestInvoker = new gcp.cloudrunv2.ServiceIamBinding(
  'api-server-invoker',
  {
    role: 'roles/run.invoker',
    members: ['allUsers'],
    name: apiServerService.name,
    location: gcpRegion,
    project: projectNameAndId,
  },
);
c

colossal-tailor-72573

11/02/2023, 11:20 PM
I tried that before I used the cloudrun package. It doesn't even compile as the args don't have a name property
3 Views