Identity Aware Proxy (IAP) is a facility GCP provides for easily adding authentication to your services.

Using With Cloud Run

Let’s assume you have a service running in Cloud Run. Internally a load balancer is used by Cloud Run to route traffic between different instances of your service.

graph LR;
    A[Client] -->|Request| B[Load Balancer];
    B -->|Routes to| C[Cloud Run Service Instance];

In the settings of your Cloud Run service, you can enable IAP. When you enable this, the load balancer will now authenticate incoming requests before routing them.

graph LR;
    A[Client] -->|Request| B[Load Balancer with IAP];
    B -->|Routes to| C[Cloud Run Service Instance];

If a request is unauthenticated, the load balancer (IAP) will respond with:

  • If the client is a browser: HTTP 302 redirecting the user to a Google sign-in page (which carries query parameters to redirect back to the original URL after sign-in).
  • If the client is not a browser: HTTP 401 Unauthorized.

In the latter case (the client is not a browser), the client is expected to send an Authorization header carrying a valid token.

You can generate a token by using the key associated with a service account that has the IAP-secured Web App User role (or another role with the iap.httpsResourceAccessor permission).
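What "generate a token from the service account key" looks like on the wire, as an added example that is not part of the original note: a self-signed JWT whose target_audience is the IAP OAuth client ID is exchanged at Google's token endpoint for an OIDC ID token, and that ID token is sent as a Bearer token. Everything is standard library except the RSA signature, which uses the cryptography package; the key file path, client ID and service URL are placeholders you must replace.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWT segments: no '=' padding

def build_assertion(sa_email: str, iap_client_id: str, sign, now: int = 0) -> str:
    """Self-signed JWT for the jwt-bearer grant. target_audience must be the IAP OAuth client ID;
    an id_token minted for any other audience is rejected by IAP with 401."""
    now = now or int(time.time())
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": sa_email, "sub": sa_email, "aud": TOKEN_URL,
              "iat": now, "exp": now + 3600, "target_audience": iap_client_id}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def decode_segment(jwt: str, index: int) -> dict:  # header (0) or claims (1), no verification
    seg = jwt.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def load_service_account_key(path: str):
    """Return (client_email, RS256 signer) from a downloaded service-account JSON key.
    Needs the 'cryptography' package; imported lazily so everything else is stdlib-only."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    with open(path) as f:
        key_json = json.load(f)
    key = serialization.load_pem_private_key(key_json["private_key"].encode(), password=None)
    return key_json["client_email"], lambda d: key.sign(d, padding.PKCS1v15(), hashes.SHA256())

def fetch_id_token(assertion: str) -> str:
    """Exchange the assertion at the token endpoint; the JSON response carries an id_token."""
    body = urllib.parse.urlencode({"grant_type": JWT_BEARER, "assertion": assertion}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as resp:
        return json.load(resp)["id_token"]

def call_behind_iap(url: str, id_token: str) -> int:
    """Non-browser clients send the ID token as a Bearer token; without it IAP answers 401."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + id_token})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":  # placeholders: key file path, IAP OAuth client ID, service URL
    email, sign = load_service_account_key("sa-key.json")
    token = fetch_id_token(build_assertion(email, "IAP_OAUTH_CLIENT_ID.apps.googleusercontent.com", sign))
    print(call_behind_iap("https://my-service-xyz.a.run.app/", token))
```

The google-auth library's IDTokenCredentials performs the same exchange for you; this spells it out so the audience requirement and the Bearer header are visible.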

Using With Other Services

If your service is not running in Cloud Run, you can still enable IAP by placing your service behind Google’s load balancer.

For example, if your service is running in a VM, you can enable a load balancer in front of it, and then enable IAP on that load balancer.

  • IAP can be used to enable authentication for your GCP services (like Cloud Run, Compute Engine, etc.) without having to modify your application code.
  • If you are using Cloud Endpoints, enable auth there instead; you can’t use IAP with it (the Cloud Endpoints API gateway has its own auth mechanism).

IAP is a quick and dirty way in GCP to add authentication to your services. For Cloud Run, just enable IAP in the console settings and it’ll be enabled in the load balancer. For other resources, first place them behind a GCP load balancer, and then enable IAP on that load balancer. For anything you want to grant access to, just give its service account the IAP-secured Web App User role.