diff --git a/cloudrun/manifest.yaml b/cloudrun/manifest.yaml
index b6466f5..dd32da3 100644
--- a/cloudrun/manifest.yaml
+++ b/cloudrun/manifest.yaml
@@ -52,3 +52,6 @@ inputs:
 description: "The ingress for this Service. Possible values are INGRESS_TRAFFIC_ALL, INGRESS_TRAFFIC_INTERNAL_ONLY, or INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
 outputs:
+ http_endpoint:
+ type: string
+ description: "HTTP endpoint URL for service-to-service communication"
diff --git a/cloudrun/module/main.tf b/cloudrun/module/main.tf
index 3df789e..d0e14da 100644
--- a/cloudrun/module/main.tf
+++ b/cloudrun/module/main.tf
@@ -158,11 +158,14 @@ resource "random_string" "service_id" {
 upper = false
 }
-# Give all users permissions to execute the CloudRun service (is ingress only)
-resource "google_cloud_run_service_iam_member" "invoker" {
+# Grant service-to-service invoker permissions
+# Each service that needs to invoke this service gets the run.invoker role
+resource "google_cloud_run_service_iam_member" "service_invokers" {
+ for_each = var.suga.services
+ project = var.project_id
 service = google_cloud_run_v2_service.service.name
 location = google_cloud_run_v2_service.service.location
 role = "roles/run.invoker"
- member = "allUsers"
+ member = "serviceAccount:${each.value.identities["gcp:iam:service_account"].exports["gcp_service_account:email"]}"
 }
\ No newline at end of file
diff --git a/cloudrun/module/outputs.tf b/cloudrun/module/outputs.tf
index e684c98..ec9d171 100644
--- a/cloudrun/module/outputs.tf
+++ b/cloudrun/module/outputs.tf
@@ -1,7 +1,8 @@
 output "suga" {
 value = {
- id = google_cloud_run_v2_service.service.name
- domain_name = google_cloud_run_v2_service.service.uri
+ id = google_cloud_run_v2_service.service.name
+ domain_name = google_cloud_run_v2_service.service.uri
+ http_endpoint = google_cloud_run_v2_service.service.uri
 exports = {
 resources = {
 "google_cloud_run_v2_service" = google_cloud_run_v2_service.service.name
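Review bot: The `for_each = var.suga.services` in `service_invokers` grants `roles/run.invoker` to every service in the map, while the `actions = list(string)` that variables.tf adds for each entry is never consulted, so the grant is per-service but not scoped to the callers that actually need it; if the caller is expected to pass only the services that require access, state that in the comment (`# var.suga.services is expected to contain only the callers that need to invoke this service`), otherwise filter the map on the relevant action before iterating. Separately, the `member` expression indexes `identities["gcp:iam:service_account"]` and `exports["gcp_service_account:email"]` directly, so an entry without that identity fails the plan with a generic invalid-index error; a `lifecycle` precondition should surface which service is misconfigured instead, as sketched below. Dropping `member = "allUsers"` unconditionally means any deployment that relied on the old public invoker (the deleted comment tied it to ingress) will now reject unauthenticated requests — presumably intended, but worth stating in the commit message since the renamed resource destroys the old binding on apply.

```hcl
resource "google_cloud_run_service_iam_member" "service_invokers" {
  for_each = var.suga.services

  # … unchanged: project, service, location, role, member …

  lifecycle {
    precondition {
      condition     = can(each.value.identities["gcp:iam:service_account"].exports["gcp_service_account:email"])
      error_message = "Service '${each.key}' has no gcp:iam:service_account identity with a gcp_service_account:email export; it cannot be granted roles/run.invoker."
    }
  }
}
```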
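Review bot: The new `http_endpoint` output is set to `google_cloud_run_v2_service.service.uri`, the same value already exposed as `domain_name`, so from outputs.tf alone the two are indistinguishable and the reason for a second name is only visible in the manifest description. A comment on the added line would make the intent explicit, e.g. `# same URL as domain_name; exposed separately as the target for authenticated service-to-service calls`. Now that the public invoker is removed in main.tf, callers reaching this URL must present a Google-signed ID token whose audience is the service URL, so consumers of this output need that token flow documented alongside the IAM grant. The `output "suga"` block continues past the end of the hunk.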
diff --git a/cloudrun/module/variables.tf b/cloudrun/module/variables.tf
index 321d75e..db4fd69 100644
--- a/cloudrun/module/variables.tf
+++ b/cloudrun/module/variables.tf
@@ -7,6 +7,12 @@ variable "suga" {
 identities = map(object({
 exports = map(string)
 }))
+ services = optional(map(object({
+ actions = list(string)
+ identities = map(object({
+ exports = map(string)
+ })))
+ })), {})
 })
 }
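Review bot: The new `services` attribute carries no comment describing what its keys and values are, and `actions` is declared as a required `list(string)` even though nothing in this commit reads it (the invoker grant in main.tf iterates the whole map). Add a comment above the attribute, e.g. `# Callers permitted to invoke this service, keyed by service name; each must carry a gcp:iam:service_account identity`, and either change the field to `actions = optional(list(string), [])` or note in the comment which action values are expected so callers know what to supply. The enclosing `variable "suga"` block starts before this hunk, so a `description` update on the variable itself would also fall outside it.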