Cloud Run user auth for internal apps

  • Published: 7 Jun 2023
  • Enabling IAP for Cloud Run → goo.gle/43O59zz
    GitHub → goo.gle/3Ch8gUK
    In this video, Martin demonstrates how to host an application on Cloud Run using Google's Identity-Aware Proxy and ensure only a list of approved users can access it. Developers can use Identity-Aware Proxy with applications hosted on Compute Engine, App Engine, and Kubernetes Engine, so it can be a single control panel for granting users access to all your internal applications.
    Subscribe to Google Cloud Tech → goo.gle/GoogleCloudTech
  • Science

Comments • 44

  • @googlecloudtech
    @googlecloudtech 1 year ago +3

    Subscribe to Google Cloud Tech → goo.gle/GoogleCloudTech

    • @jayeshyeole3444
      @jayeshyeole3444 1 year ago

      India & USA Collaboration Education Sector Space Sector Big Data Technology Blockchain Technology Artificial Intelligence Space Weapons & Data Center Security

  • @KevinBoutin
    @KevinBoutin 1 year ago +14

    IAP is a game changer. I wish other cloud providers would take note and do something similar! Well done Google!

    • @TheMomander
      @TheMomander 1 year ago

      Happy to hear you find it useful!

  • @savislin
    @savislin 1 year ago +2

    IAP is very powerful. We used to utilize a custom VPN for this kind of access.

  • @anilmm2005
    @anilmm2005 1 year ago +1

    Nice one, Martin. Please look at making future videos with infra automation along with Console-based setup, as real-world use cases are mostly using these.

    • @jk.g
      @jk.g 1 year ago +1

      This is a great idea, I'd love to see that too. Like a terraform module or something that takes in parameters such as principals, domain names and so forth.

    • @TheMomander
      @TheMomander 1 year ago

      @@jk.g This is a great idea. We choose to mostly show the Cloud Console in these videos, because it's more visual. You can only watch so much white text on a black background before it all starts to look the same. But we agree; more Terraform and infrastructure-as-code content would be useful. I'm adding it to the list of future episodes!

  • @d123herbs9
    @d123herbs9 6 months ago

    Very nice explanation!
    One Q: Around the 9:00 mark when creating the OAuth config you mentioned not needing any additional scopes. Can you point to the docs or an example of if you wanted to have an application using IAP and access GCS or other Google Cloud resources on behalf of the user (say to prompt a user for a source of data and let them browse their GCS buckets) - how does the app take its authenticated user and parlay that into a Google user ID token to access downstream services?

  • @kernellpanic
    @kernellpanic 1 year ago +1

    I have multiple App Engine Services.... It looks like I can turn on IAP for the whole app engine but not for individual services.

  • @milan319
    @milan319 2 months ago +1

    Can't change OAuth screen to internal once it's been created. I had an old OAuth consent screen and cannot edit it or remove it.

  • @jwxu2
    @jwxu2 1 year ago +3

    Everything worked out great. The only problem is, my users are usually on their personal Google account. After enabling internal only, they will be blocked and see the org_internal error screen (which is expected), but they don't have the option to switch accounts. Is there a way to include a button in the consent screen to allow the user to switch accounts?

    • @TheMomander
      @TheMomander 1 year ago +1

      You bring up a good point. I talked with the team, they appreciate the input, and they will think about how to address it. Thank you for bringing this up!

  • @rcarias78
    @rcarias78 3 months ago

    This was nicely explained. I love GCR. Anyone know of a video on how to use their sidecar feature? Multiple containers in one service.

  • @AndreyBushmakin-nv3ob
    @AndreyBushmakin-nv3ob 4 months ago

    Hello, I did everything the same as was mentioned in this video. But I'm getting the error "from origin has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource." After a refresh it's gone, but after clearing cookies it still exists. Could someone help with it?

  • @rickmcgeer1367
    @rickmcgeer1367 11 months ago +1

    I would like to verify my users on my website, hosted outside of Google, and then simply send a bearer token with them to my Cloud Run service (in other words, Google would not be involved in authenticating my users). Is there a setting on Cloud Run which permits access with only a bearer token?

    • @TheMomander
      @TheMomander 11 months ago

      That's an interesting use case. For a custom setup like that I *think* you'd need custom code. Your request handler code in Cloud Run would look for the bearer token in the request and decode it. If the token isn't there or can't be decoded, your handler would return status code 403. If the token is fine, your code would continue processing the request. You would not use IAP and you would need to open your Cloud Run service to unauthenticated access. In other words, your code would handle your custom security, instead of Google doing it.
      Hope this helps!
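
The handler logic this reply sketches, written out as an added example that is not code from the video, the channel or the commenter: a request handler that looks for the bearer token, checks it, and answers 403 when it is missing or invalid, otherwise continues. It assumes the external site that authenticates users and the Cloud Run service share an HS256 secret (a constructed value here, which in practice would come from a secret store). The names `mint_token`, `verify_token` and `handle_request` are my own; `mint_token` stands in for the external site's token issuer so that the block runs on its own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed secret for this example only; a deployment would load it from a
# secret store rather than hard-coding it in the service.
SHARED_SECRET = b"example-only-shared-secret-do-not-use"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT. In the scenario above this would run on the external
    site that authenticates users, not in Cloud Run (hypothetical issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, correctly signed and
    unexpired; return None for anything else."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token must not choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak signature bytes.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        # Malformed base64, JSON or structure: treat as "cannot be decoded".
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def handle_request(headers: dict, secret: bytes = SHARED_SECRET,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Request handler in the shape the reply describes: find the bearer token,
    return 403 if it is absent or does not verify, otherwise keep processing."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 403, "Forbidden"
    claims = verify_token(token, secret, now)
    if claims is None:
        return 403, "Forbidden"
    # From here on the request is trusted to the extent the token is.
    return 200, f"Hello {claims.get('sub', 'user')}"


if __name__ == "__main__":
    # Constructed demo: a valid token, then a missing one.
    token = mint_token({"sub": "dave", "exp": time.time() + 300})
    print(handle_request({"Authorization": "Bearer " + token}))
    print(handle_request({}))
```

The reply says the handler should "decode" the token; this block also checks the signature, the expiry and the algorithm, because a token that merely decodes says nothing about who issued it. Since, as the reply notes, the Cloud Run service has to be open to unauthenticated invocation in this design, this check is the only gate, so it has to run before any other work in the handler.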

  • @user-ht4wr7zz8b
    @user-ht4wr7zz8b 1 year ago +2

    Hi, can I use IAP to access BigQuery?

    • @TheMomander
      @TheMomander 1 year ago

      No, IAP can only be used in front of App Engine, Cloud Run, Compute Engine, GKE, or on-prem systems. You could of course put a simple application on one of those platforms in front of BigQuery and authenticate with IAP. Or you could give individual users access to BigQuery directly in your project.

  • @John845
    @John845 1 year ago +1

    Does this setup facilitate IAP validating a user, then based off that user's credentials the Load Balancer routes them to their specific Cloud Run app?

    • @TheMomander
      @TheMomander 1 year ago

      The load balancer makes routing decisions based on what's in the URL. If your entry page requires a log in, it could then examine who the user is and redirect the user to a URL that leads to the right Cloud Run application. That Cloud Run app would also need to verify the user.

    • @John845
      @John845 1 year ago +1

      @@TheMomander Thanks for the reply!
      Not sure if you already answered my question or not exactly. But.
      What I'm interested in knowing is: can 1 single load balancer be used to route many users to different Cloud Run apps? Instead of an individual load balancer per Cloud Run app.
      e.g.
      "Dave" logs in via IAP, the Load Balancer sees who logged in and routes Dave to "Dave's Dashboard" on Cloud Run. Then "Jenny" logs in via IAP, the Load Balancer sees who logged in and routes Jenny to "Jenny's Dashboard" on Cloud Run. Dave and Jenny have separate Cloud Run apps.
      Does this seem doable?

    • @TheMomander
      @TheMomander 1 year ago +1

      @@John845 Yes, one load balancer can direct traffic to multiple Cloud Run services, based on the URL. A single load balancer can also direct traffic to multiple Cloud Functions, App Engine apps, virtual machines, or Kubernetes clusters.

    • @John845
      @John845 1 year ago +1

      @@TheMomander I watched the full video but haven't gone through the full step by step myself. But with the Load Balancer that's created in this video, would it be easy to modify its default single use (1 Cloud Run app) and make it work for multiple Cloud Run services based on the URL, as you mention?

    • @TheMomander
      @TheMomander 1 year ago

      @@John845 There is a document titled "Set up a global external HTTP(S) load balancer (classic) with Cloud Run, App Engine, or Cloud Functions" that describes how to do it. Because the load balancer has already been created, you can skip ahead to the section named "Create the load balancer". Within that section, skip to the sub-section named "Backend configuration" and start there. Best of luck!

  • @user-le6lh7si8d
    @user-le6lh7si8d 7 months ago

    Hi, I followed everything mentioned in this tutorial, but when I want to access my Web App, I only get the "Forbidden" response... Which is normal since I'm never invited to authenticate. Is there something I am missing? :/

    • @TheMomander
      @TheMomander 7 months ago +1

      It's hard to tell without being there with you. Did you set up a load balancer, assign your custom domain name to it, and enter that domain name in your browser?

    • @user-le6lh7si8d
      @user-le6lh7si8d 7 months ago

      @@TheMomander I did set up a load balancer but can't reach my app when using the IP generated by Google.
      I tried testing locally in the meantime but got no login page. Is it because the login page only triggers when everything is set up on the Cloud, or is there additional code that I'm missing for the Google Sign-In?

    • @TheMomander
      @TheMomander 6 months ago

      @@user-le6lh7si8d The login page will only be triggered when the application runs in the cloud.

  • @user-hr8of5uc1y
    @user-hr8of5uc1y 11 months ago

    I am not able to see my Cloud Run apps under IAP.

    • @MartinOmander
      @MartinOmander 11 months ago

      It's hard to know what is going wrong in your project without a more detailed description. But it could be that you didn't set up the load balancer, see 6:08 in the video. I have run into cases before where a developer forgot to do that part.

  • @nicolas00865
    @nicolas00865 1 year ago

    Advertising a Global Load Balancer for each internal service. This is insane! Is Google paying the bill?

    • @KevinBoutin
      @KevinBoutin 1 year ago

      You do not have to segregate every service. I'm pretty sure you could also introduce Apigee in front of your services too, which would allow one load balancer for all your service traffic in a particular region.

    • @nicolas00865
      @nicolas00865 1 year ago +2

      @@KevinBoutin Great idea! Another piece of heavy software in this lightweight serverless adventure. Sorry, but this doesn't make sense at all. Additionally, this video doesn't show at all how complicated it is to set up the Load Balancer...
      The only reason to use a load balancer is not load balancing but to have an external IP for the IAP...

    • @TheMomander
      @TheMomander 1 year ago +1

      @@nicolas00865 The load balancer also lets you put a custom domain in front of your Cloud Run service, with HTTPS termination. It's not too hard to set up. Just fill out the form shown at 6:15 in the video.
      If you want a serverless option you can put Firebase Hosting in front of your Cloud Run service. There is no monthly fixed cost with that approach, but it won't let you use IAP.

    • @nicolas00865
      @nicolas00865 1 year ago +1

      Thank you for the comment. I watch your content regularly to get some inspiration on GCP architecture; although I may disagree on this one, most of your videos are really helpful.
      For the LB, I'm fully aware of what it can achieve. Cloud Run supports a custom domain by default without an LB (only in some countries) but does not have a fixed IP. Here, this IAP design with an LB is just to have this fixed IP, right? It would be a lot simpler if we could connect IAP to Cloud Run without the need for an LB in the middle.
      As for Firebase Hosting, I'm not familiar with the product; thank you for the suggestion, I'll check if this makes more sense.

  • @user-mr4ke6ny3j
    @user-mr4ke6ny3j 1 year ago

    This is very cool; however, I found the video to be very patronising.

  • @AbhishekSingh-gg9dj
    @AbhishekSingh-gg9dj 11 months ago +1

    @googlecloudruntech I cannot see Cloud Run in the IAP section.

    • @TheMomander
      @TheMomander 11 months ago

      When that happens it's usually because the load balancer hasn't been set up. See timestamp 6:18 in the video for how to do that.