Starting April 29, 2025, Gemini 1.5 Pro and Gemini 1.5 Flash models are not available in projects that have no prior usage of these models, including new projects. For details, see Model versions and lifecycle.
This tutorial shows you how to deploy a generative AI app
to Cloud Run and secure it with Identity-Aware Proxy (IAP).
IAP provides a central authorization layer for HTTPS applications
deployed to Cloud Run. You can use IAP to adopt application-level or
organization-level access control policies instead of using network-level
firewalls.
Although you can also secure an app deployed to Cloud Run with manual or
third-party authentication, we recommend using IAP for large volumes or
multi-region traffic, to avoid disruptions in app serving.
In this tutorial, you deploy an app that makes calls to the Gemini API.
The app is based on the Streamlit framework.
Prerequisites
This tutorial assumes that you're able to use the following tools and frameworks:
Streamlit: Streamlit is an open source app
framework that lets you create and deploy data applications. It transforms data
scripts into web apps by using Python.
Git: For this tutorial, you use a Git repository to manage the source
code of your app. For more information about using Git, see the
Git documentation.
Google Cloud services
You must have a basic understanding of the following Google Cloud services:
Generative AI on Vertex AI: Provides access to Google's LLMs so you
can test, tune, and deploy them for use in your applications.
Learn more about Generative AI on Vertex AI.
Cloud Run: A managed compute platform that lets you deploy and
run container images. You create a Cloud Run service to deploy
your app. Learn more about Cloud Run.
Cloud Build: Executes your builds on Google Cloud.
For this tutorial, you set up an automatic
Cloud Build trigger to build and deploy your app
to Cloud Run whenever you push your commits to the Git repository.
Learn more about Cloud Build.
Cloud Load Balancing: Helps distribute traffic across multiple
instances of your app to achieve scalability. You create an
Application Load Balancer to distribute the traffic to the app backend instances
hosted on Cloud Run. Cloud Load Balancing is also a prerequisite for
IAP.
Learn more about Cloud Load Balancing.
Identity-Aware Proxy (IAP): You use IAP to create
a central authorization layer to secure the app. IAP makes
authentication and authorization checks that extend to linked Google Cloud
services. IAP also supports and seamlessly integrates with
Cloud Load Balancing, making it the most efficient security management option
for this tutorial.
To learn more about IAP, see Identity-Aware Proxy overview.
To understand how IAP works with Cloud Run, see the
Cloud Run section of How IAP Works.
Valid domain name
Additionally, you must have a valid domain name for provisioning a
certificate, which is required to configure the load balancer.
Tutorial pages
This tutorial has the following pages:
1. Set up your project and source repository.
2. Create a Cloud Run service.
3. Create a load balancer.
4. Configure Identity-Aware Proxy (IAP).
5. Test your IAP-secured app.
6. Clean up your project.
Each page assumes that you've already completed the instructions from the
previous pages of the tutorial.
Last updated 2025-09-04 UTC.