Using GCP Cloud Run with IAP
When you decide to use Google Cloud Run with Identity-Aware Proxy (IAP), you're essentially allowing your Cloud Run services to be accessed only by authenticated users, enhancing security by controlling who can access your application. Using IAP means you can limit access to your services without writing any authentication code in your applications.
Here's an outline of how we'll accomplish this in Pulumi using TypeScript:
- We'll define a Google Cloud Run service.
- We'll configure an IAP policy to protect that service.
- We'll attach an IAM policy to that service that binds the invoker role to the principals allowed to call it.
In the provided code, you will see resources like `gcp.cloudrun.Service`, `gcp.iap.Client`, `gcp.cloudrun.IamPolicy`, and more. Each resource has specific roles and configurations that will be explained in the code comments.
Below is the program that creates a Cloud Run service and configures IAP to protect that service:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Placeholder: replace with the ID of your own OAuth brand resource before running this program
const BRAND_ID = "YOUR_BRAND_ID";

// Creating a Cloud Run service
// Link to the resource: https://www.pulumi.com/registry/packages/gcp/api-docs/cloudrun/service/
const cloudRunService = new gcp.cloudrun.Service("my-secured-cloudrun-service", {
    location: "us-central1", // specify the location where you want to run your service
    template: {
        spec: {
            containers: [{
                image: "gcr.io/cloudrun/hello", // replace with your image path
            }],
        },
    },
});

// Create an IAP Client id (oauth2 credentials) for the Cloud Run service
// Link to the resource: https://www.pulumi.com/registry/packages/gcp/api-docs/iap/client/
const iapClient = new gcp.iap.Client("my-iap-client", {
    displayName: "My IAP Protected Service",
    // The brand identifies the type of authorization page shown to the user.
    // By setting it to `projects/${gcp.config.project}/brands/${BRAND_ID}`, we can reuse the default brand provided by GCP.
    // Replace `${BRAND_ID}` with the ID of your own brand resource if you have one.
    brand: `projects/${gcp.config.project}/brands/${BRAND_ID}`,
});

// Configure the IAM policy for the Cloud Run service to restrict access to authenticated users.
// IamPolicy is authoritative: it replaces every existing binding on the service,
// so every principal that should be able to invoke the service must be listed here.
// Link to the resource: https://www.pulumi.com/registry/packages/gcp/api-docs/cloudrun/iampolicy/
const cloudRunIapPolicy = new gcp.cloudrun.IamPolicy("my-cloudrun-iap-policy", {
    location: "us-central1", // must be the same as the Cloud Run service location
    service: cloudRunService.name,
    // policyData must be a JSON string (comments are not valid JSON), so build it with JSON.stringify
    policyData: JSON.stringify({
        bindings: [{
            role: "roles/run.invoker",
            members: [
                "user:example-user@gmail.com", // replace with the actual user/email to allow access
            ],
        }],
    }),
});

// Export the service URL (statuses is a list; the first entry carries the URL)
export const url = cloudRunService.statuses.apply(s => s[0].url);
```
In this program:
- We've created a Cloud Run service using the `gcp.cloudrun.Service` component, which details where the service will run and the Docker container image it will use.
- Next, we've added an Identity-Aware Proxy client using `gcp.iap.Client`. This creates the OAuth2 credentials that users will need in order to authenticate.
- Then, we've attached an IAM policy to our Cloud Run service using `gcp.cloudrun.IamPolicy`. This IAM policy specifies who is allowed to invoke the service. Here, we've given the role `roles/run.invoker` to `example-user@gmail.com`, which grants that user the ability to invoke the service.
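The `policyData` string is the part of this setup most worth checking before it is applied, because `gcp.cloudrun.IamPolicy` replaces every binding on the service with exactly what that string contains. The following added example (not code from the original program or from Pulumi) builds and validates that string without any Pulumi dependency, so it runs stand-alone: it accepts the IAM member formats Cloud IAM uses (`user:`, `group:`, `serviceAccount:`, `domain:`), deduplicates them, and refuses the special principals `allUsers` and `allAuthenticatedUsers`, which would make the invoker role public instead of restricted. The sample member list is constructed for the example.

```typescript
// Shape of the JSON that gcp.cloudrun.IamPolicy expects in policyData.
type IamBinding = { role: string; members: string[] };
type IamPolicy = { bindings: IamBinding[] };

// Member formats accepted by Cloud IAM bindings.
const MEMBER_PREFIXES = ["user:", "group:", "serviceAccount:", "domain:"];
// Valid IAM principals too, but granting roles/run.invoker to them opens the
// service to everyone / every Google account, so this builder refuses them.
const PUBLIC_MEMBERS = ["allUsers", "allAuthenticatedUsers"];

function assertAllowedMember(member: string): void {
    if (PUBLIC_MEMBERS.indexOf(member) !== -1) {
        throw new Error(`refusing to grant run.invoker to public principal '${member}'`);
    }
    const wellFormed = MEMBER_PREFIXES.some(
        p => member.indexOf(p) === 0 && member.length > p.length,
    );
    if (!wellFormed) {
        throw new Error(`unsupported IAM member format '${member}'`);
    }
}

// Build the authoritative policyData string. Because IamPolicy replaces every
// binding on the service, the members passed here are the complete invoker list.
function buildInvokerPolicyData(members: string[]): string {
    if (members.length === 0) {
        throw new Error("at least one invoker principal is required");
    }
    const unique = members.filter((m, i) => members.indexOf(m) === i);
    unique.forEach(assertAllowedMember);
    const policy: IamPolicy = {
        bindings: [{ role: "roles/run.invoker", members: unique }],
    };
    return JSON.stringify(policy);
}

// Review-side check for an existing policyData string: does it expose
// roles/run.invoker to a public principal?
function invokerIsPublic(policyData: string): boolean {
    const policy = JSON.parse(policyData) as IamPolicy;
    return policy.bindings.some(
        b => b.role === "roles/run.invoker" &&
             b.members.some(m => PUBLIC_MEMBERS.indexOf(m) !== -1),
    );
}

// Constructed sample input for the example.
const samplePolicyData = buildInvokerPolicyData([
    "user:example-user@gmail.com",
    "group:app-operators@example.com",
]);
console.log(samplePolicyData);
```

In the Pulumi program, the result of `buildInvokerPolicyData(...)` is what you would pass as `policyData` to `gcp.cloudrun.IamPolicy`; `invokerIsPublic` is the check to run over any policy string before it is applied.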
Remember to replace `"gcr.io/cloudrun/hello"` with the path to your own container image and `example-user@gmail.com` with the email addresses of the users who should have access to the service.
To solidify this setup, you need to:
- Ensure that the users or groups you have specified have been authenticated with Google and have the correct permissions.
- Configure your OAuth consent screen in GCP to specify the OAuth scopes and users who have permission to consent.
Lastly, we've exported the URL of the Cloud Run service, which you can use to access it once it's deployed and after you've authenticated through the Identity-Aware Proxy.
Make sure to update placeholders like `BRAND_ID` and the email addresses with actual values before running this code.