Thank you for the kind words. Happy to hear the video was helpful!

You're very welcome!

Happy to hear the video was useful to you José!

Thanks!

Use IAP if you have a predefined list of users who are allowed to use the application, for example employees in an organization. Use Identity Platform if you want new users to be able to sign up in the application.

Correct, IAP handles the login user interface and the token exchange. You may choose verify the JWT header in your application code if you want to make sure that no-one has accidentally turned off IAP.

@@TheMomander How can I do that in the code? can you show any example?

@@ferojmahmood9484 Search for "identity aware proxy securing your app with signed headers" and you will find the doc that describes how. (KZbin will mark my comment as spam if I include a link 🙂)

@@TheMomander I found the code. My question is in a simple "Hello World project" where should I implement this code. When this code will be invoked? IF IAP is disabled, who will send JWT token? I am not clear about that flow when the IAP is disabled by someone.

@@ferojmahmood9484 The JWT will be in the HTTP request header *x-goog-iap-jwt-assertion*. If you want to make sure that your fellow admins haven't turned off IAP, you can verify the JWT with a library in your preferred langauge or by calling the URL in the doc I linked to above. If you trust your fellow admins not to turn off IAP, you don't need to do this check.

IAP is great if you know your users ahead of time. So it would work well for a SaaS application if it's a "high-touch" sales process where you sign a contract in a meeting with the customer, get the list of users, and have a few days to add the users to your system. If your SaaS application is self-serve, that is users can sign up themselves without your intervention, you are better off with Firebase Authentication or Cloud Identity Platform. Those tools don't require you add users manually to your backend.

By the way, the Cloud Run + IAP integration has launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

You're very welcome!

We're happy to hear that you found the video useful, Anshuman!

We are happy the video was useful to you! If there are other areas where the docs are hard to digest and a video would help, please let us know!

@@TheMomander Thanks for responding. For some of us (this includes me and my role in my company) would probably avoid to read the full doc about certain topic whenever possible since we intend to find; answers, a (demonstrated) simple use case, and a practical ‘how to do it’ on the gcp console within a short amount of screen time spent possible while most of the time we also tend to skip reading ; the overview, whitepapers, and NEXT session videos. This type of medium duration explainer (with clickable timestamps) convey and addressed what I need perfectly. If I may suggest, having this type of video episode added to the very first page of the corresponding doc (right below the overview section paragraph) would certainly helps others in absorbing the info about the product/solution a lot faster rather than asking the readers to navigate from one page to another which I personally find that I don’t always get my questions or ‘how to’ search easily getting answered 🙂

Thanks for your comment; it made my day.

The Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

When you say that you have "two services", does that mean two different Google Cloud projects? If so, I propose you put both the front-end and back-end in the same project to minimize CORS issues.

Me, too! I can think of lots of use cases.

You can do a trick here. Using IAP with https Load Balancer (LB), and config the LB points to your application that is running on Cloud Run. I have tried and it works.

Hi Niels, this is a great question and we actually answer it in our first episode of #AskGoogleCloud that’s premiering tomorrow March 12th at 10AM PT → goo.gle/3qDQEdy We’ll also have serverless experts who are going to be answering questions in real-time in the live chat. Drop by to ask your questions or say hello!

@@duylexuan1945 Well done! A simplified Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

We'll take this into consideration. I can't make any promises, though!

@@charlieengelke Okay, I can pretty much make a promise. It's being worked on, but it's a fairly long process.

Thanks for the comment! You can use IAP with Cloud Load Balancer, and you can use load balancing with Cloud Run ( cloud.google.com/run/docs/using-gcp-services ). I haven't tried to use those two together, but it seems like it would work. But it's more complicated than just turning IAP on for Cloud Run.

@dSights "Expect" is a bit strong. "Hope for" maybe. We're looking into it.

@dSights Yes. We're putting one together. Production is a long process, so please be patient.

@dSights Coming soon (given that video production takes some time)!

@@CharlesEngelke Hoping to see that demo soon. I've tried to setup the LB with IAP. working fine with App engine. But not with Cloud Run (Getting Forbidden Error). Not sure what is the missing piece

That's great to hear, Baptiste!

Kate, would you mind explaining what you mean by "300 unknowns" on your GMail account? What problem are you trying to solve?

300 third party advertisers apps on Gmail accounts. As a user I have no idea who they are and there are too many of them. Google dealing with this? Protesting! Right of reply is impossible with Google.

You'd run squid on a Compute Engine virtual machine? You can put IAP in front of Compute Engine. Search for the article "Setting up IAP for Compute Engine". But I'm afraid I haven't done this myself because I usually lean on a serverless platform for proxying and caching.