I'm trying to run a docker image on Cloud Run with the Terraform code below:
```hcl
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-214771"
  region      = "asia-northeast1"
}

resource "google_cloud_run_service" "default" {
  name     = "hello-world"
  location = "asia-northeast1"

  template {
    spec {
      containers {
        image = "gcr.io/myproject-214771/hello-world:latest"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }
}
```
Then the docker image ran successfully:
But when I access the URL, it shows this:
```
Error: Forbidden Your client does not have permission to get URL / from this server
```
Are there any mistakes in my Terraform code?
Add (copy & paste) the code below to your Terraform code to allow unauthenticated invocations for a public API or website:
```hcl
data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "noauth" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.noauth.policy_data
}
```
So this is the full code:
```hcl
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-214771"
  region      = "asia-northeast1"
}

resource "google_cloud_run_service" "default" {
  name     = "hello-world"
  location = "asia-northeast1"

  template {
    spec {
      containers {
        image = "gcr.io/myproject-214771/hello-world:latest"
      }
    }
  }

  traffic {
    percent         = 100
    latest_revision = true
  }
}

data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "noauth" {
  location    = google_cloud_run_service.default.location
  project     = google_cloud_run_service.default.project
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.noauth.policy_data
}
```
Finally, your URL shows your website properly:
Moreover, now "Authentication" is "Allow unauthenticated":
Don't forget to add the role "Cloud Run Admin" to your service account:
Otherwise, you cannot allow unauthenticated invocations for a public API or website, and you will get the error below:
```
Error setting IAM policy for cloudrun service "v1/projects/myproject-214771/locations/asia-northeast1/services/hello-world": googleapi: Error 403: Permission 'run.services.setIamPolicy' denied on resource 'projects/myproject-214771/locations/asia-northeast1/services/hello-world' (or resource may not exist).
```
Moreover, with these roles below, you cannot allow unauthenticated invocations for a public API or website:
Only the role "Cloud Run Admin" can allow unauthenticated invocations for a public API or website.
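The `allUsers` binding on `roles/run.invoker` in the answer above is what makes the service reachable without any credentials, so it is worth being able to tell from a service's IAM policy whether it is public and to produce the least-privilege counterpart. The following is an added example, not code from the original question or answer: it audits a Cloud Run IAM policy document for public invoker bindings and rewrites the policy so only one named principal can invoke. The policy shape (`bindings` / `role` / `members` / `etag`) is the one returned by `gcloud run services get-iam-policy ... --format=json`; the sample policy and the service-account e-mail addresses are constructed, and only the project id `myproject-214771` is taken from the page.

```python
"""Audit a Cloud Run service IAM policy for public invoker bindings.

Added example (not from the original post). The policy document below is a
constructed sample in the shape returned by
  gcloud run services get-iam-policy SERVICE --region REGION --format=json
i.e. {"bindings": [{"role": ..., "members": [...]}], "etag": ...}.
"""
import json

# Principals that grant access to anyone on the internet (allUsers) or to any
# Google account holder (allAuthenticatedUsers); both count as "public".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
INVOKER_ROLE = "roles/run.invoker"

# Constructed sample: roughly what the policy looks like after applying the
# google_cloud_run_service_iam_policy resource from the answer above. The
# service-account address and etag are made up.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.admin",
         "members": ["serviceAccount:deployer@myproject-214771.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXexampleEtag=",
})


def find_public_invokers(policy_json: str) -> list:
    """Return the public principals bound to roles/run.invoker, sorted.

    An empty list means the service cannot be called anonymously.
    """
    policy = json.loads(policy_json)
    hits = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                hits.append(member)
    return sorted(hits)


def is_public(policy_json: str) -> bool:
    """True when at least one public principal can invoke the service."""
    return bool(find_public_invokers(policy_json))


def restricted_policy(policy_json: str, allowed_member: str) -> str:
    """Rewrite the policy so that only `allowed_member` holds roles/run.invoker.

    All other bindings (e.g. roles/run.admin) are kept untouched, and the etag
    is preserved so a later set-iam-policy is rejected if the policy changed
    underneath. `allowed_member` uses IAM member syntax, e.g.
    "serviceAccount:name@project.iam.gserviceaccount.com".
    """
    policy = json.loads(policy_json)
    bindings = [b for b in policy.get("bindings", []) if b.get("role") != INVOKER_ROLE]
    bindings.append({"role": INVOKER_ROLE, "members": [allowed_member]})
    policy["bindings"] = bindings
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("public invokers:", find_public_invokers(SAMPLE_POLICY_JSON))
    # Constructed caller identity for the locked-down variant.
    caller = "serviceAccount:caller@myproject-214771.iam.gserviceaccount.com"
    locked = restricted_policy(SAMPLE_POLICY_JSON, caller)
    print("after restriction:", find_public_invokers(locked))
```

Note that the Terraform `google_cloud_run_service_iam_policy` resource is authoritative, so the policy it writes replaces every existing binding on the service; a check like `find_public_invokers` run against the live policy after `terraform apply` confirms exactly which principals ended up with `roles/run.invoker`.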