Unauthenticated CloudRun with Deployment Manager

Question

I'm attempting to set a CloudRun container as publicly accessible with deployment manager. I'm hitting an error Parameter for gcpIamMemberBinding at position 1 is not of type map, value was [null]

I've set the Google APIs Service Agent to have role/owner, so it can't be a permission issue.

I've also tried adding metadata dependons:

'metadata': {
  'dependsOn': ['{}-cloudrun'.format(name)]
},

I can't really find any useful resources which demonstrate Deployment Manager with CloudRun and not being able to set the container as public is a show stopper at step 1.

Deployment Snippet

'name': '{}-cloudrun-policy'.format(name),
'type': 'gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding',
'properties': {
   'resource': 'projects/{}/locations/{}/services/{}'.format(project, region, name),
   'role': 'roles/run.invoker',
   'member': 'allUsers',
},

Full Error

InputMapping for field [policy] for method [setIamPolicy] could not be set from input, mapping was: [$.gcpIamMemberBinding($.intent, $.inputs.policy.response, $.resource.properties)], and evaluation context was:
...
...
...
Error was:
Parameter for gcpIamMemberBinding at position 1 is not of type map, value was [null]

Answer 1

Cloud Run supports two methods of supporting the role roles/run.invoker. The first is assigning an IAM policy to the project. The second method is assigning an IAM policy to the Cloud Run resource.

Your question is using the first method (which is not supported).

Google Cloud projects do not allow IAM policies (projects.setIamPolicy) with the members allUsers or allAuthentiatedUsers.

You can assign those identities directly to a Cloud Run resource (the second method).

However, Deployment Manager does not support Cloud Run. You will need to use another tool to assign an IAM policy to a Cloud Run resource.

To list the supported resource types: gcloud deployment-manager types list.