Cloud Run with IAP
- Published: 22 Oct 2024
- Today, as promised, I'll explore the intricacies of combining Cloud Run with IAP. However, rather than guiding you through the complete setup - which you can find well-documented at cloud.google.c... I'll shift my focus towards a diagrammatic representation of the process. I'll pinpoint and elaborate on five particularly challenging aspects of this setup that arise primarily due to the inclusion of a Load Balancer, which adds a level of complexity not found in a traditional App Engine setup. To wrap up, I'll share my understanding of why incorporating a Load Balancer is crucial as opposed to adhering to the conventional App Engine setup. My hope is that this exploration will not only streamline your setup process but also arm you with the knowledge to build secure and powerful IAP-integrated applications on Cloud Run.
00:57 - Table of Contents
02:04 - The steps involved to enable IAP on Cloud Run
04:28 - Explaining it in a diagram
08:41 - Troubleshooting
09:11 - Cloud Armor whitelisting
10:50 - Authorized redirect URIs
12:04 - Cloud Run Ingress rules
12:59 - Cloud Run Invoker grant to the Google SA
14:06 - Grant IAP Web App User role at project level
15:01 - Demo
16:56 - Why it needs a Load Balancer
20:54 - Summary
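The three chapters at 12:04, 12:59 and 14:06 (ingress rules, the invoker grant to the Google service account, and the IAP Web App User role at project level) are the steps most often missed. The script below is an added example, not from the video or its slides, showing the gcloud commands for those three steps in order. Every project, region, service and group name is a placeholder, and with the default DRY_RUN=1 it only prints the commands so it can be reviewed without touching a project.

```shell
#!/bin/sh
# Added example (not from the video): gcloud steps for the
# "Cloud Run Ingress rules", "Cloud Run Invoker grant to the Google SA"
# and "Grant IAP Web App User role at project level" chapters.
# All identifiers are placeholders/assumptions; set them before a real run.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"                # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"         # placeholder
REGION="${REGION:-europe-west2}"                         # placeholder
SERVICE="${SERVICE:-my-iap-app}"                         # placeholder Cloud Run service
USER_GROUP="${USER_GROUP:-group:app-users@example.com}"  # placeholder IAM member
DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands only

# The Google-managed IAP service agent that the load balancer backend uses to
# call Cloud Run on the user's behalf. Its address is derived from the project
# number, which is why the invoker grant is easy to get wrong.
iap_service_agent() {
  printf 'service-%s@gcp-sa-iap.iam.gserviceaccount.com\n' "$1"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 (12:04): ingress rule. Only traffic that arrived through the external
# load balancer (where IAP sits) may reach the service; the default run.app URL
# stops answering direct requests, so IAP cannot be bypassed by going around it.
set_ingress() {
  run gcloud run services update "$SERVICE" \
    --project="$PROJECT_ID" --region="$REGION" \
    --ingress=internal-and-cloud-load-balancing
}

# Step 2 (12:59): invoker grant. IAP forwards the request as its service agent,
# so that agent needs roles/run.invoker; otherwise the user passes IAP and is
# still rejected by Cloud Run with a 403.
grant_invoker() {
  run gcloud run services add-iam-policy-binding "$SERVICE" \
    --project="$PROJECT_ID" --region="$REGION" \
    --member="serviceAccount:$(iap_service_agent "$PROJECT_NUMBER")" \
    --role=roles/run.invoker
}

# Step 3 (14:06): which users may pass IAP. roles/iap.httpsResourceAccessor is
# the "IAP-secured Web App User" role, granted here at project level as in the video.
grant_iap_users() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$USER_GROUP" \
    --role=roles/iap.httpsResourceAccessor
}

main() {
  set_ingress
  grant_invoker
  grant_iap_users
}

main
```

Run it once with the defaults to review the three commands, then set the real `PROJECT_ID`, `PROJECT_NUMBER`, `REGION`, `SERVICE` and `USER_GROUP` and re-run with `DRY_RUN=0`. Granting the invoker role to the IAP service agent rather than to end users is the point of the second step: end users are authorized by IAP through the third step, never directly on the Cloud Run service.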
Simply the best (and only) clear explanation of how this works. Thank you very much.
Glad it helped!
This is absolutely fantastic! Keep making more videos please! I love the full demonstration of all of these different topics in your videos.
Glad you found it useful! It's important that more teams and engineers understand how to make good use of these services without wasting time on the same thing over and over again. Sharing is 🔑
I’m super glad I found your channel on RUclips. I love your content and the way you are going through examples. Can’t wait for next videos! Cheers!
Thank you for the kind words! Believe it or not, compliments like yours are what keep me going and doing this :) Glad you are able to benefit from my content.
This is really an amazing video, especially the troubleshooting part. Very clear 😊 Love it!!
Glad it helped!
I like this video, it is the most informational and practical video for the topic IAP. Thanks for sharing
Glad it was helpful!
Thank you for this great video. It added a lot to my understanding of this subject!
You are welcome ❤
Thanks for the video. We have performed all the steps like client ID and secret generation, redirect URL addition, IAP enablement using the client ID and secret for the backend service, IAP service account creation, and Cloud Run Invoker and IAP Web App Secure User role additions to it. However, even after doing all these steps, the issue we are having is that the backend service is "not appearing" in the APPLICATIONS tab of the IAP page in the console. This looks like a strange issue never seen in any of the IAP videos/articles. Can you please suggest what could have gone wrong on our end? Also, one more input to you is that we have the load balancer in the host project and the backend service in the service project (if that matters).
Thanks a lot, great video. Can you please tell me which video recording/editing tool is being used?
Thank you 🙏 I use Camtasia
Amazing explanation! However, I have a doubt regarding the use of OAuth 2.0 creds in this whole setup. Does the OAuth client ID represent the backend service here, which is delegating authentication to IAP?
Thank you, and I don't think this was explained well in the video. I did some more reading and one thing I noticed is that the docs on how to create the backend service of the LB have changed: cloud.google.com/iap/docs/enabling-cloud-run#enabling. As you can see at 15:08 in the video, it used to require the client_id and client_secret to create the backend to enable IAP, but that doesn't seem to be there anymore. The latest docs have a note saying "The ability to authenticate users with a Google-managed OAuth client is available in Preview." Well, technically if it's in preview they should not update the docs to remove this option, but if it is true then it means by default it will use the Google-managed OAuth client and creating the credentials manually is no longer required.
I've not tested this out yet, but I think it's worth trying it without using a custom credential and just enabling IAP. I think it makes sense, as creating it manually and then specifying it is a lot of faff since you need to manage the secret rotation etc. yourself.
And my understanding of the way this works is: when a user comes in, the user will pass the auth header, the load balancer backend will intercept it and use IAP to do the verification to see whether the user has permission or not, which is defined in IAM with the user group. Because the IAP SA has been granted invoker access to the Cloud Run service, the user will be granted access after passing through the IAP validation.
I have to integrate with Okta. How do I handle this scenario in my Next.js application? Any suggestion please?
If your organisation is already using Okta as the main identity provider, I don't believe you need to do anything, as IAP handles auth via Google Workspace identity.
If this isn't the case, maybe have a look at cloud.google.com/iap/docs/enable-external-identities, although it's questionable why you would use Workspace identity directly while also having Okta as the identity provider.
slides are here docs.google.com/presentation/d/1Vy8tH70jyzUlGFXu9Cfjl9B9ACrby8mPZ09p9CvPqvo/edit?usp=share_link
Can we apply IAP on an Apigee proxy API?
@dhirajpal1495 Not something I tried, and I am not sure that is the right use case. IAP is mainly for internal application authentication; for APIs I am not sure this is the right use case for IAP.