
Move Cloud Run public invoker access out of deploy script #3712

Description

@anth-volk

Problem

.github/scripts/deploy_cloud_run_candidate.sh currently deploys the staging Cloud Run candidate with --allow-unauthenticated. That flag does more than configure the revision: gcloud run deploy attempts to update the Cloud Run service IAM policy so unauthenticated callers can invoke the service.

That means every CI/CD deploy can attempt to mutate IAM, which is not the right responsibility for the deploy script and can fail if the deploy identity lacks IAM policy update permissions.

Proposed change

Remove --allow-unauthenticated from .github/scripts/deploy_cloud_run_candidate.sh and configure Cloud Run invoker access separately as infrastructure/bootstrap configuration. The Cloud Run service should have allUsers granted roles/run.invoker once, outside the normal deploy path, if public unauthenticated invocation is intended.

Acceptance criteria

  • deploy_cloud_run_candidate.sh no longer passes --allow-unauthenticated to gcloud run deploy.
  • Cloud Run invoker access is documented or configured through the proper infrastructure/bootstrap pathway.
  • CI/CD can deploy tagged no-traffic Cloud Run staging candidates without needing IAM policy update permissions.
  • The existing Cloud Run staging health/integration checks still work against the tagged candidate URL.

Context

This came up while reviewing the Stage 3 Cloud Run staging deployment path. The deploy script should deploy images, revisions, tags, env vars, and secrets; IAM access should be managed separately.
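As an added example (not the project's `deploy_cloud_run_candidate.sh` and not code from the issue author), the split described above in POSIX sh: a deploy function that passes only image, tag, region and traffic flags and never touches IAM; a separate one-time bootstrap function that grants `allUsers` `roles/run.invoker`; a CI guard that fails if the IAM-mutating flag creeps back into the script; and a check that the service policy actually carries the public invoker binding before the staging checks rely on it. The service name, region, image, tag, the `GCLOUD` override (set to `echo` to dry-run offline) and the alphabetical key order of `gcloud --format=json` output are assumptions.

```shell
#!/usr/bin/env sh
# GCLOUD is overridable so the functions can be exercised offline
# (GCLOUD=echo prints the command that would have run). Assumption, not a
# project convention.
GCLOUD="${GCLOUD:-gcloud}"

# Deploy a tagged, no-traffic staging candidate. Deliberately no
# --allow-unauthenticated: this call must not attempt to change the service
# IAM policy, so the CI identity only needs deploy permissions.
# Arguments: service region image tag (all constructed by the caller)
deploy_candidate() {
  service=$1; region=$2; image=$3; tag=$4
  "$GCLOUD" run deploy "$service" \
    --region "$region" \
    --image "$image" \
    --tag "$tag" \
    --no-traffic \
    --quiet
}

# One-time bootstrap, run outside CI/CD by an identity allowed to set the
# service IAM policy. Grants allUsers roles/run.invoker so the service (and
# its tagged candidate URLs) can be invoked without authentication.
# Re-running it is harmless: an existing binding is simply kept.
grant_public_invoker() {
  service=$1; region=$2
  "$GCLOUD" run services add-iam-policy-binding "$service" \
    --region "$region" \
    --member allUsers \
    --role roles/run.invoker
}

# CI guard: succeed (0) only if the deploy script contains no
# --allow-unauthenticated, so the IAM mutation cannot return unnoticed.
# Argument: path to the deploy script.
deploy_script_is_iam_free() {
  ! grep -q -- '--allow-unauthenticated' "$1"
}

# Post-bootstrap verification. Reads the policy JSON on stdin, e.g. from
#   gcloud run services get-iam-policy SERVICE --region REGION --format=json
# and returns 0 if a binding grants allUsers roles/run.invoker.
# Assumes the alphabetical key order ("members" before "role") of gcloud's
# JSON output and an unconditional binding.
policy_grants_public_invoke() {
  tr -d ' \n\t' \
    | grep -q '{"members":\[[^]]*"allUsers"[^]]*\],"role":"roles/run.invoker"}'
}
```

Usage in a pipeline: `GCLOUD=echo deploy_candidate api-staging us-central1 gcr.io/p/img:abc cand-abc` prints the exact `gcloud run deploy` invocation for review, `deploy_script_is_iam_free .github/scripts/deploy_cloud_run_candidate.sh` is a cheap pre-merge check, and `gcloud run services get-iam-policy ... --format=json | policy_grants_public_invoke` confirms once that the bootstrap step was applied.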
