Example of using identity groups and third-party identities in ingress and egress rules

This page shows how to use identity groups and third-party identities in ingress and egress rules.

This page contains the following example of using identity groups in ingress and egress rules:

  • Allow Cloud Run access to an identity group's members through the internet and to specific service accounts from an allowlisted IP address range.

Allow Cloud Run access to an identity group's members and to specific service accounts

The following diagram shows a user who is a member of a specific identity group (connecting over the internet) and a service account calling from the allowlisted IP address range, both accessing Cloud Run inside a service perimeter:

Consider that you have defined the following service perimeter:

name: accessPolicies/222/servicePerimeters/Example
status:
  resources:
  - projects/111
  restrictedServices:
  - run.googleapis.com
  - artifactregistry.googleapis.com
  vpcAccessibleServices:
    enableRestriction: true
    allowedServices:
    - RESTRICTED_SERVICES
title: Example

To find the details of an existing service perimeter in your organization, describe it with the gcloud access-context-manager perimeters describe command; the output has the same shape as the definition above.

In this example, we also assume that you have defined the following resources:

  • An identity group called allowed-users@example.com that has users who you want to provide access to Cloud Run inside the perimeter.
  • An access level called CorpDatacenters in the same access policy as the service perimeter. CorpDatacenters contains the allowlisted IP address range of the corporate data centers from which requests by the service accounts are expected to originate.

The following ingress policy, ingress.yaml, allows Cloud Run access for human accounts that are members of the allowed-users@example.com group and for specific service accounts that are limited to the allowlisted IP address range. Within a single rule, the identity and the source must both match; across rules, a request is allowed if any rule matches. Note that the group rule uses accessLevel: "*" as its source, so group members may call from anywhere on the internet, while the service account rule only accepts calls that satisfy the CorpDatacenters access level:

- ingressFrom:
    identities:
    - serviceAccount:my-sa@my-project.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/222/accessLevels/CorpDatacenters
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
- ingressFrom:
    identities:
    - group:allowed-users@example.com
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: run.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"

To apply the ingress rules, run the following command:

gcloud access-context-manager perimeters update Example --set-ingress-policies=ingress.yaml

Ingress rules relax the perimeter boundary only; they do not grant permissions. A caller that matches a rule still needs the appropriate IAM role on the Cloud Run resource. Before enforcing a rule change on a production perimeter, consider applying it in the perimeter's dry-run configuration first (the gcloud access-context-manager perimeters dry-run command group) and reviewing the VPC Service Controls audit logs for requests that would be denied.
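The following script is an added example, not part of this page or of the VPC Service Controls product. It transcribes ingress.yaml into Python structures and evaluates sample requests against the two rules using the matching semantics described above (identity AND source within a rule, OR across rules, accessLevel "*" matching any source, method "*" matching any method). The group membership table, the principals alice@example.com, bob@example.com and mallory@example.com, and the Cloud Run method name are constructed for the example; real evaluation happens inside Access Context Manager, which resolves group membership itself. The script deliberately supports only the fields used in ingress.yaml (accessLevel sources and method selectors), not every field the ingress rule schema allows.

```python
"""Offline evaluator for the ingress rules in ingress.yaml (added example)."""
from dataclasses import dataclass, field

# Transcription of ingress.yaml. A dict literal is used instead of parsing the
# YAML file so the example runs without PyYAML.
CLOUD_RUN_TARGET = {
    "operations": [
        {"serviceName": "run.googleapis.com", "methodSelectors": [{"method": "*"}]}
    ],
    "resources": ["*"],
}

INGRESS_POLICIES = [
    {   # rule 1: one service account, only from the corporate data centers
        "ingressFrom": {
            "identities": ["serviceAccount:my-sa@my-project.iam.gserviceaccount.com"],
            "sources": [{"accessLevel": "accessPolicies/222/accessLevels/CorpDatacenters"}],
        },
        "ingressTo": CLOUD_RUN_TARGET,
    },
    {   # rule 2: group members, from any source (accessLevel "*")
        "ingressFrom": {
            "identities": ["group:allowed-users@example.com"],
            "sources": [{"accessLevel": "*"}],
        },
        "ingressTo": CLOUD_RUN_TARGET,
    },
]

# Constructed membership table (hypothetical users); Access Context Manager
# resolves group membership from Google Groups in the real product.
GROUP_MEMBERS = {
    "group:allowed-users@example.com": {"user:alice@example.com", "user:bob@example.com"},
}

CORP = "accessPolicies/222/accessLevels/CorpDatacenters"


@dataclass
class Request:
    principal: str                       # "user:..." or "serviceAccount:..."
    access_levels: set = field(default_factory=set)  # levels the origin satisfies
    service: str = "run.googleapis.com"
    method: str = "google.cloud.run.v2.Services.GetService"  # hypothetical method name
    project: str = "projects/111"


def identity_matches(identities, principal):
    """Exact principal match, or membership in a listed group:... identity."""
    for ident in identities:
        if ident == principal:
            return True
        if ident.startswith("group:") and principal in GROUP_MEMBERS.get(ident, set()):
            return True
    return False


def source_matches(sources, access_levels):
    """accessLevel "*" matches any origin; otherwise the origin must satisfy the level."""
    return any(s.get("accessLevel") in ("*",) or s.get("accessLevel") in access_levels
               for s in sources)


def target_matches(ingress_to, req):
    """Service/method must be listed in operations and the project in resources."""
    op_ok = any(
        op["serviceName"] == req.service
        and any(m.get("method") in ("*", req.method) for m in op["methodSelectors"])
        for op in ingress_to["operations"]
    )
    res_ok = any(r in ("*", req.project) for r in ingress_to["resources"])
    return op_ok and res_ok


def ingress_allowed(req, policies=INGRESS_POLICIES):
    """A request crosses the perimeter if any rule matches on identity, source and target."""
    return any(
        identity_matches(p["ingressFrom"]["identities"], req.principal)
        and source_matches(p["ingressFrom"]["sources"], req.access_levels)
        and target_matches(p["ingressTo"], req)
        for p in policies
    )


if __name__ == "__main__":
    sa = "serviceAccount:my-sa@my-project.iam.gserviceaccount.com"
    for label, req in [
        ("SA from corp DC", Request(sa, {CORP})),
        ("SA from internet", Request(sa)),
        ("group member from internet", Request("user:alice@example.com")),
        ("non-member from corp DC", Request("user:mallory@example.com", {CORP})),
        ("member to Artifact Registry", Request("user:alice@example.com",
                                               service="artifactregistry.googleapis.com")),
    ]:
        print(f"{label}: {'allowed' if ingress_allowed(req) else 'denied'}")
```

The last case is the one worth noticing: the perimeter restricts artifactregistry.googleapis.com as well, but neither ingress rule lists it, so a group member reaching Artifact Registry from outside the perimeter is still blocked. Whether the allowed requests then succeed is a separate IAM decision.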
