gcloud alpha run instances add-iam-policy-binding

NAME

gcloud alpha run instances add-iam-policy-binding - add IAM policy binding to a Cloud Run instance

SYNOPSIS

gcloud alpha run instances add-iam-policy-binding INSTANCE --member=PRINCIPAL --role=ROLE [--region=REGION] [GCLOUD_WIDE_FLAG …]

DESCRIPTION

(ALPHA) Add an IAM policy binding to the IAM policy of a Cloud Run instance. One binding consists of a member, and a role.

EXAMPLES

To add an IAM policy binding for the role of 'roles/run.viewer' for the user 'test-user@gmail.com' with instance 'my-instance' and region 'us-central1', run:

gcloud alpha run instances add-iam-policy-binding my-instance --region='us-central1' --member='user:test-user@gmail.com' --role='roles/run.viewer'

See https://cloud.google.com/iam/docs/managing-policies for details of policy role and member types.

POSITIONAL ARGUMENTS

Instance resource - The instance for which to add IAM policy binding to. This represents a Cloud resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.

To set the project attribute:

provide the argument instance on the command line with a fully specified name;
provide the argument --project on the command line;
set the property core/project.

To set the region attribute:

provide the argument instance on the command line with a fully specified name;
provide the argument --region on the command line;
set the property run/region;
specify from a list of available regions in a prompt.

This must be specified.

INSTANCE

ID of the instance or fully qualified identifier for the instance. To set the instance attribute:

provide the argument instance on the command line.

REQUIRED FLAGS

--member=PRINCIPAL

The principal to add the binding for. Should be of the form user|group|serviceAccount:email or domain:domain.

Examples: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, or domain:example.domain.com.

Some resources also accept the following special values:

allUsers - Special identifier that represents anyone who is on the internet, with or without a Google account.
allAuthenticatedUsers - Special identifier that represents anyone who is authenticated with a Google account or a service account.

--role=ROLE

Role name to assign to the principal. The role name is the complete path of a predefined role, such as roles/logging.viewer, or the role ID for a custom role, such as organizations/{ORGANIZATION_ID}/roles/logging.viewer.

OPTIONAL FLAGS

--region=REGION: Region in which the resource can be found. Alternatively, set the property [run/region].

GCLOUD WIDE FLAGS

These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

API REFERENCE

This command uses the run/v1 API. The full documentation for this API can be found at: https://cloud.google.com/run/

NOTES

This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-05-27 UTC.

gcloud alpha run instances add-iam-policy-binding Stay organized with collections Save and categorize content based on your preferences.

gcloud alpha run instances add-iam-policy-binding