Marco Cassar
Templates by Marco Cassar
Securely call Google Cloud Run APIs with service account auth (main-workflow)
Who it’s for? Anyone who wants a simple, secure way to call a Google Cloud Run endpoint from n8n—without exposing it publicly. People who want a cheap/free-tier way to run custom API logic without hosting n8n or spinning up servers. Example: you’ve got scraping code that needs specific system/python libs—build it into a Dockerfile on Cloud Run, then call it as a secure endpoint from n8n. How it works This is a conjunctive workflow: the main workflow calls Service Auth (sub-workflow) to get a Google ID token, merges that auth with your context, then calls your Cloud Run URL with Authorization: Bearer <id_token>. Works great for single calls or looping over items. How to set up General instructions below—see my detailed guide for more info: Build a Secure Google Cloud Run API, Then Call It from n8n (Free Tier) Setup: Create a Cloud Run service and enable Require authentication (Cloud IAM). Create a Google Service Account and grant Cloud Run Invoker on that service. In n8n, import the workflows and update the Vars node (serviceurl, optional servicepath). Create a JWT (PEM) credential from your service account key, then run. Make sure to read the sticky notes in the workflows—they contain helpful pointers and optional configurations. Requirements Cloud Run service URL (auth required) Google Service Account with Cloud Run Invoker Private key JSON fields downloaded from Service Account | needed to generate JWT credentials How to customize Change the HTTP method/path/body in Cloud Run Request, or drop the Service Auth (sub-workflow) into other workflows to reuse the same auth pattern. More details Full write-up (minimal + modular flows), screenshots, and more: Build a Secure Google Cloud Run API, Then Call It from n8n (Free Tier) — by Marco Cassar
By Marco CassarAutomatic Google Cloud Run auth with JWT token management (sub-workflow)
Who it’s for? Anyone calling a Google Cloud Run service from n8n who wants a small, reusable auth layer instead of wiring tokens in every workflow. What it does / How it works This sub-workflow checks whether an incoming idtoken exists and is still valid (with a 5-minute buffer). If it’s good, it reuses it. If not, it signs a short-lived JWT with your service account, exchanges it at Google’s token endpoint, and returns a fresh idtoken. It also passes through serviceurl and an optional servicepath so the caller can hit the endpoint right away. (Designed to be called via Execute Workflow from your main flow.) How to set up Add your JWT (PEM) credential using the service account private_key. In Vars, set clientemail (from your key) and confirm tokenuri is https://oauth2.googleapis.com/token. Call this sub-workflow with serviceurl (and optional servicepath). Optionally include a prior id_token to enable reuse. Inputs / Outputs Inputs: idtoken (optional), serviceurl, service_path Outputs: idtoken, serviceurl, service_path Notes Built for loops: pair with a Merge/Split strategy to attach id_token to each item. Keep credentials in n8n Credentials (no keys in nodes). Full write-up and context: Build a Secure Google Cloud Run API, Then Call It from n8n (Free Tier) — by Marco Cassar
By Marco CassarSecurely call private Google Cloud Run APIs with JWT authentication (simplified)
Who it’s for? Anyone who wants a dead-simple, free-tier friendly way to run custom API logic on Google Cloud Run and call it securely from n8n—no public exposure, no local hosting. What it does Minimal flow: Set → JWT (sign) → HTTP (token exchange) → HTTP (call Cloud Run with Authorization: Bearer <id_token> ). No caching, no extras—just enough to authenticate and hit your endpoint. How to set up General instructions below—see my detailed guide for more info: Build a Secure Google Cloud Run API, Then Call It from n8n (Free Tier) Setup: Create a Cloud Run service and enable Require authentication (Cloud IAM). Create a Google Service Account with Cloud Run Invoker on that service. In n8n, set serviceurl, clientemail, token_uri (https://oauth2.googleapis.com/token) in Set. Create a JWT (PEM) credential from your service account key (paste the full BEGIN/END block). Run the workflow; the second HTTP node calls your Cloud Run URL with the ID token. Requirements Cloud Run service URL (auth required) Google Service Account with Cloud Run Invoker Private key JSON fields downloaded from Service Account | needed to generate JWT credentials More details Full write-up (minimal + modular versions): Build a Secure Google Cloud Run API, Then Call It from n8n (Free Tier)
By Marco Cassar