
How Do I Set Up Domain-Restricted Sharing for Cloud Run Services?

Introduction

This guide provides step-by-step instructions on how to set up domain-restricted sharing for a Google Cloud Run service using Pulumi. The goal is to create a Cloud Run service and configure Identity and Access Management (IAM) policies so that only users from a specified domain can access the service. This approach ensures your service is securely accessible only to authorized users within your organization or a trusted domain.

Step-by-Step Process

  1. Create a Cloud Run Service:
    • Use Pulumi to define and deploy a Cloud Run service. This involves specifying the service location and the container image that the service will run.
  2. Set Up IAM Policy:
    • Configure an IAM policy to restrict access to the Cloud Run service. The policy grants roles/run.invoker, the role that allows a principal to invoke the service, only to members of a particular domain (e.g., example.com). A domain:example.com member covers every identity in that Google Workspace or Cloud Identity domain, so the policy should list no public members such as allUsers or allAuthenticatedUsers.
  3. Deploy with Pulumi:
    • Use Pulumi to manage and deploy the infrastructure, ensuring that the IAM policy is applied to the service and that the service is not exposed more widely than intended.

Code

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Define the Cloud Run service (Cloud Run v1 API resource)
const cloudRunService = new gcp.cloudrun.Service("my-service", {
    location: "us-central1",
    template: {
        spec: {
            containers: [{
                image: "gcr.io/cloudrun/hello",
            }],
        },
    },
});

// Define the IAM policy to restrict access to a specific domain.
// gcp.cloudrun.IamPolicy is authoritative: it replaces any existing IAM policy on
// the service, so every binding the service needs must be listed here.
// "domain:example.com" grants roles/run.invoker to all identities in that
// Google Workspace / Cloud Identity domain and to nobody else (no allUsers or
// allAuthenticatedUsers members, which would make the service public).
const domainRestrictedIamPolicy = new gcp.cloudrun.IamPolicy("domain-restricted-policy", {
    location: cloudRunService.location,
    service: cloudRunService.name,
    policyData: JSON.stringify({
        bindings: [
            {
                role: "roles/run.invoker",
                members: [
                    "domain:example.com",
                ],
            },
        ],
    }),
});

// The service URL is only reachable by invokers that pass the IAM check above
export const serviceUrl = cloudRunService.statuses.apply(statuses => statuses[0].url);
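The policy above is hand-written JSON, which is easy to get subtly wrong (a typo in the domain, or a stray allUsers member that silently makes the service public). The following is an added example, not code from the original page or from Pulumi: two plain TypeScript helpers with no Pulumi dependency that build the invoker-only policy document from a list of approved domains and audit an arbitrary policy document for members that would bypass the domain restriction. The function names, the domain syntax check and the "approved domains" list are assumptions for illustration; the string returned by buildInvokerPolicy is intended to be passed as the policyData value of gcp.cloudrun.IamPolicy.

```typescript
// Added example: build and audit the IAM policy JSON that gcp.cloudrun.IamPolicy
// takes in its policyData field. No Pulumi import, so it runs in a unit test.

// Members that grant the role to the whole internet / every Google account.
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);

// Conservative DNS-name check for the domain part of a "domain:" member
// (assumed sufficient for this example; not Google's own validation).
const DOMAIN_RE = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

interface IamBinding { role: string; members: string[] }
interface IamPolicy { bindings: IamBinding[] }

// Build an invoker-only policy whose members are the given Workspace / Cloud
// Identity domains. Domains are normalised and de-duplicated; anything that is
// not a plausible domain name is rejected rather than deployed.
function buildInvokerPolicy(domains: string[]): string {
    if (domains.length === 0) {
        throw new Error("at least one domain is required");
    }
    const normalised = [...new Set(domains.map(d => d.trim().toLowerCase()))];
    const members = normalised.map(d => {
        if (!DOMAIN_RE.test(d)) {
            throw new Error(`invalid domain: ${d}`);
        }
        return `domain:${d}`;
    });
    const policy: IamPolicy = {
        bindings: [{ role: "roles/run.invoker", members }],
    };
    return JSON.stringify(policy);
}

// Audit a policy document before it is applied. Returns a list of problems;
// an empty list means every roles/run.invoker member is an approved domain.
function auditInvokerPolicy(policyJson: string, allowedDomains: string[]): string[] {
    let policy: IamPolicy | undefined;
    try {
        policy = JSON.parse(policyJson) as IamPolicy;
    } catch {
        policy = undefined;
    }
    if (!policy || !Array.isArray(policy.bindings)) {
        return ["policyData is not a JSON object with a bindings array"];
    }
    const allowed = new Set(allowedDomains.map(d => `domain:${d.trim().toLowerCase()}`));
    const problems: string[] = [];
    for (const binding of policy.bindings) {
        if (binding.role !== "roles/run.invoker") {
            continue; // only the invoker role controls who can call the service
        }
        for (const member of binding.members ?? []) {
            if (PUBLIC_MEMBERS.has(member)) {
                problems.push(`${member} makes the service publicly invocable`);
            } else if (!member.startsWith("domain:")) {
                problems.push(`non-domain member ${member} bypasses the domain restriction`);
            } else if (!allowed.has(member.toLowerCase())) {
                problems.push(`${member} is not an approved domain`);
            }
        }
    }
    return problems;
}
```

In a Pulumi program the audit can run as a plain assertion before the gcp.cloudrun.IamPolicy resource is declared, so a policy that would expose the service fails at preview time rather than after deployment; the same audit function can also be run against the output of gcloud run services get-iam-policy to check a service that is already deployed.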

Summary

In this guide, we set up a Google Cloud Run service with domain-restricted access using Pulumi. By attaching an IAM policy whose only roles/run.invoker member is the specified domain, we ensured that only users from that domain can invoke the service, giving you control over who can access your Cloud Run applications. This setup is crucial for maintaining the privacy and integrity of your cloud-based services.
