This page describes how to enable Identity-Aware Proxy from Cloud Run and secure traffic bound for a Cloud Run service by routing it to IAP for authentication. By enabling IAP from Cloud Run, you can route traffic with a single click from all ingress paths, including default run.app URLs and load balancers.
Known limitations
- The project must be within an organization.
- Identities must be from within the same organization.
- You cannot configure IAP on both the load balancer and the Cloud Run service.
- Some integrations, such as Pub/Sub, might stop working if IAP is enabled.
Before you begin
Enable IAP from Cloud Run
You can enable IAP from Cloud Run.
If you use both IAP and IAM on the same Cloud Run service, note the following conditions:
- Both the IAP and the IAM checks are performed.
- The IAP check happens first and accepts or blocks requests based on the IAP configuration.
- If the request passes the IAP check, IAP uses its own service account to authenticate to Cloud Run's IAM check.
- Because the IAP check happens first, some services, such as Pub/Sub, might not authenticate correctly to it.
Enable IAP from Cloud Run by using Google Cloud console or Google Cloud CLI.
Console
To enable IAP from Cloud Run:
In the Google Cloud console, go to the Cloud Run page.
If you are configuring a new service you are deploying to, select Deploy container > Service. If you are configuring and deploying an existing service, click the service, then click Edit and deploy new revision.
If you are configuring a new service, fill out the initial service settings page as needed, then select Advanced authentication with Identity Aware Proxy (IAP).
If you are configuring and deploying an existing service, click the service and then select Advanced authentication with Identity Aware Proxy (IAP).
Click Edit policy to create a context-aware access policy:
Add one or more principals and, optionally, the access level that each principal is required to satisfy for application access.
Click Save.
Click Save.
gcloud
To enable IAP directly from Cloud Run, add the --iap flag when deploying your app:
Deploy your Cloud Run service using one of the following commands:
For a new service:
gcloud beta run deploy SERVICE_NAME \
  --region=REGION \
  --image=IMAGE_URL \
  --no-allow-unauthenticated \
  --iap
For an existing service:
gcloud beta run services update SERVICE_NAME \
  --region=REGION \
  --iap
Replace:
- SERVICE_NAME with the name of your Cloud Run service.
- REGION with the name of your Cloud Run region.
- IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shape LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
To verify that your service is configured with IAP enabled, run the following command:
gcloud beta run services describe SERVICE_NAME \
  --region=REGION \
  --format=export
The output should contain the following string:
run.googleapis.com/iap-enabled: 'true'
You are now routing all traffic bound for the configured Cloud Run service to IAP for authentication before passing to the container.
Disable IAP from Cloud Run
You can disable IAP by using the Google Cloud console or Google Cloud CLI.
Console
To disable IAP from Cloud Run:
In the Google Cloud console, go to the Cloud Run page.
Click the existing service you want to modify.
Click Security and then clear Advanced authentication with Identity Aware Proxy (IAP).
Click Save.
gcloud
To disable IAP directly from Cloud Run, add the --no-iap flag when deploying your app:
Deploy your Cloud Run service using either of the following commands:
For a new service:
gcloud beta run deploy SERVICE_NAME \
  --region=REGION \
  --image=IMAGE_URL \
  --no-iap
For an existing service:
gcloud beta run services update SERVICE_NAME \
  --region=REGION \
  --no-iap
Replace:
- SERVICE_NAME with the name of your Cloud Run service.
- REGION with the name of your Cloud Run region.
- IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shape LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
To verify that your service is no longer configured with IAP enabled, run the following command:
gcloud beta run services describe SERVICE_NAME \
  --region=REGION \
  --format=export
The output should contain the following string:
run.googleapis.com/iap-enabled: 'false'
You are no longer routing all traffic bound for the configured Cloud Run service to IAP for authentication before passing to the container.
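The verification steps above (for both enabling and disabling IAP) rely on reading the run.googleapis.com/iap-enabled annotation out of the exported service definition. The following script is an added example, not part of the Cloud Run documentation: it parses that export and reports the IAP state, so a deployment pipeline can fail if a service that should sit behind IAP does not. The service name, region and the sample export fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse the output of
#   gcloud beta run services describe SERVICE --region=REGION --format=export
# and report whether the run.googleapis.com/iap-enabled annotation is true.

# iap_state_from_export: read the exported service YAML on stdin and print
# "enabled", "disabled" or "unset" depending on the annotation's value.
iap_state_from_export() {
  value=$(sed -n "s|^[[:space:]]*run\.googleapis\.com/iap-enabled:[[:space:]]*'\{0,1\}\([a-z]*\)'\{0,1\}.*$|\1|p" | head -n 1)
  case "$value" in
    true)  echo enabled ;;
    false) echo disabled ;;
    *)     echo unset ;;
  esac
}

# require_iap_enabled: query a real service (needs gcloud and credentials)
# and return non-zero unless IAP is enabled. Use it as a post-deploy gate.
require_iap_enabled() {
  service=$1
  region=$2
  state=$(gcloud beta run services describe "$service" --region="$region" \
            --format=export | iap_state_from_export)
  [ "$state" = enabled ]
}

# Constructed sample fragments of the export output (not real services).
SAMPLE_ENABLED="apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/iap-enabled: 'true'
    run.googleapis.com/ingress: all
  name: example-service"

SAMPLE_DISABLED="apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/iap-enabled: 'false'
  name: example-service"

# Stand-alone run: show the state parsed from each constructed sample.
printf '%s\n' "$SAMPLE_ENABLED"  | iap_state_from_export
printf '%s\n' "$SAMPLE_DISABLED" | iap_state_from_export
```

Running require_iap_enabled example-service REGION against a live project exits non-zero when the annotation is missing or 'false', which is the condition to block on after a deploy.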
Manage user or group access
By default, IAP for Cloud Run uses in-organization identities with Google Accounts. You can add or remove access to a Cloud Run service by using the Google Cloud console or Google Cloud CLI.
Console
To add or remove access:
In the Google Cloud console, go to the Cloud Run page.
Click the existing service you want to modify, and then click Security.
Under IAP, click Edit policy.
To add access, enter the principal and, optionally, the access level or levels that you want to add.
To remove access from an existing principal, click the Delete policy icon next to Access levels.
Click Save.
gcloud
To add or remove access to a Cloud Run service for individual users or groups within your organization, run one of the following commands:
To add access:
gcloud beta iap web add-iam-policy-binding \
  --member=user:USER_EMAIL \
  --role=roles/iap.httpsResourceAccessor \
  --region=REGION \
  --resource-type=cloud-run \
  --service=SERVICE_NAME
To remove access:
gcloud beta iap web remove-iam-policy-binding \
  --member=user:USER_EMAIL \
  --role=roles/iap.httpsResourceAccessor \
  --region=REGION \
  --resource-type=cloud-run \
  --service=SERVICE_NAME
Replace:
- USER_EMAIL with the user's email address.
- REGION with the name of your Cloud Run region.
- SERVICE_NAME with the name of your Cloud Run service.
Troubleshooting
Service Agent failure causes set IAM error
Enabling IAP on a new project for the first time can cause the following error:
Setting IAM permissions failed
This is because the Cloud Run Service Agent failed. To resolve the issue, either enable IAP again or set the IAM policy manually.
What's next
- For instructions on how to enable IAP from a backend service or load balancer, see Enabling IAP for Cloud Run.
- For issues with enabling IAP for Cloud Run, see Troubleshooting errors.
- Enabling external identities.
- Enabling OAuth configuration.
- Managing access to IAP-secured resources.
- Using organization policies to control IAP enablement.