This page shows how to use identity groups and third-party identities in ingress and egress rules. Using a third-party identity in ingress and egress rules is in Preview.
This page contains the following example of using identity groups in ingress and egress rules:
- Allow Cloud Run access to an identity group's members through the internet and to specific service accounts from an allowlisted IP address range.
Allow Cloud Run access to an identity group's members and to specific service accounts
The following diagram shows a user from a specific identity group and from the allowlisted IP address range accesses Cloud Run inside a service perimeter:
Consider that you have defined the following service perimeter:
name: accessPolicies/222/servicePerimeters/Example status: resources: - projects/111 restrictedServices: - run.googleapis.com - artifactregistry.googleapis.com vpcAccessibleServices: enableRestriction: true allowedServices: - RESTRICTED_SERVICES title: Example
To find details about an existing service perimeter in your organization, describe the service perimeter using the gcloud CLI command.
In this example, we also assume that you have defined the following resources:
- An identity group called
allowed-users@example.com
that has users who you want to provide access to Cloud Run inside the perimeter. - An access level called
CorpDatacenters
in the same access policy as the service perimeter.CorpDatacenters
includes an allowlisted IP address range of the corporate data centers where requests from service accounts can originate from.
The following ingress policy, ingress.yaml
, allows Cloud Run
access to specific human accounts, who are part of the
allowed-users@example.com
group, and specific service accounts, that are
limited to the allowlisted IP address range:
- ingressFrom: identities: - serviceAccount:my-sa@my-project.iam.gserviceaccount.com sources: - accessLevel: accessPolicies/222/accessLevels/CorpDatacenters ingressTo: operations: - serviceName: run.googleapis.com methodSelectors: - method: "*" resources: - "*" - ingressFrom: identities: - group:allowed-users@example.com sources: - accessLevel: "*" ingressTo: operations: - serviceName: run.googleapis.com methodSelectors: - method: "*" resources: - "*"
To apply the ingress rule, run the following command:
gcloud access-context-manager perimeters update Example --set-ingress-policies=ingress.yaml