Enable IAP for Cloud Run

There are two ways to enable Identity-Aware Proxy for your Cloud Run services.

  1. Recommended: Directly on a Cloud Run service (Preview):
    • Protects the run.app endpoint directly so that you don't have to provision load balancer resources.
    • Provides a simpler setup and avoids additional load balancer costs.
    • If you opt to place a load balancer in front of Cloud Run, the load balancer's endpoint is also protected.
  2. On the backend service fronting the Cloud Run services: if you're running Cloud Run in multiple regions attached to the same load balancer global backend service and you require central access management, follow the instructions on this page. Otherwise, we recommend that you enable IAP directly on the Cloud Run service.

Known limitations

  • When you enable IAP on a load balancer, IAP secures traffic only through the load balancer and not traffic that might reach the Cloud Run service through its run.app URL. To only allow IAP-authorized traffic, see Configuring Cloud Run to limit access.

  • IAP authenticates to Cloud Run using the X-Serverless-Authorization header. Cloud Run passes this header to your service after stripping its signature. If your service is designed to forward the request to another Cloud Run service that requires IAM authentication, update your service to remove this header first.

  • IAP is incompatible with Cloud CDN.

  • IAP increases latency. Enable IAP only for instances that are not latency-sensitive.
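The header caveat above is the one most often missed in practice: a service that proxies incoming headers wholesale will replay the (now unsigned) X-Serverless-Authorization header to the next hop. The following shell script is an added example, not code from the Cloud Run documentation. It filters a raw header dump so that X-Serverless-Authorization (and the inbound Authorization and Host headers, which the forwarding service should replace with its own identity token and the downstream host) are never forwarded, and shows how the calling service mints its own token from the metadata server instead. The sample header lines are constructed; the downstream URL and the use of curl's `-H @file` syntax are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cloud Run docs): scrub headers before forwarding a
# request from one Cloud Run service to another that requires IAM authentication.

# Constructed sample of the headers a Cloud Run service sees behind IAP.
sample_headers() {
  cat <<'EOF'
Host: my-service-abc123-uc.a.run.app
Content-Type: application/json
Accept: */*
X-Serverless-Authorization: Bearer <constructed, signature already stripped by Cloud Run>
X-Request-Id: 42
EOF
}

# Reads "Name: value" lines on stdin and prints only those safe to forward.
# Header names are case-insensitive, so match with -i; Authorization and Host
# are dropped as well because the forwarding hop must supply its own.
forward_safe_headers() {
  grep -ivE '^(x-serverless-authorization|authorization|host):'
}

# Mint this service's own identity token for the downstream audience.
# Only works inside Cloud Run, where the metadata server is reachable.
id_token_for() {
  curl -s -H 'Metadata-Flavor: Google' \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=$1"
}

# Forward the request on stdin headers to the downstream service at $1
# (assumed URL). Uses curl's "-H @file" form, available since curl 7.55.
forward_to() {
  url=$1
  hdrs=$(mktemp)
  forward_safe_headers > "$hdrs"
  token=$(id_token_for "$url")
  curl -s -H @"$hdrs" -H "Authorization: Bearer $token" "$url"
  rm -f "$hdrs"
}

# Usage on a real instance: sample_headers | forward_to https://downstream-xyz-uc.a.run.app
```

Running `sample_headers | forward_safe_headers` offline shows which headers survive the filter; `forward_to` itself needs the Cloud Run metadata server and is not exercised here.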

Before you begin

We recommend that you enable IAP directly on Cloud Run.

If you choose to enable IAP for Cloud Run resources in IAP rather than directly on Cloud Run, you must have the following:

IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.

Enabling IAP from a backend service or load balancer

Note: We recommend that you enable IAP directly on Cloud Run, as described in the Cloud Run documentation.

If you must enable IAP on a backend service or load balancer instead, use the following instructions.

Console

The Google-managed OAuth client is not available if you enable IAP using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with IAP.
  3. Under APPLICATIONS, select the checkbox next to the load balancer backend service to which you want to add members.
  4. On the right side panel, click Add Principal.
  5. In the Add Principal dialog, enter the accounts of groups or individuals who should have the IAP-secured Web App User role for the project. The following kinds of accounts can be members:

    • Google Account: user@gmail.com. This can also be a Google Workspace account, such as user@google.com or some other Workspace domain.
    • Google Group: admins@googlegroups.com
    • Service account: server@example.iam.gserviceaccount.com
    • Google Workspace domain: example.com
  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.

  7. Click Save.

Turning on IAP

  1. On the IAP page, under APPLICATIONS, find the load balancer backend service to which you want to restrict access. To turn on IAP for a resource, click the IAP toggle. To enable IAP:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
  3. Follow the instructions at Access control with IAM to authorize IAP to send traffic to the backend Cloud Run service.

    • Principal: service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com
    • Role: Cloud Run Invoker

    The IAP service account is created when IAP is enabled. If the IAP service account is not in the list of principals, you can create it by running the following gcloud command:

    gcloud beta services identity create --service=iap.googleapis.com --project=PROJECT_ID

gcloud

  1. If you have not previously done so in the project, create the IAP service agent by running the following command. If you previously created the service agent, running the command does not duplicate it.
    gcloud beta services identity create --service=iap.googleapis.com --project=[PROJECT_ID]
  2. Grant the invoker permission to the service account, created in the previous step, by running the following command.
    gcloud run services add-iam-policy-binding [SERVICE-NAME] \
      --member='serviceAccount:service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com' \
      --role='roles/run.invoker'
  3. Enable IAP by running either the globally or regionally scoped command, depending on whether your load balancer backend service is global or regional. Use the OAuth client ID and secret from the previous step.

    Global scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled

    Regional scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME --region=REGION_NAME --iap=enabled

    Replace the following:

    • BACKEND_SERVICE_NAME: the name of the backend service.
    • REGION_NAME: the region in which you want to enable IAP.

After you enable IAP, you can use the Google Cloud CLI to manipulate an IAP access policy using the Identity and Access Management role roles/iap.httpsResourceAccessor. See Managing access to IAP-secured resources for more information.
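The three gcloud steps above, together with the ingress restriction from Configuring Cloud Run to limit access (without which the run.app URL bypasses IAP entirely), form one procedure. The script below is an added example, not the page's or Google's own tooling. It derives the IAP service agent from the project number (the agent's address uses the number, not the project ID, which is a common source of the "permission denied" error in Troubleshooting), and supports a DRY_RUN mode that prints each command instead of running it. Assumptions: the placeholders PROJECT_ID, SERVICE_NAME, REGION and BACKEND_SERVICE are yours to fill in, the project number in dry-run mode is a constructed stand-in, and the ingress value internal-and-cloud-load-balancing is the setting that admits only load balancer and internal traffic.

```shell
#!/bin/sh
# Added example (not the documentation's own script): enable IAP on a backend
# service fronting a Cloud Run service and close the run.app side door.
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The IAP service agent is addressed by project NUMBER, not project ID.
iap_service_agent() {
  printf 'service-%s@gcp-sa-iap.iam.gserviceaccount.com\n' "$1"
}

project_number() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo 123456789012   # constructed stand-in for dry runs
  else
    gcloud projects describe "$1" --format='value(projectNumber)'
  fi
}

# enable_iap_for_cloud_run PROJECT_ID SERVICE_NAME REGION BACKEND_SERVICE [global|BACKEND_REGION]
enable_iap_for_cloud_run() {
  project_id=$1; service=$2; region=$3; backend=$4; scope=${5:-global}
  number=$(project_number "$project_id")
  agent=$(iap_service_agent "$number")

  # Step 1: create the IAP service agent (idempotent; safe to repeat).
  run gcloud beta services identity create --service=iap.googleapis.com --project="$project_id"

  # Step 2: allow the agent to invoke the service.
  run gcloud run services add-iam-policy-binding "$service" \
    --region="$region" --project="$project_id" \
    --member="serviceAccount:$agent" --role='roles/run.invoker'

  # Step 3: turn IAP on at the global or regional backend service.
  if [ "$scope" = global ]; then
    run gcloud compute backend-services update "$backend" --global --iap=enabled --project="$project_id"
  else
    run gcloud compute backend-services update "$backend" --region="$scope" --iap=enabled --project="$project_id"
  fi

  # Step 4: stop direct run.app traffic from bypassing IAP (see "Configuring
  # Cloud Run to limit access"); only load balancer and internal traffic remain.
  run gcloud run services update "$service" --region="$region" --project="$project_id" \
    --ingress=internal-and-cloud-load-balancing
}

# Usage: DRY_RUN=1 sh enable-iap.sh to preview, then without DRY_RUN to apply.
# enable_iap_for_cloud_run PROJECT_ID SERVICE_NAME REGION BACKEND_SERVICE global
```

Preview with DRY_RUN=1 first: the printed binding should name service-NUMBER@gcp-sa-iap.iam.gserviceaccount.com with your real project number, and the final update should carry the ingress restriction; if it doesn't, the run.app URL still accepts unauthenticated-by-IAP traffic regardless of the backend service setting.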

Terraform

  1. If you have not previously done so in the project, create the IAP service agent by applying the following resource. If you previously created the service agent, applying it again does not duplicate it.
    resource "google_project_service" "project" {
      project = "your-project-id"
      service = "iap.googleapis.com"
    }
  2. Add the following to grant the roles/run.invoker role to the IAP service agent.

    resource "google_cloud_run_v2_service_iam_member" "iap_invoker" {
      provider = google-beta
      project  = google_cloud_run_v2_service.default.project
      location = google_cloud_run_v2_service.default.location
      name     = google_cloud_run_v2_service.default.name
      role     = "roles/run.invoker"
      member   = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com"
    }

    Replace PROJECT_NUMBER with your project number.

  3. Enable IAP by running either the global or the regional command depending on your load balancer. Use the OAuth client ID and secret from the previous step.

    • Global scope

      resource "google_compute_backend_service" "default" {
        name                  = "tf-test-backend-service-external"
        protocol              = "HTTPS"
        load_balancing_scheme = "EXTERNAL_MANAGED"
        iap {
          enabled              = true
          oauth2_client_id     = "abc"
          oauth2_client_secret = "xyz"
        }
      }

    • Regional scope

      resource "google_compute_region_backend_service" "default" {
        name                  = "tf-test-backend-service-external"
        protocol              = "HTTPS"
        load_balancing_scheme = "EXTERNAL_MANAGED"
        iap {
          enabled              = true
          oauth2_client_id     = "abc"
          oauth2_client_secret = "xyz"
        }
      }

Configuring Cloud Run to limit access

To prevent traffic from routing through a Cloud Run service's default run.app URL, disable the default URL. Otherwise, configure your ingress settings to restrict network ingress for Cloud Run.

Troubleshooting errors

Permission denied accessing Cloud Run

 Your client does not have permission to get URL from this server
  • IAP uses the IAP service account permissions to invoke your Cloud Run service. Be sure that you have granted the Cloud Run Invoker role to the following service account: service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com.

  • If you have granted the Cloud Run Invoker role to the preceding service account and you are still facing this issue, redeploy your Cloud Run service.

Service Agent failure causes set IAM error

Enabling IAP on a new project for the first time can cause the following error:

Setting IAM permissions failed

This is because the Cloud Run Service Agent failed. To resolve the issue, either enable IAP again or set the IAM policy manually.

Can't set up IAP through the gcloud CLI

 The IAP service account is not provisioned

If you are seeing this error, run the following command:

gcloud beta services identity create --service=iap.googleapis.com --project=[PROJECT_ID]

IAP service account doesn't need run.routes.invoke permission

During the IAP with Cloud Run Preview, Cloud Run didn't perform the run.routes.invoke permission check for calls from IAP that use the Cloud Run Invoker role. With General Availability (GA), Cloud Run performs this permission check.

To avoid breaking changes, some customer projects that depended on this behavior during Preview were placed into an allowlist so that the permission wasn't checked. Contact Cloud Run support to remove such projects from the Preview-only allowlist.

What's next

Configure IAP for Cloud Run

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.