This page describes how to enable IAP from Cloud Run and
secure traffic bound for a Cloud Run service by routing to IAP
for authentication. By enabling IAP from Cloud Run, you
can route traffic with a single click from all ingress paths, including default
run.app URLs and load balancers.
Known limitations
- The project must be within an organization.
- Identities must be from within the same organization.
- You cannot configure IAP on both the load balancer and the Cloud Run service.
- Some integrations, such as Pub/Sub, might stop working if IAP is enabled.
Before you begin
- Enable the IAP API. 
Required roles
To get the permissions that you need to enable IAP, ask your administrator to grant you the following IAM roles:
- Cloud Run Admin (roles/run.admin) on the project
- Grant access to the IAP-enabled service:
  - IAP Policy Admin (roles/iap.admin) on the project
- Create an IAP-enabled service or update an existing service to enable IAP:
  - Artifact Registry Reader (roles/artifactregistry.reader) on the deployed container images
  - Service Account User (roles/iam.serviceAccountUser) on the service identity
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Enable IAP from Cloud Run
We recommend that you enable IAP directly from Cloud Run.
If you use both IAP and Identity and Access Management (IAM) on the same Cloud Run service, note the following conditions:
- Both the IAP and the IAM checks are performed. 
- The IAP check happens first and accepts or blocks requests based on the IAP configuration. 
- If the request passes the IAP check, IAP uses its own service account to authenticate to Cloud Run's IAM check. 
- Because the IAP check happens first, some services, such as Pub/Sub, might not authenticate correctly to it. 
Enable IAP from Cloud Run by using Google Cloud console, the Google Cloud CLI, or Terraform.
Console
When you enable IAP for Cloud Run, IAP
requires permissions to invoke your Cloud Run service. If you're
enabling IAP using the Google Cloud console, this permission is granted
automatically by assigning the Cloud Run Invoker role
(roles/run.invoker) to the IAP service agent.
To enable IAP from Cloud Run:
- In the Google Cloud console, go to the Cloud Run page: 
- If you're configuring and deploying a new service, select Deploy container and then Service. If you're configuring and deploying an existing service, click the service, then click Edit and deploy new revision. 
- If you're configuring a new service, fill out the initial service settings page as needed, then select Require authentication. Select Identity-Aware Proxy (IAP). 
- If you're configuring and deploying an existing service, click the service and then select Require authentication. Select Identity-Aware Proxy (IAP). 
- Click Edit policy to create a context-aware access policy:
  - Add one or more principals and, optionally, the access level that each principal is required to satisfy for application access.
  - Click Save.
- Click Save.
gcloud
To enable IAP directly from Cloud Run, add the --iap
flag when deploying your app and grant invoker permission to the IAP service
agent:
- Deploy your Cloud Run service using one of the following commands:
  - For a new service:

    ```
    gcloud beta run deploy SERVICE_NAME \
      --region=REGION \
      --image=IMAGE_URL \
      --no-allow-unauthenticated \
      --iap
    ```

  - For an existing service:

    ```
    gcloud beta run services update SERVICE_NAME \
      --region=REGION \
      --iap
    ```

  Replace the following:
  - SERVICE_NAME: the name of your Cloud Run service.
  - REGION: the name of your Cloud Run region. For example, europe-west1.
  - IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
  - PROJECT_NUMBER: Your Google Cloud project number.
- Grant invoker permission to the IAP service agent:

  ```
  gcloud run services add-iam-policy-binding SERVICE_NAME \
    --region=REGION \
    --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com \
    --role=roles/run.invoker
  ```

  Replace the following:
  - SERVICE_NAME: the name of your Cloud Run service.
  - REGION: the name of your Cloud Run region. For example, europe-west1.
  - PROJECT_NUMBER: Your Google Cloud project number.
- To verify that your service is configured with IAP enabled, run the following command:

  ```
  gcloud beta run services describe SERVICE_NAME
  ```

  The output should contain the following string:

  ```
  Iap Enabled: true
  ```
You are now routing all traffic bound for the configured Cloud Run service to IAP for authentication before passing to the container.
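The gcloud steps above end with a check for Iap Enabled: true, and the IAP-plus-IAM conditions earlier on this page mean the IAP service agent must hold roles/run.invoker. The following POSIX shell script is an added example, not part of the Cloud Run documentation: it applies both checks, plus a check that allUsers is not an invoker, to captured gcloud output. The describe and get-iam-policy outputs it parses are constructed samples, and the check functions are my own helpers, not gcloud features.

```shell
#!/bin/sh
# Added example (not from the Cloud Run docs): an offline posture check for a
# service protected by IAP from Cloud Run. It parses captured output of two
# gcloud commands; the sample outputs below are constructed, not real captures.

# Constructed sample of `gcloud beta run services describe SERVICE_NAME`.
DESCRIBE_OUT='Service hello-iap in region europe-west1
Iap Enabled: true'

# Constructed sample of `gcloud run services get-iam-policy SERVICE_NAME --region=REGION`
# for project number 123456789012: only the IAP service agent may invoke.
POLICY_OUT='bindings:
- members:
  - serviceAccount:service-123456789012@gcp-sa-iap.iam.gserviceaccount.com
  role: roles/run.invoker
etag: BwXconstructed=
version: 1'

# Constructed negative case: same policy plus a public invoker grant.
POLICY_PUBLIC_OUT='bindings:
- members:
  - allUsers
  - serviceAccount:service-123456789012@gcp-sa-iap.iam.gserviceaccount.com
  role: roles/run.invoker'

# Succeeds only if the describe output reports IAP enabled.
iap_enabled() { printf '%s\n' "$1" | grep -q '^Iap Enabled: true$'; }

# has_binding POLICY ROLE MEMBER: succeeds if MEMBER holds ROLE in the policy YAML.
has_binding() {
  printf '%s\n' "$1" | awk -v want_role="$2" -v want_member="$3" '
    /^- members:/ { found = 0 }
    /^  - /       { if ($2 == want_member) found = 1 }
    /^  role:/    { if ($2 == want_role && found) hit = 1 }
    END           { exit hit ? 0 : 1 }'
}

# check_iap_posture DESCRIBE POLICY PROJECT_NUMBER: IAP must be on, the IAP
# service agent must hold roles/run.invoker (IAP authenticates to Cloud Run's
# IAM check with it), and allUsers must not, since no other invoker is needed.
check_iap_posture() {
  agent="serviceAccount:service-$3@gcp-sa-iap.iam.gserviceaccount.com"
  iap_enabled "$1" || { echo 'FAIL: Iap Enabled: true not found'; return 1; }
  has_binding "$2" roles/run.invoker "$agent" ||
    { echo "FAIL: $agent lacks roles/run.invoker"; return 1; }
  has_binding "$2" roles/run.invoker allUsers &&
    { echo 'FAIL: allUsers holds roles/run.invoker'; return 1; }
  echo 'OK: IAP enabled and only the IAP agent is an invoker'
}
```

To run it against a live service, replace the constructed strings with command substitutions of the two gcloud commands named in the comments.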
Terraform
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
To enable IAP using Terraform, you must update your service definition and add an IAM policy binding to grant invoker permission to IAP.
- Add iap_enabled = true to a google_cloud_run_v2_service resource in your Terraform configuration to enable IAP on the service:

  ```
  resource "google_cloud_run_v2_service" "default" {
    provider     = google-beta
    name         = "cloudrun-iap-service"
    location     = "europe-west1"
    ingress      = "INGRESS_TRAFFIC_ALL"
    launch_stage = "BETA"
    iap_enabled  = true

    template {
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello"
      }
    }
  }
  ```

- Add the following to grant the roles/run.invoker role to the IAP service agent:

  ```
  resource "google_cloud_run_v2_service_iam_member" "iap_invoker" {
    provider = google-beta
    project  = google_cloud_run_v2_service.default.project
    location = google_cloud_run_v2_service.default.location
    name     = google_cloud_run_v2_service.default.name
    role     = "roles/run.invoker"
    member   = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com"
  }
  ```

  Replace PROJECT_NUMBER with your project number.

- Optional. To retrieve the current IAM policy data, add a google_cloud_run_v2_service_iam_policy data source to your Terraform configuration:

  ```
  data "google_cloud_run_v2_service_iam_policy" "policy" {
    project  = google_cloud_run_v2_service.default.project
    location = google_cloud_run_v2_service.default.location
    name     = google_cloud_run_v2_service.default.name
  }
  ```
Disable IAP from Cloud Run
You can disable IAP by using the Google Cloud console or gcloud CLI.
Console
To disable IAP from Cloud Run:
- In the Google Cloud console, go to the Cloud Run page: 
- Click the existing service you want to modify. 
- Click Security and select Allow public access. 
- Click Save. 
gcloud
To disable IAP directly from Cloud Run, add the
--no-iap flag when deploying your app:
- Deploy your Cloud Run service using either of the following commands:
  - For a new service:

    ```
    gcloud beta run deploy SERVICE_NAME \
      --region=REGION \
      --image=IMAGE_URL \
      --no-iap
    ```

  - For an existing service:

    ```
    gcloud beta run services update SERVICE_NAME \
      --region=REGION \
      --no-iap
    ```

  Replace the following:
  - SERVICE_NAME: the name of your Cloud Run service.
  - REGION: the name of your Cloud Run region.
  - IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format of LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
- To verify that your service is no longer configured with IAP enabled, run the following command:

  ```
  gcloud beta run services describe SERVICE_NAME
  ```

  The output should no longer contain the following string:

  ```
  Iap Enabled: true
  ```
You are no longer routing all traffic bound for the configured Cloud Run service to IAP for authentication before passing to the container.
Manage user or group access
By default, IAP for Cloud Run uses in-organization identities with Google Accounts. You can add or remove access to a Cloud Run service by using the Google Cloud console or gcloud CLI.
Console
To add or remove access:
- In the Google Cloud console, go to the Cloud Run page: 
- Click the existing service you want to modify, and then click Security. 
- Under IAP, click Edit policy. 
- To add access, enter the principal and, optionally, the access level or levels that you want to add. 
- To remove access from an existing principal, click the Delete policy icon next to Access levels. 
- Click Save. 
gcloud
To add or remove access to a Cloud Run service for individual users or groups within your organization, run one of the following commands:
- To add access:

  ```
  gcloud beta iap web add-iam-policy-binding \
    --member=user:USER_EMAIL \
    --role=roles/iap.httpsResourceAccessor \
    --region=REGION \
    --resource-type=cloud-run \
    --service=SERVICE_NAME
  ```

- To remove access:

  ```
  gcloud beta iap web remove-iam-policy-binding \
    --member=user:USER_EMAIL \
    --role=roles/iap.httpsResourceAccessor \
    --region=REGION \
    --resource-type=cloud-run \
    --service=SERVICE_NAME
  ```

- To view access:

  ```
  gcloud beta iap web get-iam-policy \
    --region=REGION \
    --resource-type=cloud-run \
    --service=SERVICE_NAME
  ```
Replace the following:
- USER_EMAIL: the user's email address.
- REGION: the name of your Cloud Run region.
- SERVICE_NAME: the name of your Cloud Run service.
Troubleshooting
Service Agent failure causes set IAM error
Enabling IAP on a new project for the first time can cause the following error:
Setting IAM permissions failed

This is because the Cloud Run Service Agent failed. To resolve the issue, either enable IAP again or set the IAM policy manually.
What's next
- For instructions on how to enable IAP from a backend service or load balancer, see Enabling IAP for Cloud Run.
- For issues with enabling IAP for Cloud Run, see Troubleshooting errors.
- Enabling external identities.
- Enabling OAuth configuration.
- Managing access to IAP-secured resources.
- Using organization policies to control IAP enablement.