While IAP is the recommended authentication mechanism for internal business applications on Cloud Run, Cloud IAM remains essential for managing service-to-service communication.
Historically, Cloud Run's default behavior was to perform an IAM check on every request to a service's HTTPS endpoint, requiring the caller to hold the run.invoker role. That is a strong security baseline, but it got in the way of deliberately public apps: the only way to make a service public was to grant run.invoker to allUsers, which organizations that enforce the Domain Restricted Sharing organization policy cannot do.
You can now disable this IAM "invoker" check by selecting "Allow public access" for your service.
This gives you the flexibility to rely on other security layers instead, such as organization policies, network-level controls (ingress settings, a load balancer with Cloud Armor), or custom authn/authz inside the service. Keep in mind that once the check is off, Cloud Run itself no longer authenticates callers, so those other layers need to be in place before you flip the setting. It also unlocks broader use cases:
“Bilt Rewards leverages the ‘disable IAM’ feature for multiple mission-critical Cloud Run services deployed in multi-regional topologies. By disabling IAM on these instances, we establish a direct, unimpeded path from our edge, while maintaining security using Cloud Armor on the global load balancer. This simplified approach reduces infrastructure complexity and provides a more performant solution while maintaining org-wide security posture through organizational policies.” – Kosta Krauth, CTO Bilt Rewards
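One point the post leaves implicit is what "custom authn/authz" looks like once the invoker check is off and IAP is the layer in front. The following is an added example, not code from Google or from Bilt Rewards: an application-side check that verifies the IAP-signed JWT delivered in the X-Goog-IAP-JWT-Assertion header (issuer https://cloud.google.com/iap, algorithm ES256), rejects requests that lack it, and enforces a hosted-domain allowlist. Signature verification against IAP's published JWK set needs a crypto library and a network fetch, so it is injected as a callable; in production you would wrap google-auth's google.oauth2.id_token.verify_token() there. The project number, region, service name, audience string and allowed domain are assumptions, and the tokens used for the demo are constructed.

```python
"""Added example (not from the Google Cloud post): application-side authn/authz
for a Cloud Run service whose IAM invoker check has been disabled and which is
fronted by IAP. With the invoker check off, Cloud Run no longer authenticates
callers, so the app validates the IAP assertion header itself and fails closed.
"""
import base64
import json
import time
from typing import Callable, Optional

IAP_HEADER = "x-goog-iap-jwt-assertion"
IAP_ISSUER = "https://cloud.google.com/iap"
# Assumed audience; take the real value from the IAP settings of your service.
EXPECTED_AUDIENCE = "/projects/123456789/locations/us-central1/services/internal-app"
ALLOWED_DOMAIN = "example.com"  # assumed Workspace domain allowlist (the "hd" claim)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, signature: bytes = b"constructed") -> str:
    """Build a JWT-shaped string for the demo; the signature is a constructed stand-in."""
    header = {"alg": "ES256", "typ": "JWT", "kid": "constructed-kid"}
    parts = [_b64url_encode(json.dumps(header).encode()),
             _b64url_encode(json.dumps(claims).encode())]
    return ".".join(parts + [_b64url_encode(signature)])


def authorize(headers: dict,
              verify_signature: Callable[[bytes, bytes, str], bool],
              now: Optional[int] = None) -> tuple[int, str]:
    """Return (HTTP status, reason or identity): 401 unauthenticated, 403 not allowed, 200 ok.

    verify_signature(signing_input, signature, kid) must check the ES256 signature
    against IAP's JWK set; the demo injects a constructed stand-in.
    """
    now = int(time.time()) if now is None else now
    token = {k.lower(): v for k, v in headers.items()}.get(IAP_HEADER)
    if not token:
        # No invoker check and no IAP header means the request never went
        # through IAP: fail closed rather than serve it.
        return 401, "missing IAP assertion"
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return 401, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, "malformed token"
    if header.get("alg") != "ES256":
        return 401, "unexpected alg"  # refuse alg=none or an HMAC downgrade
    if not verify_signature(f"{h}.{p}".encode(), sig, header.get("kid", "")):
        return 401, "bad signature"
    if claims.get("iss") != IAP_ISSUER:
        return 401, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return 401, "wrong audience"  # a valid IAP token minted for another backend
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int) or not (iat - 30 <= now < exp):
        return 401, "token expired or not yet valid"
    email = claims.get("email", "")
    # Authorization: only accounts from the allowed Workspace domain get through.
    if claims.get("hd") != ALLOWED_DOMAIN or not email.endswith("@" + ALLOWED_DOMAIN):
        return 403, f"{email or '<no email>'} not in {ALLOWED_DOMAIN}"
    return 200, email


if __name__ == "__main__":
    # Constructed demo: a stand-in verifier that only accepts the demo signature.
    accept_demo = lambda signing_input, sig, kid: sig == b"constructed"
    now = int(time.time())
    good = {"iss": IAP_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": now - 10,
            "exp": now + 300, "email": "alice@example.com", "hd": ALLOWED_DOMAIN}
    print(authorize({"X-Goog-IAP-JWT-Assertion": make_token(good)}, accept_demo, now))
    print(authorize({}, accept_demo, now))
    print(authorize({IAP_HEADER: make_token(dict(good, email="bob@gmail.com", hd=None))},
                    accept_demo, now))
```

The status split matters in practice: 401 covers everything that means "we cannot tell who this is" (no header, bad signature, wrong audience, expired), while 403 is reserved for a verified identity that the service's own policy rejects, which keeps the audit trail honest about which layer refused the request.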
Getting started
Ready to get started? You can easily enable IAP directly on Cloud Run.
Source Credit: https://cloud.google.com/blog/products/serverless/iap-integration-with-cloud-run/
