-
…in reply to @gropital
gropital KrisABraun googlecloud Cloud Run and Cloud Functions have a built-in IAM invoker permission, and Cloud Workflows need to be granted the permission to invoke them. The Ingress=Internal is an additional (and optional) layer of security that is indeed more "VPC bound".