Cloud Run User Auth for Internal Apps
Cloud Run is a managed compute platform that runs stateless containers invoked over HTTP. You supply a container image, and Cloud Run provisions and scales the underlying infrastructure for you.
One important aspect of building internal applications on Cloud Run is user authentication. It’s crucial to ensure that only authorized users can access your application and its resources. In this article, we’ll explore how to implement user authentication for internal apps on Cloud Run.
Using Identity-Aware Proxy (IAP)
Google Cloud's Identity-Aware Proxy (IAP) is the least-effort way to put user authentication in front of a Cloud Run service. IAP signs users in with their Google identity and authorizes them through IAM: a user or group must hold the IAP-secured Web App User role (roles/iap.httpsResourceAccessor) on the resource to get through, so access control is a matter of granting that role to the right people or groups.
In the setup described here, IAP fronts the service through an external HTTPS load balancer with a serverless NEG backend (the fixed monthly load balancer cost that several comments below mention comes from this). You enable IAP on that backend service in the Google Cloud Console, configure the OAuth consent screen, and grant the role to your users; from then on IAP handles sign-in and the access check. Two things remain your responsibility. First, make sure the service cannot be reached around IAP: set the Cloud Run ingress to internal and Cloud Load Balancing traffic (--ingress=internal-and-cloud-load-balancing) so the default run.app URL no longer serves the public. Second, do not take the user's identity from the unsigned X-Goog-Authenticated-User-Email header alone; verify the signed JWT that IAP places in X-Goog-IAP-JWT-Assertion (issuer https://cloud.google.com/iap, audience /projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID, ES256, keys published at https://www.gstatic.com/iap/verify/public_key-jwk) and read the email and subject from its claims.
Using Firebase Authentication
If you are building a web or mobile client, Firebase Authentication is another option. The Firebase SDKs sign the user in with email/password, phone number, Google or other social providers, and hand the client a short-lived ID token that identifies the user.
The division of responsibilities differs from IAP: nothing in front of Cloud Run checks a Firebase token, so the client sends it on every request as Authorization: Bearer <ID token> and your service verifies it, for example with the Admin SDK's verify_id_token (issuer https://securetoken.google.com/PROJECT_ID, audience PROJECT_ID). Because Firebase users are not IAM principals, the service has to allow unauthenticated invocations at the IAM layer, which makes the in-app check the only gate. Verification also proves only identity; authorization (an allowed domain, custom claims, an allow-list of accounts) is still yours to enforce.
Custom Authentication Logic
If you have more complex requirements, implement the authentication in the application itself. In practice that means acting as an OpenID Connect relying party against your organization's identity provider (OAuth 2.0 and OIDC are the protocols; the provider is whichever IdP you already run), or accepting Google-signed ID tokens in the Authorization header. For the latter, Cloud Run's own IAM check can do the work: deploy without --allow-unauthenticated and grant callers roles/run.invoker, and Cloud Run rejects requests that do not carry a valid Google-signed token. That built-in check accepts only Google-signed tokens; a bearer token issued by any other IdP must be verified by your code.
Custom logic gives you full control and lets you integrate with existing identity management, but it also means the token verification, session handling and authorization checks that IAP would otherwise do are yours to get right: pin the expected issuer and audience, reject unexpected signing algorithms, check expiry, and validate the signature against the provider's published keys.
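Whichever route you take, the request that reaches your container carries a signed token, and the service has to verify it rather than trust a header. The following Python is an added example written for this article, not code from the page, Google or Firebase. It is one verifier that serves the IAP section (the X-Goog-IAP-JWT-Assertion check), the Firebase section (the bearer ID token) and the custom section (a Google-signed OIDC bearer token). The header names, issuers, audience formats and JWKS URLs are assumptions taken from the providers' documentation and should be confirmed against it; PROJECT_NUMBER, BACKEND_SERVICE_ID, PROJECT_ID, internal-app.example.com and every function and class name are placeholders invented here. Signature verification is injected as a callable so the claim checks can be exercised offline; unsigned_demo_token builds a constructed token with a placeholder signature for that purpose only.

```python
"""Server-side verification of the identity a request carries (added example, not the
page's or Google's code). Header names, issuers, audience formats and JWKS URLs are
assumptions taken from the providers' documentation; PROJECT_NUMBER, BACKEND_SERVICE_ID,
PROJECT_ID and internal-app.example.com are placeholders to fill in."""
import base64, json, time
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class TokenProfile:
    header: str                          # HTTP header that carries the token
    issuer: str                          # exact value the iss claim must have
    audience: str                        # what the token must have been minted for
    algorithms: tuple                    # algorithms this issuer actually uses
    jwks_url: str                        # where the issuer publishes its public keys
    hosted_domain: Optional[str] = None  # if set, require hd=<Workspace domain>


# IAP: assertion in a dedicated header, ES256, aud names the load-balancer backend.
IAP = TokenProfile("x-goog-iap-jwt-assertion", "https://cloud.google.com/iap",
                   "/projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID",
                   ("ES256",), "https://www.gstatic.com/iap/verify/public_key-jwk")
# Firebase: client sends the ID token as a bearer token, aud is the project ID.
FIREBASE = TokenProfile("authorization", "https://securetoken.google.com/PROJECT_ID",
                        "PROJECT_ID", ("RS256",), "https://www.googleapis.com/"
                        "service_accounts/v1/jwk/securetoken@system.gserviceaccount.com")
# Google-signed OIDC ID token, e.g. gcloud auth print-identity-token --audiences=...
GOOGLE_OIDC = TokenProfile("authorization", "https://accounts.google.com",
                           "https://internal-app.example.com", ("RS256",),
                           "https://www.googleapis.com/oauth2/v3/certs")


class AuthError(Exception):
    pass


def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _split_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed JWT")
    return json.loads(_b64url(parts[0])), json.loads(_b64url(parts[1]))


def extract_token(headers: Mapping[str, str], profile: TokenProfile) -> str:
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(profile.header, "")
    if profile.header == "authorization":
        scheme, _, value = value.partition(" ")
        if scheme.lower() != "bearer":
            raise AuthError("expected 'Authorization: Bearer <token>'")
    if not value.strip():
        raise AuthError(f"no token in {profile.header}; did the request bypass the proxy?")
    return value.strip()


def check_claims(claims: dict, profile: TokenProfile, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    if claims.get("iss") != profile.issuer:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if aud != profile.audience and not (isinstance(aud, list) and profile.audience in aud):
        raise AuthError("token was minted for a different audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("token expired")
    if not isinstance(iat, (int, float)) or iat > now + 60:  # tolerate 60 s of clock skew
        raise AuthError("token issued in the future")
    if not claims.get("sub"):
        raise AuthError("missing subject")
    if profile.hosted_domain and claims.get("hd") != profile.hosted_domain:
        raise AuthError("account is outside the allowed Workspace domain")
    return {"sub": claims["sub"], "email": claims.get("email")}


def authenticate(headers: Mapping[str, str], profile: TokenProfile,
                 verify_signature: Callable[[str, Optional[str], TokenProfile], bool],
                 now: Optional[float] = None) -> dict:
    """Return the verified identity or raise AuthError; never use unsigned headers instead."""
    token = extract_token(headers, profile)
    header, claims = _split_jwt(token)
    if header.get("alg") not in profile.algorithms:  # rejects alg=none and key confusion
        raise AuthError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(token, header.get("kid"), profile):
        raise AuthError("signature did not verify")
    return check_claims(claims, profile, now)


def verify_signature_pyjwt(token: str, kid: Optional[str], profile: TokenProfile) -> bool:
    """Production verifier: fetch the issuer's key for this kid and check the signature."""
    import jwt  # PyJWT (with the cryptography extra); imported lazily to keep the rest stdlib
    key = jwt.PyJWKClient(profile.jwks_url).get_signing_key_from_jwt(token).key
    jwt.decode(token, key, algorithms=list(profile.algorithms),
               audience=profile.audience, issuer=profile.issuer)
    return True


def unsigned_demo_token(claims: dict, alg: str = "ES256", kid: str = "demo-kid") -> str:
    """Constructed token with a placeholder signature, for offline demonstration only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'kid': kid, 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"
```

In production pass verify_signature_pyjwt as the verifier (or, for Firebase, call firebase_admin.auth.verify_id_token and keep the surrounding checks). The audience check is the one most often skipped: a token minted for another backend service or another project parses fine and carries a genuine Google signature, and only the aud claim says it was not meant for you. Pinning the algorithm list per issuer closes the alg=none and key-confusion class of bugs before any key is fetched.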
Conclusion
Authenticating users is essential for any internal app on Cloud Run, but with each option above two further points decide whether the app is actually protected: the service must be unreachable except through the authenticated path, and authorization (who may do what) must be enforced once the identity is established. Whether you choose Identity-Aware Proxy, Firebase Authentication or your own logic, design for both from the start.
Very nice explanation!
One Q: Around the 9:00 mark when creating the OAuth config you mentioned not needing any additional scopes. Can you point to the docs or an example of if you wanted to have an application using IAP and access GCS or other Google Cloud resources on behalf of the user (say to prompt a user for a source of data and let them browse their GCS buckets) – how does the app take its authenticated user and parlay that into a Google user ID token to access downstream services?
Hi, I followed everything mentioned in this tutorial, but when I want to access my web app I only get the "Forbidden" response… Which is normal since I'm never invited to authenticate. Is there something I am missing? :/
Followed all the steps mentioned. I believe the new URL won't work till the SSL certificates are set up? It is currently in pending state @googlecloudtech
I am not able to see my Cloud Run apps under IAP
I would like to verify my users on my website, hosted outside of Google, and then simply send a bearer token with them to my Cloud Run service (in other words, Google would not be involved in authenticating my users). Is there a setting on Cloud Run which permits access with only a bearer token?
@googlecloudruntech I cannot see Cloud Run in the IAP section
The video should say that it will cost an extra $20/month.
Because IAP cannot be added without adding the load balancer, and the load balancer costs an extra $20/month independently of how much you use the Cloud Run app.
This is very cool, however I found the video to be very patronising
I have multiple App Engine services. It looks like I can turn on IAP for the whole App Engine app but not for individual services.
IAP is very powerful. We used to utilize a custom VPN for this kind of access.
Hi, can I use IAP to access BigQuery?
Everything worked out great. The only problem is, my users are usually on their personal Google accounts. After enabling internal-only, they are blocked and see the org_internal error screen (which is expected), but they don't have the option to switch accounts. Is there a way to include a button in the consent screen to allow the user to switch accounts?
Does this setup facilitate IAP validating a user, then, based on that user's credentials, the load balancer routing them to their specific Cloud Run app?
IAP is a game changer. I wish other cloud providers would take note and do something similar! Well done Google!
Nice one Martin. Please look at making future videos with infra automation along with Console based set up as real world use cases are mostly using these
Advertising a global load balancer for each internal service. This is insane! Is Google paying for the bill?
Nice 1:55