Configure IAP for Cloud Run

Preview — Identity-Aware Proxy (IAP) for Cloud Run

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

This page describes how to enable IAP from Cloud Run and secure traffic bound for a Cloud Run service by routing it to IAP for authentication. By enabling IAP from Cloud Run, you can route traffic with a single click from all ingress paths, including default run.app URLs and load balancers.

Known limitations

  • The project must be within an organization.
  • Identities must be from within the same organization.
  • You cannot configure IAP on both the load balancer and the Cloud Run service.
  • Some integrations, such as Pub/Sub, might stop working if IAP is enabled.

Before you begin

Required roles

To get the permissions that you need to enable IAP, ask your administrator to grant you the following IAM roles:

  • Create an IAP-enabled service or update an existing service to enable IAP: Cloud Run Admin (roles/run.admin) on the project
  • Grant access to the IAP-enabled service: IAP Policy Admin (roles/iap.admin) on the project

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable IAP from Cloud Run

We recommend that you enable IAP directly from Cloud Run.

If you use both IAP and Identity and Access Management (IAM) on the same Cloud Run service, note the following conditions:

  • Both the IAP and the IAM checks are performed.

  • The IAP check happens first and accepts or blocks requests based on the IAP configuration.

  • If the request passes the IAP check, IAP uses its own service agent to authenticate to Cloud Run's IAM check. This is why the IAP service agent must hold the Cloud Run Invoker role (roles/run.invoker) on the service; without it, requests that pass IAP are still rejected by the IAM check.

  • Because the IAP check happens first, some services, such as Pub/Sub, might not authenticate correctly to it.

Enable IAP from Cloud Run by using the Google Cloud console, the Google Cloud CLI, or Terraform.

Console

When you enable IAP for Cloud Run, IAP requires permission to invoke your Cloud Run service. If you're enabling IAP using the Google Cloud console, this permission is granted automatically by assigning the Cloud Run Invoker role (roles/run.invoker) to the IAP service agent.

To enable IAP from Cloud Run:

  1. In the Google Cloud console, go to the Cloud Run Services page:

    Go to Cloud Run

  2. If you're configuring and deploying a new service, click Deploy container. If you're configuring and deploying an existing service, click the service, then click Edit and deploy new revision.

  3. If you're configuring a new service, fill out the initial service settings page as needed, then select Require authentication. Select Identity-Aware Proxy (IAP).

  4. If you're configuring and deploying an existing service, click the service and then select Require authentication. Select Identity-Aware Proxy (IAP).

  5. Click Edit policy to create a context-aware access policy:

    • Add one or more principals and, optionally, the access level that each principal is required to satisfy for application access.

    • Click Save.

  6. Click Save.

gcloud

To enable IAP directly from Cloud Run, add the --iap flag when deploying your app and grant invoker permission to the IAP service agent:

  1. Deploy your Cloud Run service using one of the following commands:

    For a new service:

    gcloud beta run deploy SERVICE_NAME \
      --region=REGION \
      --image=IMAGE_URL \
      --no-allow-unauthenticated \
      --iap

    For an existing service:

    gcloud beta run services update SERVICE_NAME \
      --region=REGION \
      --iap

    Replace the following:

    • SERVICE_NAME: the name of your Cloud Run service.
    • REGION: the name of your Cloud Run region. For example, europe-west1.
    • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
  2. Grant invoker permission to the IAP service agent. Without this binding, requests that pass IAP are rejected by Cloud Run's IAM check:

    gcloud run services add-iam-policy-binding SERVICE_NAME \
      --region=REGION \
      --member=serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com \
      --role=roles/run.invoker

    Replace the following:

    • SERVICE_NAME: the name of your Cloud Run service.
    • REGION: the name of your Cloud Run region. For example, europe-west1.
    • PROJECT_NUMBER: your Google Cloud project number (the numeric ID, not the project ID string).
  3. To verify that your service is configured with IAP enabled, run the following command:

    gcloud beta run services describe SERVICE_NAME \
      --region=REGION

    The output should contain the following string:

    IapEnabled: true

You are now routing all traffic bound for the configured Cloud Run service to IAP for authentication before passing it to the container.
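Steps 1 to 3 above as one script, added here as an example; it is not code from the Cloud Run documentation. The three gcloud commands are the ones listed above. The function names, the --project flags, the lookup of the project number with `gcloud projects describe --format='value(projectNumber)'`, and the final check that the describe output reports IAP as enabled are assumptions made for this script.

```shell
#!/bin/sh
# Added example: enable IAP on an existing Cloud Run service, bind the IAP
# service agent as invoker, and verify. Function names and the project-number
# lookup are assumptions; the gcloud commands are the documented ones.
set -eu

# The IAP service agent's address is derived from the project NUMBER, not the ID.
iap_service_agent() {
  printf 'serviceAccount:service-%s@gcp-sa-iap.iam.gserviceaccount.com\n' "$1"
}

# Resolve a project ID to its project number.
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Return 0 when the text of `gcloud beta run services describe` reports IAP
# enabled. Accepts "IapEnabled:true" (the string the page cites) as well as
# "iapEnabled: true".
iap_is_enabled() {
  printf '%s\n' "$1" | grep -qiE 'iapEnabled: *true'
}

# enable_iap PROJECT_ID REGION SERVICE: turn on IAP, bind the invoker role, verify.
enable_iap() {
  project_id=$1; region=$2; service=$3

  # 1. Route the service's traffic through IAP.
  gcloud beta run services update "$service" \
    --project="$project_id" --region="$region" --iap

  # 2. Let the IAP service agent pass Cloud Run's IAM check. Re-running this is
  #    harmless: add-iam-policy-binding merges into the existing policy.
  gcloud run services add-iam-policy-binding "$service" \
    --project="$project_id" --region="$region" \
    --member="$(iap_service_agent "$(project_number "$project_id")")" \
    --role=roles/run.invoker

  # 3. Verify, and fail loudly if IAP is not reported as enabled.
  described=$(gcloud beta run services describe "$service" \
    --project="$project_id" --region="$region")
  if iap_is_enabled "$described"; then
    echo "IAP enabled on $service ($region)"
  else
    echo "IAP is not reported as enabled on $service; check the update step" >&2
    return 1
  fi
}

# Runs only when invoked with arguments:
#   sh enable_iap.sh PROJECT_ID REGION SERVICE
if [ $# -eq 3 ]; then
  enable_iap "$@"
fi
```

The script keeps the invoker binding separate from the deploy so that it can be re-run safely after the "Setting IAM permissions failed" error described under Troubleshooting: the update and the binding are both idempotent, and the final check is what tells you whether the run actually took effect.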

Terraform

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

To enable IAP using Terraform, you must update your service definition and add an IAM policy binding to grant invoker permission to IAP.

  1. Add iap_enabled = true to a google_cloud_run_v2_service resource in your Terraform configuration to enable IAP on the service:

    resource "google_cloud_run_v2_service" "default" {
      provider     = google-beta
      name         = "cloudrun-iap-service"
      location     = "europe-west1"
      ingress      = "INGRESS_TRAFFIC_ALL"
      launch_stage = "BETA"
      iap_enabled  = true

      template {
        containers {
          image = "us-docker.pkg.dev/cloudrun/container/hello"
        }
      }
    }

  2. Add the following to grant the roles/run.invoker role to the IAP service agent:

    resource "google_cloud_run_v2_service_iam_member" "iap_invoker" {
      provider = google-beta
      project  = google_cloud_run_v2_service.default.project
      location = google_cloud_run_v2_service.default.location
      name     = google_cloud_run_v2_service.default.name
      role     = "roles/run.invoker"
      member   = "serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com"
    }

    Replace PROJECT_NUMBER with your project number.

  3. Optional. To read back the current IAM policy of the service, add the following google_cloud_run_v2_service_iam_policy data source to your Terraform configuration:

    data "google_cloud_run_v2_service_iam_policy" "policy" {
      project  = google_cloud_run_v2_service.default.project
      location = google_cloud_run_v2_service.default.location
      name     = google_cloud_run_v2_service.default.name
    }

Disable IAP from Cloud Run

You can disable IAP by using the Google Cloud console or gcloud CLI.

Console

To disable IAP from Cloud Run:

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Click the existing service you want to modify.

  3. Click Security and select Allow public access. Note that this grants the Cloud Run Invoker role to allUsers, so the service becomes reachable without any authentication, not merely without IAP. To remove IAP while keeping IAM authentication, use the gcloud --no-iap flag instead.

  4. Click Save.

gcloud

To disable IAP directly from Cloud Run, add the --no-iap flag when deploying your app:

  1. Deploy your Cloud Run service using either of the following commands:

    For a new service:

    gcloud beta run deploy SERVICE_NAME \
      --region=REGION \
      --image=IMAGE_URL \
      --no-iap

    For an existing service:

    gcloud beta run services update SERVICE_NAME \
      --region=REGION \
      --no-iap

    Replace the following:

    • SERVICE_NAME: the name of your Cloud Run service.
    • REGION: the name of your Cloud Run region.
    • IMAGE_URL: a reference to the container image, for example, us-docker.pkg.dev/cloudrun/container/hello:latest. If you use Artifact Registry, the repository REPO_NAME must already be created. The URL follows the format LOCATION-docker.pkg.dev/PROJECT_ID/REPO_NAME/PATH:TAG.
  2. To verify that your service is no longer configured with IAP enabled, run the following command:

    gcloud beta run services describe SERVICE_NAME \
      --region=REGION

    The output should no longer contain the following string:

    IapEnabled: true

Traffic bound for the configured Cloud Run service is no longer routed to IAP for authentication before reaching the container. Cloud Run's IAM check still applies unless the service allows unauthenticated access.

Manage user or group access

By default, IAP for Cloud Run uses in-organization identities with an email address associated with a user. You can add or remove access to a Cloud Run service by using the Google Cloud console or gcloud CLI.

Console

To add or remove access:

  1. In the Google Cloud console, go to the Cloud Run page:

    Go to Cloud Run

  2. Click the existing service you want to modify, and then click Security.

  3. Under IAP, click Edit policy.

  4. To add access, enter the principal and, optionally, the access level or levels that you want to add.

  5. To remove access from an existing principal, click the Delete policy icon next to Access levels.

  6. Click Save.

gcloud

To add or remove access to a Cloud Run service for individual users or groups within your organization, run one of the following commands:

  • To add access:

    gcloud beta iap web add-iam-policy-binding \
      --member=user:USER_EMAIL \
      --role=roles/iap.httpsResourceAccessor \
      --region=REGION \
      --resource-type=cloud-run \
      --service=SERVICE_NAME

  • To remove access:

    gcloud beta iap web remove-iam-policy-binding \
      --member=user:USER_EMAIL \
      --role=roles/iap.httpsResourceAccessor \
      --region=REGION \
      --resource-type=cloud-run \
      --service=SERVICE_NAME

  • To view access:

    gcloud beta iap web get-iam-policy \
      --region=REGION \
      --resource-type=cloud-run \
      --service=SERVICE_NAME

Replace the following:

  • USER_EMAIL: the user's email address. To grant or revoke access for a group instead, use --member=group:GROUP_EMAIL.
  • REGION: the name of your Cloud Run region.
  • SERVICE_NAME: the name of your Cloud Run service.
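The get-iam-policy command above returns the raw policy; what a practitioner usually wants next is a check that nobody outside the organization holds roles/iap.httpsResourceAccessor, since IAP for Cloud Run only admits in-organization identities (see Known limitations). The following script is an added example and not part of the Cloud Run documentation: it parses the YAML that `gcloud beta iap web get-iam-policy` prints and flags accessor principals that are not users or groups in the expected domain. The function names and the sample policy are constructed for the example; the YAML layout it assumes (a bindings list whose entries carry members, then role) is the standard IAM policy shape.

```shell
#!/bin/sh
# Added example: audit who can reach an IAP-protected Cloud Run service.
# Input is an IAM policy in the YAML form that `gcloud ... get-iam-policy`
# prints. Function names and the sample policy are assumptions; the YAML
# layout assumed is the standard IAM policy shape (bindings -> members, role).
set -eu

# Turn an IAM policy in YAML form (on stdin) into "member role" lines.
policy_bindings() {
  awk '
    /^- members:/ { n = 0; next }                                 # new binding
    /^  - /       { sub(/^  - /, ""); members[n++] = $0; next }   # one member
    /^  role: /   { for (i = 0; i < n; i++) print members[i], $2; n = 0 }
  '
}

# audit_accessors DOMAIN POLICY_YAML
# Prints each accessor outside DOMAIN (one per line); returns 1 if any exist.
# Only user: and group: principals in DOMAIN are accepted. Anything else
# (allUsers, allAuthenticatedUsers, domain:, external users, service
# accounts, lookalike or sub-domains) is flagged for review, because IAP for
# Cloud Run only admits in-organization identities and such grants are either
# ineffective or an accidental over-grant.
audit_accessors() {
  domain=$1
  pairs=$(printf '%s\n' "$2" | policy_bindings)
  flagged=""
  while read -r member role; do
    [ "$role" = "roles/iap.httpsResourceAccessor" ] || continue
    case "$member" in
      user:*@"$domain"|group:*@"$domain") ;;   # in-organization user or group
      *) flagged="$flagged $member" ;;
    esac
  done <<EOF
$pairs
EOF
  for m in $flagged; do echo "$m"; done
  if [ -n "$flagged" ]; then return 1; fi
  return 0
}

# Constructed sample policy (not real gcloud output): one clean in-org user
# and group, plus two accessor grants that should be questioned.
SAMPLE_POLICY='bindings:
- members:
  - user:alice@example.com
  - group:app-users@example.com
  - user:mallory@gmail.com
  - serviceAccount:ci@my-project.iam.gserviceaccount.com
  role: roles/iap.httpsResourceAccessor
- members:
  - user:admin@example.com
  role: roles/iap.admin
etag: BwXyz
version: 1'

# Live use against a real service:
#   audit_accessors example.com "$(gcloud beta iap web get-iam-policy \
#     --region=REGION --resource-type=cloud-run --service=SERVICE_NAME)"
```

Run it from a scheduled job and treat a non-zero exit as a finding. The domain match is deliberately strict: a member such as user:bob@evil.example.com does not match the pattern for example.com and is flagged.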

Troubleshooting

Service agent failure causes set IAM error

Enabling IAP on a new project for the first time can cause the following error:

Setting IAM permissions failed

This happens when the Cloud Run service agent fails to grant the IAP service agent the Cloud Run Invoker role automatically. To resolve the issue, either enable IAP again or set the IAM policy manually by granting roles/run.invoker to service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com on the service, as shown in the gcloud steps above.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.