Configure Identity-Aware Proxy for Cloud Run

This page describes how to enable Identity-Aware Proxy from Cloud Run and secure traffic bound for a Cloud Run service by routing to IAP for authentication. By enabling IAP from Cloud Run, you can route traffic with a single click from all ingress paths, including default run.app URLs and load balancers.

Known limitations

  • The project must be within an organization.
  • Identities must be from within the same organization.
  • You cannot configure IAP on both the load balancer and the Cloud Run service.
  • Some integrations, such as Pub/Sub, might stop working if IAP is enabled.

Before you begin

Enable IAP from Cloud Run

You can enable IAP from Cloud Run.

If you use both IAP and IAM on the same Cloud Run service, note the following conditions:

  • Both the IAP and the IAM checks are performed.

  • The IAP check happens first and accepts or blocks requests based on the IAP configuration.

  • If the request passes the IAP check, IAP uses its own service account to authenticate to Cloud Run's IAM check.

  • Because the IAP check happens first, some callers, such as Pub/Sub, might not authenticate correctly to the service through IAP.

Enable IAP from Cloud Run by using Google Cloud console or Google Cloud CLI.

Console

To enable IAP from Cloud Run:

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. If you are configuring a new service you are deploying to, select Deploy container > Service. If you are configuring and deploying an existing service, click the service, then click Edit and deploy new revision.

  3. If you are configuring a new service, fill out the initial service settings page as needed, then select Advanced authentication with Identity Aware Proxy (IAP).

  4. If you are configuring and deploying an existing service, click the service and then select Advanced authentication with Identity Aware Proxy (IAP).

  5. Click Edit policy to create a context-aware access policy:

    • Add one or more principals and, optionally, the access level that each principal is required to satisfy for application access.

    • Click Save.

  6. Click Save.

gcloud

To enable IAP directly from Cloud Run, add the --iap flag when deploying your app:

  1. Deploy your Cloud Run service using one of the following commands:

    For a new service:

    gcloud beta run deploy SERVICE_NAME \
    --region=REGION \
    --image=IMAGE_URL \
    --no-allow-unauthenticated \
    --iap

    For an existing service:

    gcloud beta run services update SERVICE_NAME \
    --region=REGION \
    --iap

    Replace:

    • SERVICE_NAME with the name of your Cloud Run service.
    • REGION with the name of your Cloud Run region.
    • IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shape LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.

  2. To verify that your service is configured with IAP enabled, run the following command:

    gcloud beta run services describe SERVICE_NAME \
      --region=REGION \
      --format=export

    The output should contain the following string:

    run.googleapis.com/iap-enabled: 'true'
    

All traffic bound for the configured Cloud Run service is now routed to IAP for authentication before it is passed to the container.
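The verification step above, as an added example that is not part of the original page: a POSIX shell script that parses the describe output for the iap-enabled annotation and returns a non-zero exit status when IAP is not enabled, so a deployment pipeline can refuse to proceed. The function names (iap_state, verify_iap) and the abbreviated sample output are assumptions of this example, not the documentation's own.

```shell
#!/bin/sh
# Added example, not from the Cloud Run documentation: parse the output of
#   gcloud beta run services describe SERVICE --region=REGION --format=export
# and report the IAP state, so a pipeline can fail if IAP is not enabled.
# Assumption: the annotation appears exactly as the page shows it, e.g.
#   run.googleapis.com/iap-enabled: 'true'

# iap_state reads export-format YAML on stdin and prints one of:
#   enabled  - annotation present with value true
#   disabled - annotation present with value false
#   unset    - annotation absent (IAP never configured; IAM alone applies)
iap_state() {
  value=$(grep 'run\.googleapis\.com/iap-enabled:' | head -n 1 \
          | sed 's/.*iap-enabled:[[:space:]]*//' | tr -d "'\" \r")
  case "$value" in
    true)  echo enabled ;;
    false) echo disabled ;;
    "")    echo unset ;;
    *)     echo "unexpected iap-enabled value: $value" >&2; return 2 ;;
  esac
}

# verify_iap SERVICE REGION: runs the describe command from the page (needs
# gcloud and an authenticated session) and returns non-zero unless IAP is
# enabled, so it can be used as a gate in CI.
verify_iap() {
  state=$(gcloud beta run services describe "$1" --region="$2" \
            --format=export | iap_state)
  echo "$1 ($2): IAP $state"
  [ "$state" = enabled ]
}

# Constructed, abbreviated samples of export output for offline testing.
SAMPLE_ENABLED="apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  annotations:
    run.googleapis.com/iap-enabled: 'true'
  name: my-service"
SAMPLE_DISABLED="metadata:
  annotations:
    run.googleapis.com/iap-enabled: 'false'"
SAMPLE_UNSET="metadata:
  name: my-service"

# Usage: sh iap_check.sh SERVICE REGION
if [ $# -eq 2 ]; then verify_iap "$1" "$2"; fi
```

Without arguments the script only defines the functions and samples; pipe any of the samples into iap_state for a dry run without gcloud.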

Disable IAP from Cloud Run

You can disable IAP by using the Google Cloud console or Google Cloud CLI.

Console

To disable IAP from Cloud Run:

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Click the existing service you want to modify.

  3. Click Security and then clear Advanced authentication with Identity Aware Proxy (IAP).

  4. Click Save.

gcloud

To disable IAP directly from Cloud Run, add the --no-iap flag when deploying your app:

  1. Deploy your Cloud Run service using either of the following commands:

    For a new service:

    gcloud beta run deploy SERVICE_NAME \
    --region=REGION \
    --image=IMAGE_URL \
    --no-iap

    For an existing service:

    gcloud beta run services update SERVICE_NAME \
    --region=REGION \
    --no-iap

    Replace:

    • SERVICE_NAME with the name of your Cloud Run service.
    • REGION with the name of your Cloud Run region.
    • IMAGE_URL with a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL has the shape LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.

  2. To verify that your service is no longer configured with IAP enabled, run the following command:

    gcloud beta run services describe SERVICE_NAME \
      --region=REGION \
      --format=export

    The output should contain the following string:

    run.googleapis.com/iap-enabled: 'false'
    

Traffic bound for the configured Cloud Run service is no longer routed to IAP for authentication before it is passed to the container.

Manage user or group access

By default, IAP for Cloud Run uses in-organization identities with Google Accounts. You can add or remove access to a Cloud Run service by using the Google Cloud console or Google Cloud CLI.

Console

To add or remove access:

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Click the existing service you want to modify, and then click Security.

  3. Under IAP, click Edit policy.

  4. To add access, enter the principal and, optionally, the access level or levels that you want to add.

  5. To remove access from an existing principal, click the Delete policy icon next to Access levels.

  6. Click Save.

gcloud

To add or remove access to a Cloud Run service for individual users or groups within your organization, run one of the following commands:

  • To add access:

    gcloud beta iap web add-iam-policy-binding \
    --member=user:USER_EMAIL \
    --role=roles/iap.httpsResourceAccessor \
    --region=REGION \
    --resource-type=cloud-run \
    --service=SERVICE_NAME
  • To remove access:

    gcloud beta iap web remove-iam-policy-binding \
    --member=user:USER_EMAIL \
    --role=roles/iap.httpsResourceAccessor \
    --region=REGION \
    --resource-type=cloud-run \
    --service=SERVICE_NAME

    Replace:

    • USER_EMAIL with the user's email address.
    • REGION with the name of your Cloud Run region.
    • SERVICE_NAME with the name of your Cloud Run service.

Troubleshooting

Service Agent failure causes an IAM permissions error

Enabling IAP on a new project for the first time can cause the following error:

Setting IAM permissions failed

This is because the Cloud Run Service Agent failed. To resolve the issue, either enable IAP again or set the IAM policy manually.

What's next