0
votes

I have been looking all day for a solution to this, and have yet to come up with anything... I assume this is probably fairly simple.

I have a Cloud Run instance, which I would like to secure using Google Identity. I have enabled Cloud Identity and added a test user, and have built a web application that logs a user in and out using Google Identity (Email/Password). This all works fine.

What I would like to do is secure the Cloud Run instance to only accept requests from users logged in with Google Identity. All other requests will be blocked.

I believe that the solution lies somewhere within Cloud IAM and/or the Identity-Aware Proxy, but have yet to find a solution...

Any GCP experts out there who could help point me in the right direction?


1 Answer

1
votes

I agree with you, it's a must-have requirement and it's not simple. Actually, today, it's not possible directly and you have to add a layer that proxies your authenticated user with Cloud Identity and the Cloud Run protected by Cloud IAM (and Google Front End).

The solution today is to use Cloud Endpoints for this. I wrote an article to secure serverless products with API keys. You just have to change the security definition with Firebase auth. (Yes, Firebase, because if you implemented a page that authenticates the users, you saw that the JS library is a Firebase lib!!)

So, things are moving, slowly, step by step. Yesterday, a feature was added to the Global Load Balancer to accept serverless products (including Cloud Run). Weeks ago, App Engine IAP started accepting external identities. These are pieces of a global picture. In the end, it will be possible to set IAP on the Global Load Balancer and all will work together. As I said, step by step.
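
The security-definition change described in the answer above, sketched as an added example (not part of the original answer or of the author's article): a Cloud Endpoints OpenAPI 2.0 spec in which the Firebase definition, not the API-key one, is applied to requests. `PROJECT_ID`, `ENDPOINTS_HOST`, `CLOUD_RUN_SERVICE_URL`, the API title and the `/hello` path are placeholders assumed for illustration.

```yaml
swagger: "2.0"
info:
  title: Example API in front of Cloud Run   # constructed name
  version: "1.0.0"
host: ENDPOINTS_HOST                         # placeholder: hostname of the Endpoints proxy service
schemes:
  - https
x-google-backend:
  address: https://CLOUD_RUN_SERVICE_URL     # placeholder: URL of the protected Cloud Run service

securityDefinitions:
  # "Before": API-key definition. It identifies a calling project, not a user.
  api_key:
    type: apiKey
    name: key
    in: query
  # "After": Firebase auth. The proxy validates the ID token that the
  # Firebase JS library issued to the signed-in user.
  firebase:
    authorizationUrl: ""
    flow: implicit
    type: oauth2
    x-google-issuer: "https://securetoken.google.com/PROJECT_ID"
    x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
    x-google-audiences: "PROJECT_ID"

# Applied to every path: requests without a valid Firebase ID token
# (Authorization: Bearer <token>) are rejected by the proxy.
security:
  - firebase: []

paths:
  /hello:                                    # constructed path
    get:
      operationId: hello
      responses:
        "200":
          description: OK
```

For the proxy to be the only way in, the Cloud Run service itself has to stay closed to unauthenticated invocations, with the proxy's service account granted `roles/run.invoker` on it.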