Hello,
I recently embarked on a new role that involves developing an API and deploying it to Google Cloud Platform (GCP). The API application has been successfully coded, built, and deployed to Cloud Run. My goal is to ensure the Cloud Run container remains inaccessible directly by clients, with all requests being routed through a publicly exposed API Gateway.
To achieve this, I have initiated the setup for the API Gateway, including drafting the specification (config) and other preparatory steps. I've configured the Cloud Run app to accept all incoming requests (ingress=all) and mandated authentication, aiming to restrict access solely to the API Gateway.
Clients are required to submit an access token when making requests to the API Gateway.
I'm seeking guidance on the appropriate Google Cloud IAM roles and configurations necessary to enable the API Gateway to communicate exclusively with the Cloud Run service. What specific IAM roles, service accounts, or configurations should I implement to facilitate this secure connection between the API Gateway and the Cloud Run service?
Thank you for your assistance.
Hi @Negprof,
Welcome to Google Cloud Community!
Based on this documentation on getting started with API Gateway and Cloud Run:
run.invoker role assigned. If you're going to create a new or custom service account, please make sure to add the run.invoker role to prevent clients from accessing the container directly, as this has the fewest permissions. Please check this documentation on Cloud Run IAM roles for your reference.
Hope this helps.
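The role assignment described in the reply above, as an added example that is not code from this thread or from Google's documentation: a dedicated service account for the gateway holding only roles/run.invoker on the one Cloud Run service, plus a check that nothing else can invoke it. Project, region, service, config and account names are assumptions.

```shell
# Added example, not from the thread: give API Gateway (and only API Gateway) the
# roles/run.invoker permission on a private Cloud Run service. All names are assumptions.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project}"        # assumption
REGION="${REGION:-us-central1}"               # assumption
SERVICE="${SERVICE:-my-api}"                  # Cloud Run service name, assumption
SA_NAME="${SA_NAME:-api-gateway-invoker}"     # dedicated gateway service account, assumption

# IAM member string for a service account in the given project.
invoker_member() {
  printf 'serviceAccount:%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# 1. Create a dedicated service account for the gateway; it holds no roles by default.
create_gateway_sa() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="API Gateway backend invoker"
}

# 2. Grant run.invoker on this one Cloud Run service only (not at project level).
grant_invoker() {
  gcloud run services add-iam-policy-binding "$SERVICE" --region="$REGION" \
    --project="$PROJECT_ID" --role=roles/run.invoker \
    --member="$(invoker_member "$SA_NAME" "$PROJECT_ID")"
}
# 3. Deploy the API config so the gateway authenticates backend calls as that account.
create_api_config() {
  gcloud api-gateway api-configs create my-config --api=my-api --project="$PROJECT_ID" \
    --openapi-spec=openapi.yaml \
    --backend-auth-service-account="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
}
# Fetch the principals that currently hold run.invoker on the service, one per line.
list_invokers() {
  gcloud run services get-iam-policy "$SERVICE" --region="$REGION" --project="$PROJECT_ID" \
    --flatten="bindings[].members" --filter="bindings.role:roles/run.invoker" \
    --format="value(bindings.members)"
}

# Pure check: succeed only if the gateway SA is the sole invoker. Any other principal,
# including allUsers or allAuthenticatedUsers, means clients could bypass the gateway.
only_gateway_can_invoke() {
  expected="$1"; members="$2"; found=0
  for m in $members; do
    [ "$m" = "$expected" ] && { found=1; continue; }
    echo "unexpected run.invoker principal: $m" >&2; return 1
  done
  [ "$found" -eq 1 ]
}
```

Run create_gateway_sa, grant_invoker and create_api_config once, then re-run `only_gateway_can_invoke "$(invoker_member "$SA_NAME" "$PROJECT_ID")" "$(list_invokers)"` from CI to catch an extra binding added later.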