Cloud Run with IAP

  • Published on 12 May 2023
  • Today, as promised, I'll explore the intricacies of combining Cloud Run with IAP. However, rather than guiding you through the complete setup - which you can find well-documented at cloud.google.com/iap/docs/ena... I'll shift my focus towards a diagrammatic representation of the process. I'll pinpoint and elaborate on five particularly challenging aspects of this setup that arise primarily due to the inclusion of a Load Balancer, which adds a level of complexity not found in a traditional App Engine setup. To wrap up, I'll share my understanding of why incorporating a Load Balancer is crucial as opposed to adhering to the conventional App Engine setup. My hope is that this exploration will not only streamline your setup process but also arm you with the knowledge to build secure and powerful IAP-integrated applications on Cloud Run.
    00:57 - Table of Contents
    02:04 - The steps involved to enable IAP on Cloud Run
    04:28 - Explaining it in a diagram
    08:41 - Troubleshooting
    09:11 - Cloud Armor whitelisting
    10:50 - Authorized redirect URIs
    12:04 - Cloud Run Ingress rules
    12:59 - Cloud Run Invoker grant to the Google SA
    14:06 - Grant IAP Web App User role at project level
    15:01 - Demo
    16:56 - Why it needs a Load Balancer
    20:54 - Summary
  • Science & Technology

Comments • 18

  • @yinliu5471 23 days ago +1

    I like this video, it is the most informational and practical video for the topic IAP. Thanks for sharing

  • @AI0331 20 days ago +1

    This is really an amazing video, especially the troubleshooting part. Very clear 😊 Love it!!

  • @SamirSeth 2 months ago +1

    Simply the best (and only) clear explanation of how this works. Thank you very much.

  • @John845 10 months ago +1

    This is absolutely fantastic! Keep making more videos please! I love the full demonstration of all of these different topics in your videos.

    • @practicalgcp2780 10 months ago

      Glad you found it useful! It’s important that more teams and engineers understand how to make good use of these services without wasting time on the same thing over and over again. Sharing is 🔑

  • @TheKielar 1 year ago +1

    I’m super glad I found your channel on TH-cam. I love your content and the way you are going through examples. Can’t wait for next videos! Cheers!

    • @practicalgcp2780 1 year ago +2

      Thank you for the kind words! Believe it or not, compliments like yours are what kept me going and doing this :) Glad you are able to benefit from my content.

  • @user-cp9vl1tg7s 9 months ago +1

    Thank you for this great video. It added a lot to my understanding of this subject!

  • @anantvardhan1212 3 months ago +1

    Amazing explanation! However, I have a doubt regarding the use of OAuth 2.0 creds in this whole setup. Does the OAuth client ID represent the backend service here, which is delegating authentication to IAP?

    • @practicalgcp2780 3 months ago

      Thank you, and I don't think this was explained well in the video. I did some more reading, and one thing I noticed is that the docs on how to create the backend service of the LB have changed: cloud.google.com/iap/docs/enabling-cloud-run#enabling. As you can see at 15:08 in the video, it used to require the client_id and client_secret to create the backend to enable IAP, but that doesn't seem to be there anymore. The latest docs have a note saying "The ability to authenticate users with a Google-managed OAuth client is available in Preview.". Well, technically if it's in preview it should not update the docs to remove this option, but if it is true then it means by default it will use the Google-managed OAuth client and creating the credentials manually is no longer required.
      I've not tested this out yet, but I think it's worth trying it without using a custom credential and just enabling IAP. I think it makes sense, as creating it manually and then specifying it is a lot of faff since you need to manage the secret rotation etc. yourself.

    • @practicalgcp2780 3 months ago

      And my understanding of the way this works is: when a user comes in, the user will pass the auth header, and the load balancer backend will intercept and use IAP to do the verification to see if the user has permission or not, which is defined in IAM with the user group. Because the IAP SA has been granted the invoker access to the Cloud Run service, the user will be granted access after passing through the IAP validation.
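
The checks behind the flow described in the reply above (ingress restricted to the load balancer, the IAP service agent as invoker, the IAP-secured Web App User grant), as an added example that is not part of the video or the comment thread. It audits JSON exported with gcloud; the project number, group and sample policies are constructed, and the expected ingress value assumes an external load balancer in front of the service.

```python
# Added example: offline audit of the Cloud Run + IAP settings named in the video.
# Inputs are the JSON from `gcloud run services describe`, `gcloud run services
# get-iam-policy` and `gcloud projects get-iam-policy` (all with --format=json).
INGRESS_KEY = "run.googleapis.com/ingress"
WANT_INGRESS = "internal-and-cloud-load-balancing"  # assumption: external LB in front
INVOKER = "roles/run.invoker"
IAP_USER = "roles/iap.httpsResourceAccessor"  # "IAP-secured Web App User"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def members_for(policy, role):
    """Return every member bound to `role` in an IAM policy dict."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}

def audit(service, run_policy, project_policy, project_number):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    ann = service.get("metadata", {}).get("annotations", {})
    ingress = ann.get(INGRESS_KEY, "all")  # Cloud Run defaults to "all"
    if ingress != WANT_INGRESS:
        findings.append(f"ingress={ingress}: expected {WANT_INGRESS}")
    invokers = members_for(run_policy, INVOKER)
    agent = f"serviceAccount:service-{project_number}@gcp-sa-iap.iam.gserviceaccount.com"
    if agent not in invokers:
        findings.append("IAP service agent is missing roles/run.invoker")
    for member in sorted(invokers & PUBLIC):
        findings.append(f"{member} can invoke the service without IAP")
    # Assumption: the role is granted at project level, as in the video's chapter list.
    if not members_for(project_policy, IAP_USER):
        findings.append("nobody holds the IAP-secured Web App User role")
    return findings

# Constructed sample data (not from the video): a misconfigured and a fixed setup.
PROJECT_NUMBER = "123456789012"
AGENT = f"serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-iap.iam.gserviceaccount.com"
BAD = audit({"metadata": {"annotations": {INGRESS_KEY: "all"}}},
            {"bindings": [{"role": INVOKER, "members": ["allUsers"]}]},
            {"bindings": []}, PROJECT_NUMBER)
GOOD = audit({"metadata": {"annotations": {INGRESS_KEY: WANT_INGRESS}}},
             {"bindings": [{"role": INVOKER, "members": [AGENT]}]},
             {"bindings": [{"role": IAP_USER, "members": ["group:team@example.com"]}]},
             PROJECT_NUMBER)

if __name__ == "__main__":
    print("\n".join(BAD) or "ok")
    print("\n".join(GOOD) or "ok")
```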

  • @dineshrupchandani5918 5 months ago +1

    Thanks a lot, Great Video. Can you Please tell me which video recording/editing tool is being used?

    • @practicalgcp2780 5 months ago

      Thank you 🙏 I use Camtasia

  • @practicalgcp2780 1 year ago

    Slides are here: docs.google.com/presentation/d/1Vy8tH70jyzUlGFXu9Cfjl9B9ACrby8mPZ09p9CvPqvo/edit?usp=share_link