

Hello friends!
Imagine you’ve built an application, deployed it on Google Cloud Run, and now you want it to be usable only by specific users.
One way to achieve this is to use the Identity-Aware Proxy (IAP). It sits in front of your application and whenever a user tries to use your application, it:
- Authenticates that the user is who they say they are.
- Checks that the user is authorised to use the application.
But until recently, using IAP with Cloud Run required you to deploy a Google Cloud Load Balancer. I demonstrated this in a recent blog series, where I used IAP to force authentication and authorisation of a demo “Video Intelligence” application:
This worked well! But I soon realised my noddy application was costing me $18 per month to run. Sure, nothing for an enterprise, but more than I wanted to pay for a demo application that doesn’t really have any users. So I looked into the cost, and determined that all of the cost was attributable to the load balancer! And so, to save cost, I removed the load balancer, and vowed to come up with an alternative way to authenticate and authorise the user.
How can I authenticate and authorise use of my Cloud Run application, without paying for a load balancer?
Initially my plan was to deploy some auth logic into a sidecar container. But then, deus ex machina, Google announced that you can now run IAP for Cloud Run… without a load balancer!! And with no additional cost!
Another advantage of this direct integration is that it enforces IAP regardless of the URL you use to access your service. With the load-balancer setup, IAP only protected traffic that arrived through the load balancer, so you also had to restrict the service’s ingress to stop callers going straight to the run.app URL. With the direct integration, even if you use the default Internet-facing run.app URL, it STILL goes through IAP!
First, I want to check whether my Video Intelligence application is still working. It’s been a while! I fire up the Console, navigate to Cloud Run, and find my service:
Yep, it’s still there. Note that Authentication is set to: Allow unauthenticated. In other words, this application is publicly accessible and requires no authentication. 😬
Let’s run it…
It starts immediately. Good!
Now click on the Security tab in the Console:
Ah, Cloud Identity is not enabled in this project. Let’s first enable the API. And now we can check the box “Advanced authentication with Identity-Aware Proxy (IAP)”. Then click Save.
If you see an error like “Service account service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com does not exist”, just wait a minute and try again. That account is the IAP service agent; it is provisioned in the background when IAP is first enabled in the project, so it can lag a moment behind the checkbox.
Next, we need to make sure that our user or group is allowed to reach applications through IAP. You do this by granting the IAP-secured Web App User role (roles/iap.httpsResourceAccessor) to the user or group that will access the application, either on the project or on the Cloud Run service itself.
In my case, I have a group called “gcp-developers”, and I’ve granted it the IAP-secured Web App User role on my dev folder. The project that hosts my Cloud Run service sits in this folder.
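Once IAP is enabled and the role is granted, the thing worth checking is the service’s own IAM policy: the “Allow unauthenticated” state above is just an allUsers binding on roles/run.invoker, and IAP only helps if that binding is gone. The script below is an added example (not code from the article) that audits the JSON returned by gcloud run services get-iam-policy. It assumes the standard IAP service agent naming (service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com) and uses a made-up project number and group address in its constructed sample policies. Because it reads only service-level bindings, a role granted higher up (on the folder, as above) will not appear in its output.

```python
"""Audit a Cloud Run service's IAM policy after switching it to IAP.

Added example, not the article's code. Run it against real output with:
    gcloud run services get-iam-policy "$SERVICE_NAME" --region "$REGION" --format=json \
        | python3 audit_iap_policy.py
The sample policies at the bottom are constructed; the project number
123456789012 and the group address are placeholders.
"""
from __future__ import annotations

import json
import sys

INVOKER_ROLE = "roles/run.invoker"
IAP_ACCESSOR_ROLE = "roles/iap.httpsResourceAccessor"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
IAP_AGENT_SUFFIX = "@gcp-sa-iap.iam.gserviceaccount.com"


def members_with_role(policy: dict, role: str) -> set[str]:
    """Collect every member bound to `role` (a role may appear in several bindings)."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def is_iap_service_agent(member: str) -> bool:
    """IAP invokes the service as service-<project number>@gcp-sa-iap.iam.gserviceaccount.com."""
    return member.startswith("serviceAccount:service-") and member.endswith(IAP_AGENT_SUFFIX)


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means the policy looks as expected."""
    findings: list[str] = []
    invokers = members_with_role(policy, INVOKER_ROLE)
    accessors = members_with_role(policy, IAP_ACCESSOR_ROLE)

    # 1. The "Allow unauthenticated" state: anyone on the Internet can invoke the service.
    public_invokers = invokers & PUBLIC_MEMBERS
    if public_invokers:
        findings.append(f"service is public: {sorted(public_invokers)} hold {INVOKER_ROLE}")

    # 2. Once IAP fronts the service, the IAP service agent is the caller that needs
    #    run.invoker; any other invoker deserves a second look.
    for member in sorted(invokers - PUBLIC_MEMBERS):
        if not is_iap_service_agent(member):
            findings.append(f"{member} holds {INVOKER_ROLE}; review whether direct invocation is intended")

    # 3. The IAP allow-list itself must not be open to the world.
    public_accessors = accessors & PUBLIC_MEMBERS
    if public_accessors:
        findings.append(f"IAP allows everyone: {sorted(public_accessors)} hold {IAP_ACCESSOR_ROLE}")

    return findings


# Constructed sample: the service as found in the Console, before enabling IAP.
BEFORE_POLICY = {
    "bindings": [{"role": INVOKER_ROLE, "members": ["allUsers"]}],
}

# Constructed sample: after --no-allow-unauthenticated, IAP enabled, and the group
# granted the IAP-secured Web App User role on the service itself.
AFTER_POLICY = {
    "bindings": [
        {
            "role": INVOKER_ROLE,
            "members": ["serviceAccount:service-123456789012@gcp-sa-iap.iam.gserviceaccount.com"],
        },
        {"role": IAP_ACCESSOR_ROLE, "members": ["group:gcp-developers@example.com"]},
    ],
}


def main() -> int:
    """Read a policy JSON document from stdin and print findings; exit 1 if any."""
    policy = json.load(sys.stdin)
    findings = audit_policy(policy)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        accessors = sorted(members_with_role(policy, IAP_ACCESSOR_ROLE))
        print("no findings; service-level IAP accessors:",
              accessors or "none (role may be granted on the project or folder)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit makes this usable as a post-deploy gate in a build pipeline: the service must not be public, and only IAP should be invoking it directly.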
Okay, now I’ll fire up the Cloud Run service URL from a new Chrome Incognito window:
Hurrah! Rather than launching the application, I’m asked to authenticate! I’ll start by providing a Gmail user that is not a member of my gcp-developers group. After I provide my password, my 2FA kicks in. And after that… I’m not allowed to access the application! So far, so good!
Now I’ll try a user that is a member of my gcp-developers group. AND I’M IN!
Well, that was incredibly easy!
We just need to amend our gcloud command slightly in order to apply IAP when we deploy the Cloud Run service:
# Use the beta command: the --iap flag lives there.
# Comments sit on their own lines, because anything after a trailing backslash
# ends the line continuation and the rest of the command is silently dropped.
gcloud beta run deploy "$SERVICE_NAME" \
  --project=$PROJECT_ID \
  --port=8080 \
  --image="$REGION-docker.pkg.dev/$PROJECT_ID/$REPO/$SERVICE_NAME:$VERSION" \
  --max-instances=1 \
  --no-allow-unauthenticated \
  --iap \
  --region=$REGION \
  --platform=managed \
  --ingress internal-and-cloud-load-balancing \
  --cpu-boost \
  --set-env-vars=PROJECT_ID=$PROJECT_ID,REGION=$REGION,LOG_LEVEL=$LOG_LEVEL
# --no-allow-unauthenticated drops the allUsers invoker binding (no more public access);
# --iap enables the direct IAP integration on the service.
If you’ve been following along with my related articles, now you just need to incorporate this into the cloudbuild.yaml that we built previously. When we run it:
With very little effort we’ve enabled IAP on a Cloud Run service without needing a load balancer! We can limit access to our services to specific users. Neat!
Source Credit: https://medium.com/google-cloud/using-google-identity-aware-proxy-iap-with-cloud-run-without-a-load-balancer-27db89b9ed49?source=rss—-e52cf94d98af—4