[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[],[],null,["# Example of using identity groups and third-party identities in ingress and egress rules\n\nThis page shows how to [use identity groups and third-party identities in\ningress and egress rules](/vpc-service-controls/docs/configure-identity-groups).\n\nThis page contains the following example of using identity groups in ingress\nand egress rules:\n\n- Allow Cloud Run access to an identity group's members through the internet and to specific service accounts from an allowlisted IP address range.\n\nAllow Cloud Run access to an identity group's members and to specific service accounts\n--------------------------------------------------------------------------------------\n\nThe following diagram shows a user from a specific identity group and from the\nallowlisted IP address range accesses Cloud Run inside a service\nperimeter:\n**Figure 1.** An example of providing Cloud Run access using an identity group.\n\nConsider that you have defined the following service perimeter: \n\n```\nname: accessPolicies/222/servicePerimeters/Example\nstatus:\n resources:\n - projects/111\n restrictedServices:\n - run.googleapis.com\n - artifactregistry.googleapis.com\n vpcAccessibleServices:\n enableRestriction: true\n allowedServices:\n - RESTRICTED_SERVICES\ntitle: Example\n```\n\nTo find details about an existing service perimeter in your organization,\n[describe the service\nperimeter](/vpc-service-controls/docs/manage-service-perimeters#list-and-describe)\nusing the gcloud CLI command.\n\nIn this example, we also assume that you have defined the following resources:\n\n- An identity group called `allowed-users@example.com` that has users who you want to provide access to Cloud Run inside the perimeter.\n- An access level called `CorpDatacenters` in the same access policy as the service perimeter. `CorpDatacenters` includes an allowlisted IP address range of the corporate data centers where requests from service accounts can originate from.\n\nThe following ingress policy, `ingress.yaml`, allows Cloud Run\naccess to specific human accounts, who are part of the\n`allowed-users@example.com` group, and specific service accounts, that are\nlimited to the allowlisted IP address range: \n\n```\n- ingressFrom:\n identities:\n - serviceAccount:my-sa@my-project.iam.gserviceaccount.com\n sources:\n - accessLevel: accessPolicies/222/accessLevels/CorpDatacenters\n ingressTo:\n operations:\n - serviceName: run.googleapis.com\n methodSelectors:\n - method: \"*\"\n resources:\n - \"*\"\n- ingressFrom:\n identities:\n - group:allowed-users@example.com\n sources:\n - accessLevel: \"*\"\n ingressTo:\n operations:\n - serviceName: run.googleapis.com\n methodSelectors:\n - method: \"*\"\n resources:\n - \"*\"\n```\n\nTo apply the ingress rule, run the following command: \n\n```\ngcloud access-context-manager perimeters update Example --set-ingress-policies=ingress.yaml\n```\n\nWhat's next\n-----------\n\n- [Configure identity groups and third-party identities in ingress and egress rules](/vpc-service-controls/docs/configure-identity-groups)"]]
