Here's an improved and enhanced version of the README in markdown format:
This project demonstrates how to secure a Google Cloud Run application using Identity-Aware Proxy (IAP). It provides a comprehensive solution for implementing robust identity management for Cloud Run apps.
- Enhanced Security: Implements strong authentication and authorization controls.
- Simplified Access Management: Centralizes user access control.
- Cost-Efficient: Leverages Google Cloud's IAP service with some additional infrastructure at low cost.
- User-Friendly: Provides a seamless authentication experience for end-users.
- Scalable: Easily adaptable to growing application needs.
Developers and cloud architects looking to implement secure access controls for their Cloud Run applications.
- Google Cloud Platform (GCP) account with billing enabled
gcloudCLI installed and configured- Terraform installed. Please see the commmands in the
iap.shfile which install Terraform. - Owner role or necessary permissions in the GCP project
.
├── cloud_run_app/ # Sample Cloud Run application (optional)
│ ├── deploy.sh
│ └── cloud_run.sh
├── iap/
│ ├── main.tf # Terraform configuration for IAP setup
│ └── iap.sh # Shell script for IAP configuration and cleanup
├── proxy_demo/
│ └── proxy.sh # Shell script setting up a proxy instead of IAP (optional)
├── tools/
│ └── cleanup.sh # Shell script full gcloud cli cleanup (optional). It's recommended to cleanup using the terraform iap.sh script instead.
└── README.md
git clone https://github.com/adswerve/secure-cloud-run-app-with-iap
cd secure-cloud-run-app-with-iap
If you don't have an existing Cloud Run app:
- Navigate to the
cloud_run_appdirectory. - Update
PROJECT_IDandLOCATIONindeploy.sh. - Update
PROJECT_IDandGCLOUD_CONFIGURATIONincloud_run.sh. - Execute the commands in
cloud_run.shsequentially.
- Navigate to the
iapdirectory. - In
main.tf, set yourproject_idvariable. - In
iap.sh, configure the following variables:export GCLOUD_CONFIGURATION=your-gcloud-config export PROJECT_ID=your-project-id export REGION=your-preferred-region export CLOUD_RUN_SERVICE=your-cloud-run-service-name
- Execute the commands in
iap.shsequentially, following any manual steps as indicated in the comments.
- Only execute steps 1 - 5. Ignore step 6 "Cleanup" as it's optional. It's only needed if you need to remove all the resources you set up from your GCP project.
- Unfortunately, you can't run the whole
iap.shfile in one go for a few reasons- Some steps are manual: some steps requiring OAuth Consent Screen are manual. We need to set it to INTERNAL and then to EXTERNAL - Testing.
- After we request an SSL certificate, we need to wait for a few minutes (up to an hour) until it's active before proceeding.
- Some steps in the IAP setup process require manual intervention. Pay close attention to the comments in
iap.sh. Specifically, some steps requiring OAuth Consent Screen are manual. We need to set it to INTERNAL and then to EXTERNAL - Testing. - Most of infrastructure deployment has been Terraformed. However, there are some steps which would require you to run some gcloud shell commmands.
- The SSL certificate provisioning can take up to 60 minutes. Be patient during this step.
- After making changes to IAP permissions, it may take 5-7 minutes for them to take effect.
- See step 4 in the
iap.shfile, specifically, this part:
echo https://$ip.nip.io
-
You can also obtain this URL in GCP console / UI
- Search "IP Address" in GCP console, in the search field
- Find the IP address you reserved
- append .nip.io to your ip address
-
Example:
https://34.117.116.251.nip.io
- See step 4 in the
iap.shfile, specifically, this part:
export USER_EMAIL=firstname.lastname@domain.com
echo $USER_EMAIL
gcloud iap web add-iam-policy-binding \
--resource-type=backend-services \
--service=demo-iap-backend \
--member=user:$USER_EMAIL \
--role='roles/iap.httpsResourceAccessor'
- You can also share in GCP console / UI
- Go to this URL: https://console.cloud.google.com/security/iap?referrer=search&project={insert-your-project-id}
- Click a checkbox next to "demo-iap-backend"
- Click "Add prinipal"
- Add them a role "IAP-secured Web App User"
-
If you get this error:
The IAP service account is not provisioned. Please follow the instructions to create service account and rectify IAP and Cloud Run setup: https://cloud.google.com/iap/docs/enabling-cloud-run. Try this:gcloud beta services identity create --service=iap.googleapis.com --project=$PROJECT_ID -
For SSL-related issues, ensure that the certificate is in an ACTIVE state before proceeding.
There are two options to remove the IAP configuration and infrastructure and revert changes:
Option A (recommended)
- Run
terraform destroyin theiapdirectory. - Execute the cleanup commands provided in the "CLEANUP" section of
iap.sh.
Option B:
Run the commands in the tools/cleanup.sh file
While not as secure or centralized as IAP, a quick alternative is to set up a proxy for your Cloud Run service.
- Navigate to the
proxy_demodirectory. - Open the
proxy.shfile. - Execute the commands in
proxy.shsequentially.
- Pros:
- Faster to implement
- Simpler configuration
- Cons:
- Less secure than IAP
- Lacks centralized management
- May not be suitable for production environments
- For rapid prototyping
- In development environments
- When full IAP setup is not immediately feasible
Note: For production deployments, it's strongly recommended to use the full IAP solution described in the main setup instructions.
This project requires Owner role in the GCP project due to the numerous resources created. If Owner access is not possible, a list of required predefined roles can be compiled upon request.