Reputation: 91
I have deployed an application through Google Cloud Run. How can I restrict user access to the URL being accessed? I want only a particular set of users to be able to use the URL. Is there a way to do that?
Upvotes: 6
Views: 4971
Reputation: 2002
There are many ways of restricting user access to Cloud Run:
Per-service IAM permissions: When deploying/editing a service you have the option to select "Allow only authenticated requests". This basically does two things: first, it restricts access to users listed within the IAM permissions list of the project; second, you are able to give invocation permissions to email addresses and/or email domains. This option is particularly useful when the set of users accessing the app isn't big or when they all have an email under the same domain. Documentation here.
Firebase Authentication: When the user base has a variety of email domains and the service does some kind of "account registration", it may be useful to go to a federated authentication service like Firebase Auth. It is almost a plug-and-play option that allows a multitude of sign-in methods ranging from classical email & password auth to Google or GitHub sign-in. One thing to note here is that you'd need to enable Firebase for the project and set up some code to make it work. This and the next option are listed in the Cloud Run documentation.
Identity Platform: This option is mostly the same as Firebase Auth; it provides several kinds of user authentication and a set of SDKs to implement the process. It's worth saying this is somewhat more complicated than Firebase Auth. Docs.
While all the approaches above might be used to accomplish your goal, they differ in how authentication is done, what's needed to configure it, etc. Therefore it is recommended to evaluate the needs of the application to perform a meaningful comparison of pros/cons.
EDIT: As AhmetB pointed out, Cloud IAP is still not available for Cloud Run. Leaving that part of the answer here:
Upvotes: 2
Reputation: 45302
What you're looking for is "end-user authentication" which takes place in a human’s browser.
So, IAM is not going to help you solve that.
If you're looking to build an app with a "Google sign-in" button, you can follow the guide at https://cloud.google.com/run/docs/authenticating/end-users. But it will be up to you to verify the users’ authenticity (JWT tokens coming to you from Firebase auth) and to see if they are "authorized" to view that page.
If you are looking to have a "proxy" handle the authentication for you, you should use Cloud IAP, however at the time of writing, a Cloud Load Balancer with IAP enabled doesn't yet support Cloud Run. With IAP, you can say things like "this URL is accessible by these users/groups".
Another alternative is to run an open source proxy/middleware (similar to IAP), such as Pomerium.io, to handle authenticating users and proxying the traffic to the actual backend. For this, see Authorizing end users in Cloud Run with Pomerium. This can provide more flexibility than Cloud IAP (e.g. support for non-Google identity providers).
Upvotes: 5
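The answer above leaves the "is this user authorized" step to the application. As an added example (not code from the question, the answers, or Google's documentation), here is the check a Cloud Run handler can run on the claims returned by Firebase's verifier: it re-checks issuer, audience and expiry for this project, then applies an allowlist of individual addresses and of whole email domains, the same two shapes of policy the first answer describes for IAM. The project id, the allowlists, and the injected `verify_id_token` callable are assumptions; in the service itself that callable is `firebase_admin.auth.verify_id_token`, which performs the signature check against Google's public keys.

```python
import time

# Constructed policy values (assumptions, not from the question or answers).
FIREBASE_PROJECT_ID = "my-project"          # placeholder Firebase/GCP project id
ALLOWED_EMAILS = {"alice@example.com"}       # individual users who may invoke the service
ALLOWED_DOMAINS = {"corp.example"}           # entire email domains that may invoke it


def check_firebase_claims(claims, project_id=FIREBASE_PROJECT_ID, now=None):
    """Re-check that a Firebase ID token's claims are valid for THIS project.

    `claims` is the dict returned by firebase_admin.auth.verify_id_token(), which
    has already verified the RS256 signature. Returns None when acceptable,
    otherwise a short reason string (never echoed with token contents).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != f"https://securetoken.google.com/{project_id}":
        return "wrong issuer"
    if claims.get("aud") != project_id:
        return "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "token expired"
    if not claims.get("sub"):
        return "missing subject"
    return None


def is_authorized(claims):
    """Authorization policy: only verified addresses on the allowlists may call the service."""
    email = (claims.get("email") or "").lower()
    if not email or claims.get("email_verified") is not True:
        return False                      # unverified address proves nothing about ownership
    domain = email.rsplit("@", 1)[-1]
    return email in ALLOWED_EMAILS or domain in ALLOWED_DOMAINS


def authorize_request(authorization_header, verify_id_token, now=None):
    """Return (HTTP status, body) for a request, given its Authorization header value.

    `verify_id_token` is injected so the policy can be exercised offline; in the
    deployed service pass firebase_admin.auth.verify_id_token (assumption: the
    client sends the Firebase ID token as a bearer token).
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_id_token(authorization_header[len("Bearer "):])
    except Exception:                     # bad signature, malformed token, revoked, ...
        return 401, "invalid token"
    reason = check_firebase_claims(claims, now=now)
    if reason:
        return 401, reason
    if not is_authorized(claims):
        return 403, "user not allowed"    # authenticated, but not on the allowlist
    return 200, f"hello {claims['email']}"
```

Authentication failures map to 401 and policy failures to 403, so a log filter on 403s shows valid sign-ins by users who are not on the allowlist.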
Reputation: 7297
First you will need to bring those users into your GCP organization. Add them as a member of your organisation. Their email ID is sufficient to bring them into the organization. Next you can assign permission to view your Cloud Run service. See steps to manage access at https://cloud.google.com/run/docs/securing/managing-access
Upvotes: -2