1. Introduction
Overview
This codelab walks you through how to enable Identity-Aware Proxy (IAP) from Cloud Run and secure traffic bound for a Cloud Run service by routing it to IAP for authentication. When you enable IAP from Cloud Run, traffic from all ingress paths, including the default run.app URL and any load balancer, is routed through IAP with a single setting.
In this codelab, you'll deploy the hello container service. Only users who have been allowlisted through IAP can reach it.
For known limitations, see the IAP on Cloud Run documentation.
What you'll learn
- How to enable one-click IAP for Cloud Run
- How to grant a user identity access to a Cloud Run service through IAP
2. Before you begin
Enable APIs
Before you can start using this codelab, enable the following APIs by running:
gcloud services enable \
artifactregistry.googleapis.com \
cloudbuild.googleapis.com \
iap.googleapis.com \
run.googleapis.com \
cloudresourcemanager.googleapis.com
3. Create environment variables
Set environment variables that will be used throughout this codelab
export PROJECT_ID=<YOUR_PROJECT_ID>
export REGION=<YOUR_REGION>
export SERVICE_NAME=iap-example
export SERVICE_ACCOUNT_NAME=iap-example-sa
export PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
4. Deploy a service with IAP enabled
Create the service account (used as the Cloud Run service identity) by running this command:
gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME \
--display-name="IAP codelab CR identity"
Deploy the hello container image with IAP enabled.
gcloud beta run deploy ${SERVICE_NAME} \
--image=us-docker.pkg.dev/cloudrun/container/hello \
--region=${REGION} \
--service-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
--no-allow-unauthenticated \
--iap
Note: if you try to access the application now, you will see the "You don't have access" error page. In the next step, you will grant a user access through IAP.
5. Configure IAP Access Control
Create the IAP service agent.
gcloud beta services identity create --service=iap.googleapis.com --project=${PROJECT_ID}
Assign the Cloud Run Invoker role to the IAP service agent. IAP forwards authenticated requests to the service on the user's behalf, so the service agent must be allowed to invoke it; because the service was deployed with --no-allow-unauthenticated, it becomes the only principal that can. Note that this binding is project-wide: it lets IAP invoke every Cloud Run service in the project, so a service-level IAM binding is the stricter choice if you need it.
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
--member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-iap.iam.gserviceaccount.com" \
--role="roles/run.invoker"
Grant access through IAP to specific users or groups. Only principals holding roles/iap.httpsResourceAccessor on this service pass the IAP check.
EMAIL_ADDRESS=<YOUR_EMAIL>
gcloud beta iap web add-iam-policy-binding \
--resource-type=cloud-run \
--service=${SERVICE_NAME} \
--region=${REGION} \
--member=user:${EMAIL_ADDRESS} \
--role=roles/iap.httpsResourceAccessor \
--condition=None
Note: You can also use group:your-group@example.com in the member parameter if preferred.
6. Test the application
Verify access to the app
Get the URL for the example Cloud Run service.
gcloud run services describe ${SERVICE_NAME} --region ${REGION} --format 'value(status.url)'
Open the URL in your browser. After signing in, you should see "It's Running! Congratulations, you successfully deployed a container image to Cloud Run".
Verify removing access to the app
You can remove your access to the app by running the following command.
gcloud beta iap web remove-iam-policy-binding \
--resource-type=cloud-run \
--service=${SERVICE_NAME} \
--region=${REGION} \
--member=user:${EMAIL_ADDRESS} \
--role=roles/iap.httpsResourceAccessor
Wait a few minutes for the IAM policy to propagate. Now try to open the URL in your browser and you'll see the "You don't have access" error page.
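The checks that Steps 4 to 6 rely on, gathered into one script as an added example (this is not part of the codelab, and the sample policy lines and the verify_iap_lockdown function name are constructed for illustration). It confirms that allUsers does not hold run.invoker on the service, that the IAP service agent does hold it at project level, lists the IAP accessors, and makes one unauthenticated request to the service URL, which must not return 200 if IAP is in front.

```shell
#!/bin/sh
# Added verification helper for the IAP-on-Cloud-Run codelab (not the codelab's own code).
# Pure helpers are exercised against constructed sample data; the gcloud-backed
# check runs only when invoked as:  sh verify.sh verify
# with PROJECT_ID, REGION, SERVICE_NAME and PROJECT_NUMBER exported as in Step 3.

# Member string of the IAP service agent for a given project number.
iap_agent_member() {
  printf 'serviceAccount:service-%s@gcp-sa-iap.iam.gserviceaccount.com' "$1"
}

# $1 = IAM policy flattened to "role,member" lines, as produced by
#   gcloud ... get-iam-policy ... --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# $2 = role, $3 = member. Succeeds only on an exact role/member pair.
policy_has_binding() {
  printf '%s\n' "$1" | grep -qxF "$2,$3"
}

# Constructed sample policy lines (assumption: project number 123456).
SAMPLE_POLICY='roles/run.invoker,serviceAccount:service-123456@gcp-sa-iap.iam.gserviceaccount.com
roles/iap.httpsResourceAccessor,user:alice@example.com'

# Offline self-check of the helpers against the constructed sample.
selfcheck() {
  policy_has_binding "$SAMPLE_POLICY" roles/run.invoker "$(iap_agent_member 123456)" || return 1
  policy_has_binding "$SAMPLE_POLICY" roles/run.invoker allUsers && return 1
  policy_has_binding "$SAMPLE_POLICY" roles/iap.httpsResourceAccessor user:alice@example.com
}

# Live check against a deployed service: $1=project $2=region $3=service $4=project number.
verify_iap_lockdown() {
  project="$1"; region="$2"; service="$3"; number="$4"
  fmt='csv[no-heading](bindings.role,bindings.members)'

  # 1. Nobody may invoke the service anonymously; IAP's service agent must be the gate.
  run_policy=$(gcloud run services get-iam-policy "$service" --region "$region" \
      --project "$project" --flatten="bindings[].members" --format="$fmt")
  if policy_has_binding "$run_policy" roles/run.invoker allUsers; then
    echo "FAIL: allUsers holds roles/run.invoker on $service" >&2; return 1
  fi

  # 2. The IAP service agent holds run.invoker (granted project-wide in Step 5).
  project_policy=$(gcloud projects get-iam-policy "$project" \
      --flatten="bindings[].members" --format="$fmt")
  if ! policy_has_binding "$project_policy" roles/run.invoker "$(iap_agent_member "$number")"; then
    echo "FAIL: IAP service agent lacks roles/run.invoker in $project" >&2; return 1
  fi

  # 3. Show who IAP will let through.
  iap_policy=$(gcloud beta iap web get-iam-policy --resource-type=cloud-run \
      --service="$service" --region="$region" --project="$project" \
      --flatten="bindings[].members" --format="$fmt")
  echo "IAP accessors on $service:"
  printf '%s\n' "$iap_policy" | grep '^roles/iap.httpsResourceAccessor,' || echo "  (none)"

  # 4. An unauthenticated request must not reach the hello container.
  url=$(gcloud run services describe "$service" --region "$region" \
      --project "$project" --format 'value(status.url)')
  code=$(curl -sS -o /dev/null -w '%{http_code}' "$url")
  if [ "$code" = "200" ]; then
    echo "FAIL: unauthenticated request to $url returned 200" >&2; return 1
  fi
  echo "OK: unauthenticated request to $url returned HTTP $code; IAP is in front"
}

if [ "${1:-}" = "verify" ]; then
  verify_iap_lockdown "$PROJECT_ID" "$REGION" "$SERVICE_NAME" "$PROJECT_NUMBER"
fi
```

Run it right after Step 6, and again after the remove-iam-policy-binding command: the accessor list should then be empty, while checks 1, 2 and 4 still pass, which shows that revoking a user changes only the IAP allowlist and not the Cloud Run IAM policy.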
7. Congratulations!
Congratulations for completing the codelab!
We recommend reviewing the Cloud Run IAP documentation.
What we've covered
- How to enable 1-click IAP for Cloud Run
- How to grant a user identity access to a Cloud Run service through IAP
8. Clean up
To avoid inadvertent charges, for example if the Cloud Run service is invoked more times than your monthly Cloud Run invocation allocation in the free tier, you can delete the Cloud Run service iap-example that you created in Step 4.
To delete the Cloud Run service, go to the Cloud Run Cloud Console at https://console.cloud.google.com/run and delete the iap-example service.
To delete the entire project, go to Manage Resources, select your project, and choose Delete. If you delete the project, you'll need to change projects in your Cloud SDK. You can view the list of all available projects by running gcloud projects list.