Menu
We plan to build a web client (Angular) for our project. Our Backend will be a lot of google cloud run services. How can we make sure that these services can only be called by this web application? I understand that there are Service Account, which I can use to limit access to Cloud Run services, but how do I do that in a purely JavaScript application and without a logged in user. I just want to authenticate the application not the user. Any advise or samples?
951
asked Oct 18 '25 20:10
TL;DR: The application authentication and authorization level is managed by service account. But putting a service account key file in your Javascript app (and thus viewable by any user in their browser) is useless because your secret becomes public!
With Cloud Run, you have 2 mode: private and public
If public, no security, all the requests go to your Cloud Run service
If private, Google Front End check the identity of the requester and if they have the run.invoker permission. If so, the request pass through, else it's blocked.
For being authenticated, today, you need a service account. If you aren't on Google Cloud Platform (here in the browser of the users for example), you need a service account key file. But, if you put it in your website, it's not secure because anyone can take it and use it outside your website.
So, today, you can't do this: Either your Cloud Run is public, without any check, or private with authentication (and IAM authorization)
But, soon, at least in 2020 I hope, you should be able to put a load balancer in front of Cloud Run and to activate IAP on it. Thus, the users will be authenticated thanks to their Google account authentication cookie (SSO). However, in private mode in your browser, the user will be asked for being authenticated before going to the website. It's not authentication free, it's just authentication not manage by your own.
109
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
