Secure Cloud Run services
Create two Cloud Run services: a public front end and a secure backend. IAM policies configure access to each.
Code sample
### Terraform

To learn how to apply or remove a Terraform configuration, see
[Basic Terraform commands](/docs/terraform/basic-commands).

For more information, see the
[Terraform provider reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs).

```hcl
resource "google_cloud_run_v2_service" "renderer" {
  name     = "renderer"
  location = "us-central1"

  deletion_protection = false # set to "true" in production

  template {
    containers {
      # Replace with the URL of your Secure Services > Renderer image.
      # gcr.io/<PROJECT_ID>/renderer
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
    service_account = google_service_account.renderer.email
  }
}

resource "google_cloud_run_v2_service" "editor" {
  name     = "editor"
  location = "us-central1"

  deletion_protection = false # set to "true" in production

  template {
    containers {
      # Replace with the URL of your Secure Services > Editor image.
      # gcr.io/<PROJECT_ID>/editor
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      env {
        name  = "EDITOR_UPSTREAM_RENDER_URL"
        value = google_cloud_run_v2_service.renderer.uri
      }
    }
    service_account = google_service_account.editor.email

  }
}

resource "google_service_account" "renderer" {
  account_id   = "renderer-identity"
  display_name = "Service identity of the Renderer (Backend) service."
}

resource "google_service_account" "editor" {
  account_id   = "editor-identity"
  display_name = "Service identity of the Editor (Frontend) service."
}

resource "google_cloud_run_service_iam_member" "editor_invokes_renderer" {
  location = google_cloud_run_v2_service.renderer.location
  service  = google_cloud_run_v2_service.renderer.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.editor.email}"
}

data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}

resource "google_cloud_run_service_iam_policy" "noauth" {
  location = google_cloud_run_v2_service.editor.location
  project  = google_cloud_run_v2_service.editor.project
  service  = google_cloud_run_v2_service.editor.name

  policy_data = data.google_iam_policy.noauth.policy_data
}

output "backend_url" {
  value = google_cloud_run_v2_service.renderer.uri
}

output "frontend_url" {
  value = google_cloud_run_v2_service.editor.uri
}
```

What's next
-----------

To search and filter code samples for other Google Cloud products, see the
[Google Cloud sample browser](/docs/samples?product=cloudrun).

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
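To confirm that the deployed policies match the Terraform configuration on this page (the renderer invocable only by the editor identity, the editor public), the following added example, which is not part of the original sample, audits the JSON printed by `gcloud run services get-iam-policy SERVICE --region us-central1 --format=json`. The project ID `example-project`, the helper names and the sample policies are constructed for illustration.

```python
import json

INVOKER = "roles/run.invoker"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}  # principals open to anyone
# Constructed sample data: "example-project" is a placeholder project ID.
EDITOR_SA = "serviceAccount:editor-identity@example-project.iam.gserviceaccount.com"

def invokers(policy_json):
    """Return every member bound to roles/run.invoker in a service IAM policy."""
    members = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") == INVOKER:
            members.update(binding.get("members", []))
    return members

def audit(service, policy_json, expected, public_ok=False):
    """Compare actual invokers with the expected set; return a list of findings."""
    found = invokers(policy_json)
    findings = []
    if not public_ok:
        findings += [f"{service}: public invoker {m}" for m in sorted(found & PUBLIC)]
    findings += [f"{service}: unexpected invoker {m}"
                 for m in sorted(found - PUBLIC - expected)]
    findings += [f"{service}: missing invoker {m}" for m in sorted(expected - found)]
    return findings

def policy(*members):
    """Build a constructed policy document in the shape gcloud prints."""
    return json.dumps({"bindings": [{"role": INVOKER, "members": list(members)}]})

if __name__ == "__main__":
    samples = [
        ("renderer", policy(EDITOR_SA), {EDITOR_SA}, False),
        ("renderer", policy(EDITOR_SA, "allUsers"), {EDITOR_SA}, False),
        ("editor", policy("allUsers"), {"allUsers"}, True),
    ]
    for name, doc, expected, public_ok in samples:
        print(name, audit(name, doc, expected, public_ok) or "OK")
```

The service-level policy does not list grants inherited from the project, folder or organization, so a clean result here covers only bindings set on the service itself.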