Secure a generative AI app by using IAP
This tutorial shows you how to deploy a generative AI app to Cloud Run and secure it with Identity-Aware Proxy (IAP). IAP provides a central authorization layer for HTTPS applications deployed to Cloud Run. You can use IAP to adopt application-level or organization-level access control policies instead of using network-level firewalls.
Note that while it's also possible to use manual or third-party authentication to secure an app deployed to Cloud Run, we recommend using IAP for large volumes or multi-region traffic, to avoid disruptions in the app serving.
In this tutorial, you deploy an app that makes calls to the Gemini API. The app is based on the Streamlit framework.
Prerequisites
This tutorial assumes that you're able to use the following tools and frameworks:
Streamlit: Streamlit is an open source app framework that lets you create and deploy data applications. It transforms data scripts into web apps by using Python.
Git: For this tutorial, you use a Git repository to manage the source code of your app. For more information about using Git, see the Git documentation.
Google Cloud services
You must have a basic understanding of the following Google Cloud services:
Generative AI on Vertex AI: Provides access to Google's LLMs so you can test, tune, and deploy them for use in your applications. Learn more about Generative AI on Vertex AI.
Cloud Run: A managed compute platform that lets you deploy and run container images. You create a Cloud Run service to deploy your app. Learn more about Cloud Run.
Cloud Build: Executes your builds on Google Cloud. For this tutorial, you set up an automatic Cloud Build trigger to build and deploy your app to Cloud Run whenever you push your commits to the Git repository. Learn more about Cloud Build.
Cloud Load Balancing: Helps distribute traffic across multiple instances of your app to achieve scalability. You create an Application Load Balancer to distribute the traffic to the app backend instances hosted on Cloud Run. Cloud Load Balancing is also a prerequisite for IAP. Learn more about Cloud Load Balancing.
Identity-Aware Proxy (IAP): You use IAP to create a central authorization layer to secure the app. IAP makes authentication and authorization checks that extend to linked Google Cloud services. IAP also supports and seamlessly integrates with Cloud Load Balancing, making it the most efficient security management option for this tutorial.
To learn more about IAP, see Identity-Aware Proxy overview.
To understand how IAP works with Cloud Run, see the Cloud Run section of How IAP Works.
Valid domain name
Additionally, you must have a valid domain name for provisioning a certificate, which is required to configure the load balancer.
Tutorial pages
This tutorial has the following pages:
Each page assumes that you've already completed the instructions from the previous pages of the tutorial.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.