# Example of using identity groups and third-party identities in ingress and egress rules

Last updated 2025-08-18 UTC.

This page shows how to [use identity groups and third-party identities in
ingress and egress rules](/vpc-service-controls/docs/configure-identity-groups).

This page contains the following example of using identity groups in ingress
and egress rules:

- Allow Cloud Run access to an identity group's members through the internet and to specific service accounts from an allowlisted IP address range.

Allow Cloud Run access to an identity group's members and to specific service accounts
--------------------------------------------------------------------------------------

The following diagram shows a user from a specific identity group, and a service
account from the allowlisted IP address range, accessing Cloud Run inside a
service perimeter:

**Figure 1.** An example of providing Cloud Run access using an identity group.

Consider that you have defined the following service perimeter:

```yaml
name: accessPolicies/222/servicePerimeters/Example
status:
  resources:
  - projects/111
  restrictedServices:
  - run.googleapis.com
  - artifactregistry.googleapis.com
  vpcAccessibleServices:
    enableRestriction: true
    allowedServices:
    - RESTRICTED_SERVICES
title: Example
```

To find details about an existing service perimeter in your organization,
[describe the service
perimeter](/vpc-service-controls/docs/manage-service-perimeters#list-and-describe)
using the gcloud CLI command.

In this example, we also assume that you have defined the following resources:

- An identity group called `allowed-users@example.com` that contains the users you want to give access to Cloud Run inside the perimeter.
- An access level called `CorpDatacenters` in the same access policy as the service perimeter. `CorpDatacenters` includes the allowlisted IP address range of the corporate data centers from which requests by the service accounts can originate.

The following ingress policy, `ingress.yaml`, allows Cloud Run access to
specific human accounts, which are members of the `allowed-users@example.com`
group, and to specific service accounts, which are limited to the allowlisted IP
address range. Note that the group rule uses `accessLevel: "*"` as its source,
so group members are accepted from any origin (including the internet), whereas
the service account rule only accepts requests that satisfy the
`CorpDatacenters` access level:

```yaml
- ingressFrom:
    identities:
    - serviceAccount:my-sa@my-project.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/222/accessLevels/CorpDatacenters
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
- ingressFrom:
    identities:
    - group:allowed-users@example.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
```

To apply the ingress rule, run the following command:

```
gcloud access-context-manager perimeters update Example --set-ingress-policies=ingress.yaml
```

What's next
-----------

- [Configure identity groups and third-party identities in ingress and egress rules](/vpc-service-controls/docs/configure-identity-groups)
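To make the effect of the two ingress rules concrete, the following added example (not part of the Google Cloud documentation, and not the VPC Service Controls evaluation engine) replays requests against a Python copy of the `ingress.yaml` above. It handles only the fields that policy uses (`identities`, `accessLevel` sources, `serviceName`/`method` operations); the group membership table, the principals `alice`, `bob` and `carol`, and the `Request` type are constructed for the example. An ingress rule only lets a call cross the perimeter boundary; the caller still needs the relevant IAM permission.

```python
"""Illustrative evaluator for the two ingress rules on this page (added example)."""
from dataclasses import dataclass

# Python copy of the page's ingress.yaml (same structure, not a YAML parse).
RUN_ALL_METHODS = {
    "operations": [{"serviceName": "run.googleapis.com",
                    "methodSelectors": [{"method": "*"}]}],
    "resources": ["*"],
}
INGRESS_POLICY = [
    {   # Rule 1: one service account, only from the CorpDatacenters access level
        "ingressFrom": {
            "identities": ["serviceAccount:my-sa@my-project.iam.gserviceaccount.com"],
            "sources": [{"accessLevel": "accessPolicies/222/accessLevels/CorpDatacenters"}],
        },
        "ingressTo": RUN_ALL_METHODS,
    },
    {   # Rule 2: members of the group, from any source ("*")
        "ingressFrom": {
            "identities": ["group:allowed-users@example.com"],
            "sources": [{"accessLevel": "*"}],
        },
        "ingressTo": RUN_ALL_METHODS,
    },
]

# Constructed group membership; Google Cloud resolves this from Cloud Identity.
GROUP_MEMBERS = {
    "group:allowed-users@example.com": {"user:alice@example.com", "user:bob@example.com"},
}


@dataclass(frozen=True)
class Request:
    """A constructed view of an API call arriving at the perimeter."""
    principal: str            # "user:..." or "serviceAccount:..."
    access_levels: frozenset  # access levels the request's origin satisfies
    service: str              # API service being called
    method: str = "*"         # method being called ("*" = any)


def identity_matches(spec: str, principal: str) -> bool:
    """A rule identity matches the caller directly or through group membership."""
    if spec == principal:
        return True
    if spec.startswith("group:"):
        return principal in GROUP_MEMBERS.get(spec, set())
    return False


def source_matches(source: dict, request: Request) -> bool:
    """accessLevel "*" accepts any origin; otherwise the origin must satisfy that level."""
    level = source.get("accessLevel")
    return level == "*" or level in request.access_levels


def operation_matches(op: dict, request: Request) -> bool:
    """The service must match and at least one method selector must cover the call."""
    if op["serviceName"] != request.service:
        return False
    return any(sel.get("method") in ("*", request.method) for sel in op["methodSelectors"])


def rule_allows(rule: dict, request: Request) -> bool:
    """Identity, source and operation must all match for a rule to apply."""
    frm, to = rule["ingressFrom"], rule["ingressTo"]
    return (any(identity_matches(i, request.principal) for i in frm["identities"])
            and any(source_matches(s, request) for s in frm["sources"])
            and any(operation_matches(o, request) for o in to["operations"]))


def matching_rule(policy: list, request: Request):
    """Index of the first rule that admits the request, or None when ingress is denied."""
    for index, rule in enumerate(policy):
        if rule_allows(rule, request):
            return index
    return None


if __name__ == "__main__":
    corp = frozenset({"accessPolicies/222/accessLevels/CorpDatacenters"})
    sa = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
    print("SA from corp DC:  ", matching_rule(INGRESS_POLICY, Request(sa, corp, "run.googleapis.com")))
    print("SA from internet: ", matching_rule(INGRESS_POLICY, Request(sa, frozenset(), "run.googleapis.com")))
    print("group member, any:", matching_rule(INGRESS_POLICY, Request("user:alice@example.com", frozenset(), "run.googleapis.com")))
    print("non-member:       ", matching_rule(INGRESS_POLICY, Request("user:carol@example.com", frozenset(), "run.googleapis.com")))
```

Running the script shows the asymmetry the policy encodes: the service account is admitted only when its request satisfies `CorpDatacenters`, while a group member is admitted from anywhere, and neither rule admits calls to `artifactregistry.googleapis.com`, which is restricted by the perimeter but not listed in any `ingressTo`.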