❯ Guillaume Laforge

Serverless tip #5 — How to invoke a secured Cloud Run service locally


  • an existing Google Cloud Platform account with a project
  • you have enabled the Cloud Run service and already deployed a container image
  • your local environment’s gcloud is already configured to point at your GCP project

By default, when you deploy a Cloud Run service, it is secured by default, unless you use the –allow-unauthenticated flag when using the gcloud command-line (or the appropriate checkbox on the Google Cloud Console).

But once deployed, if you want to call it locally from your development machine, for testing purpose, you’ll have to be authenticated.

If you look at the Cloud Console, alongside the URL of the service, you can hover the little icon next to the URL, and you’ll see the a pop-up showing how you can invoke that service with a curl command:

curl -H \
    "Authorization: Bearer $(gcloud auth print-identity-token)" \

Note how a bearer token generated by the gcloud command is passed as header to the curl request.

More information