Unable to add "allUsers" to IAM policy for Cloud Functions (v2) in a project with "No organization"

Hello,

I am facing an issue with my Google Cloud project: (PII Removed by Staff)

**Problem:**
I am trying to make a 2nd Gen Cloud Function publicly accessible. However, when I try to grant the “Cloud Run Invoker” role to “allUsers” in IAM, I get the following error:

“Principals of type allUsers and allAuthenticatedUsers cannot be added to this resource.”

**What’s strange:**
My project is listed as having “No organization” in the console. This error should typically only occur when an organization policy (like iam.allowedPolicyMemberDomains) is enforced, but I cannot view or edit any organization policies.

**What I have already checked:**

• A valid billing account is linked to the project.

• The following APIs are enabled: Vertex AI API, Cloud Run Admin API, Cloud Build API.

It seems my project is in an inconsistent state where it is being affected by an organization-like policy despite having “No organization”.

Could you please investigate why this restriction is being applied to my project and how I can resolve it to allow “allUsers”?

Thank you

Hello @Hello-omynameisKyoto

You don’t need to use IAM for that.

Instead, go to your cloud function and check that your CF is configured as follows:

• Networking > Ingress: Select “All” (Allow direct access to your service from the internet)

  

  Screenshot 2025-10-16 at 13.43.17536×338 21.3 KB

• Security > Authentication: Select “Allow public access” (No authentication checks will be performed)

  

  image604×193 12.8 KB

But, since you were not aware of that, I would tread carefully with such a configuration because it means that anyone from the outside could call your function, potentially generating costs and leading to a billing bomb.

Otherwise, I don’t see why you’re trying to use allUsers.

Feel free to tell me what you’re looking to achieve, and I will do my best to help you.