Enabling IAP for Cloud Run

This page explains how to secure a Cloud Run service with Identity-Aware Proxy (IAP).

Known limitations

Cloud Run services with HTTP/2 enabled behind a classic Application Load Balancer that are secured with IAP encounter an infinite redirect loop upon request. Google recommends using a global external Application Load Balancer when using an HTTP/2-enabled service secured with IAP. See load balancer modes for more details.
IAP does not secure the domain that Cloud Run provides for a deployed service. To ensure that only IAP has permission to access the service, use IAM authentication on the Cloud Run service. To allow IAP to access the Cloud Run service, grant the IAP service account role service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com with the Cloud Run Invoker role. IAP generates an ID token, and uses the token to authenticate to Cloud Run using the X-Serverless-Authorization header.
IAP authenticates to Cloud Run using the X-Serverless-Authorization header. Cloud Run passes this header to your service after stripping its signature. If your service is designed to forward the request to another Cloud Run service that requires IAM authentication, update your service to remove this header first.
IAP is incompatible with Cloud CDN.

Before you begin

To enable IAP for Cloud Run, you need the following:

A Google Cloud console project with billing enabled.
A group of one or more Cloud Run services, served by a load balancer.
- Learn about Setting up an external HTTPS load balancer.
- Learn about Setting up an internal HTTPS load balancer.
- A domain name registered to the address of your load balancer.
Application code to verify that all requests have an identity.
- Learn about Getting the user's identity.

IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.

Enabling IAP

Console

The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

Setting up IAP access

Go to the Identity-Aware Proxy page.
Select the project you want to secure with IAP.
Under APPLICATIONS, select the checkbox next to the load balancer backend service to which you want to add members.
On the right side panel, click Add member.
In the Add members dialog, enter the accounts of groups or individuals who should have the IAP-secured Web App User role for the project. The following kinds of accounts can be members:
- Google Account: user@gmail.com - This can also be a Google Workspace account, such as user@google.com or some other workspace domain.
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
Click Save.

Turning on IAP

On the IAP page, under APPLICATIONS, find the load balancer backend service to which you want to restrict access. To turn on IAP for a resource, click the IAP toggle. To enable IAP:
- At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
- You need the compute.backendServices.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
Follow the instructions at Access control with IAM to authorize IAP to send traffic to the backend Cloud Run service.
- Principal: service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com
- Role: Cloud Run Invoker

gcloud

If you have not previously done so, create a service account by running the following command. If you previously created a service account, running the command does not create duplicate service accounts.
```
gcloud beta services identity create --service=iap.googleapis.com --project=[PROJECT_ID]
```

Grant the invoker permission to the service account, created in the previous step, by running the following command.

gcloud run services add-iam-policy-binding [SERVICE-NAME] \
--member='serviceAccount:service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com'  \
--role='roles/run.invoker'

Enable IAP by running either the globally or regionally scoped command, depending on whether your load balancer backend service is global or regional. Use the OAuth client ID and secret from the previous step.

Global scope
```
gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
```
Regional scope
```
gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled
```
Replace the following:
- BACKEND_SERVICE_NAME: the name of the backend service.
- REGION_NAME: the region in which you want to enable IAP.

After you enable IAP, you can use the Google Cloud CLI to manipulate an IAP access policy using the Identity and Access Management role roles/iap.httpsResourceAccessor. See Managing roles and permissions for more information.

Configuring Cloud Run to limit access

You can configure your Cloud Run service to only allow access for internal clients and the external load balancer, which blocks all direct requests from the public internet.

Follow the steps in Restricting ingress for Cloud Run to configure the ingress setting of your Cloud Run service to Internal and Cloud Load Balancing.

Troubleshooting errors

 The IAP service account is not provisioned

If you are seeing this error, you are trying to enable IAP on a Cloud Run service through the gcloud CLI. Setting up IAP through the gcloud CLI includes the additional step of provisioning a IAP service account in your project using the following command: gcloud beta services identity create --service=iap.googleapis.com --project=[PROJECT_ID]

 Your client does not have permission to get URL from this server

IAP uses the IAP service account permissions to invoke your Cloud Run service. Be sure that you have granted the Cloud Run Invoker role to the following service account: service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com .
If you have granted the Cloud Run Invoker role to the preceding service account and you are still facing this issue, redeploy your Cloud Run service.

IAP service account doesn't need `run.routes.invoke` permission

During the IAP with Cloud Run Preview, Cloud Run didn't perform the run.routes.invoke permission check for calls from IAP that use the Cloud Run Invoker role. With General Availability (GA), Cloud Run performs this permission check.

To avoid breaking changes, some customer projects that depended on this behavior during Preview were placed into an allowlist so that the permission wasn't checked. Contact Cloud Run support to remove such projects from the Preview-only allowlist.

What's next

To help set up IAP for Cloud Run with Terraform, explore a Terraform code sample.