
Configuring IAP (Pre-GA) for Cloud Run with Terraform

Posted at 2025-05-10

Summary

  • IAP for Cloud Run became Pre-GA (Apr 7, 2025)
  • Supported in the Terraform google provider (v6.31.0 or later is required)
    • v6.30.0: cloudrunv2: added iap_enabled field to google_cloud_run_v2_service resource (#22301)
    • v6.31.0: New Resource: google_iap_web_cloud_run_service_iam_member (#22399)

Code

Enable IAP (can be skipped if it is already enabled on the project)

resource "google_project_service" "project" {
  project = "your-project-id"
  service = "iap.googleapis.com"

  disable_on_destroy = false
}

Enable IAP on Cloud Run

Requires google-beta provider v6.30.0 or later

resource "google_cloud_run_v2_service" "default" {
  provider     = google-beta // necessary for IAP
  name         = "default"
  location     = "asia-northeast1"
  launch_stage = "BETA" // IAP is Pre-GA
  iap_enabled  = true   // enable IAP

  template {
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
    }
  }
}

Ref: cloud_run_v2_service#example-usage---cloudrunv2-service-iap

Grant IAP Web permission

  • Requires google provider v6.31.0 or later

resource "google_iap_web_cloud_run_service_iam_member" "member" {
  project                = google_cloud_run_v2_service.default.project
  location               = google_cloud_run_v2_service.default.location
  cloud_run_service_name = google_cloud_run_v2_service.default.name
  role                   = "roles/iap.httpsResourceAccessor"
  member                 = "user:jane@example.com"
}

Ref: iap_web_cloud_run_service_iam

  • To run apply, the identity needs the iap.webTypes.getIamPolicy and
    iap.webTypes.setIamPolicy permissions, for example via the roles/iap.admin role (see IAP managing access)

Grant roles/iap.admin to the service account or user that runs apply

resource "google_project_iam_member" "github_actions" {
  member  = "serviceAccount:xxx@<project>.iam.gserviceaccount.com" # or "user:your@example.com"
  project = "your-project-id"
  role    = "roles/iap.admin"
}

Calling a Cloud Run service behind IAP from a service account

First, specify the service account that will make the call and the Cloud Run endpoint. If you plan to call it from Cloud Scheduler, you can specify a service account different from the one used by Cloud Run, such as scheduler@<project>.iam.gserviceaccount.com.

SERVICE_ACCOUNT="xxx@<project>.iam.gserviceaccount.com"
URL=$(gcloud run services describe default --project "<project>" --region asia-northeast1 --format json | jq -r '.status.url')

Next, create the claim set used to generate the JWT.

cat > claim.json << EOM
{
  "iss": "$SERVICE_ACCOUNT",
  "sub": "$SERVICE_ACCOUNT",
  "aud": "$URL",
  "iat": $(date +%s),
  "exp": $(( $(date +%s) + 3600 ))
}
EOM

Sign the claim and issue the JWT.

gcloud iam service-accounts sign-jwt --iam-account="$SERVICE_ACCOUNT" claim.json output.jwt

Finally, call the endpoint.

curl -X POST -H "Authorization: Bearer $(cat output.jwt)" "$URL"

Note that the audience must be the full path of the endpoint you call, not just $URL. If the audience differs from the path you actually request, IAP returns the error Invalid IAP credentials: Audience specified does not match requested endpoint.

Details
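The four steps above (choose the caller and endpoint, build the claim, sign it, call the endpoint) wrapped into shell functions, as an added example that is not part of the original post. It builds "aud" from the full request URL, path included, and checks the audience against that URL before sending, so the mismatch error quoted above is caught locally instead of at IAP. The function names (build_claim, claim_field, audience_matches, sign_claim, call_endpoint, run_flow), the /tasks/run path and the placeholder service account and URL are this example's own; signing still requires gcloud authenticated as an identity allowed to sign JWTs for the service account, which is an assumption about your environment.

```shell
#!/bin/sh
# Added example: self-signed JWT flow against an IAP-protected Cloud Run
# endpoint. Function names and placeholder values are this example's own;
# gcloud and curl are only used by sign_claim and call_endpoint.

# Build the claim set. $1 = service account email, $2 = full request URL
# (scheme, host and path), $3 = lifetime in seconds (default 3600).
build_claim() {
  sa="$1"; aud="$2"; ttl="${3:-3600}"
  now=$(date +%s)
  printf '{"iss":"%s","sub":"%s","aud":"%s","iat":%s,"exp":%s}\n' \
    "$sa" "$sa" "$aud" "$now" "$((now + ttl))"
}

# Read one field from a claim file written by build_claim.
# $1 = claim file, $2 = field name. Works for string and integer values.
claim_field() {
  sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" "$1"
}

# Succeeds only when "aud" in the claim equals the URL about to be requested;
# a mismatch here is exactly what IAP rejects with
# "Audience specified does not match requested endpoint".
audience_matches() {
  [ "$(claim_field "$1" aud)" = "$2" ]
}

# Sign the claim with the service account's Google-managed key.
# $1 = service account email, $2 = claim file, $3 = output JWT file.
sign_claim() {
  gcloud iam service-accounts sign-jwt --iam-account="$1" "$2" "$3"
}

# Call the endpoint with the signed JWT as a bearer token.
# $1 = full request URL, $2 = JWT file.
call_endpoint() {
  curl -sS -X POST -H "Authorization: Bearer $(cat "$2")" "$1"
}

# End-to-end: $1 = service account email, $2 = full request URL.
run_flow() {
  claim=$(mktemp) && jwt=$(mktemp)
  build_claim "$1" "$2" > "$claim"
  audience_matches "$claim" "$2" || { echo "audience mismatch" >&2; return 1; }
  sign_claim "$1" "$claim" "$jwt" && call_endpoint "$2" "$jwt"
  rc=$?
  rm -f "$claim" "$jwt"
  return $rc
}

# Placeholder values (replace with your own); the host and /tasks/run path
# are made up for this example.
# SERVICE_ACCOUNT="scheduler@<project>.iam.gserviceaccount.com"
# REQUEST_URL="https://default-xxxx.a.run.app/tasks/run"
# run_flow "$SERVICE_ACCOUNT" "$REQUEST_URL"
```

Pass the exact URL you will request, including the path, as the second argument: run_flow refuses to sign when the claim's audience and the request URL differ, which is the failure the error message above reports.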

References
