惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Recorded Future
Recorded Future
C
Cyber Attacks, Cyber Crime and Cyber Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
C
CERT Recently Published Vulnerability Notes
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Palo Alto Networks Blog
Google Online Security Blog
Google Online Security Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
WordPress大学
WordPress大学
博客园 - 聂微东
L
LINUX DO - 最新话题
月光博客
月光博客
小众软件
小众软件
T
Troy Hunt's Blog
A
Arctic Wolf
量子位
I
Intezer
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
Schneier on Security
Schneier on Security
Schneier on Security
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园_首页
有赞技术团队
有赞技术团队
N
News and Events Feed by Topic
美团技术团队
The Cloudflare Blog
P
Privacy International News Feed
S
Security Affairs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY
N
News | PayPal Newsroom
Apple Machine Learning Research
Apple Machine Learning Research
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
宝玉的分享
宝玉的分享
Application and Cybersecurity Blog
Application and Cybersecurity Blog
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
雷峰网
雷峰网

Security & Identity

Cloud CISO Perspectives: How AI leverages deep context as the defender’s advantage | Google Cloud Blog Introducing k8s-aibom on GKE for automated AI bills of materials | Google Cloud Blog Contributing to U.K. financial sector resilience as a critical third party | Google Cloud Blog Meet the 33 cybersecurity startups joining the Gemini Startup Forum | Google Cloud Blog Drive proactive security, prioritize risks with Google Threat Intelligence and Wiz ASM | Google Cloud Blog Shift into high gear with agents: Securing the software-defined vehicle | Google Cloud Blog New IDC study: How Mandiant transforms security into a competitive advantage | Google Cloud Blog Google Cloud confirmed to offer a safer choice for EU public sector organizations with Dutch DPIA approval | Google Cloud Blog Cloud CISO Perspectives: How Google Cloud Security uses AI internally | Google Cloud Blog Securing agentic AI: What's new in VPC Service Controls | Google Cloud Blog Verifiable trust in the AI era: What’s new in Confidential Computing | Google Cloud Blog Choice, compliance, and collaboration: Europe’s path to open digital sovereignty | Google Cloud Blog Driving the UK’s next chapter: From AI potential to agentic reality | Google Cloud Blog Google named a Leader in IDC MarketScape SIEM 2026 Vendor Assessment | Google Cloud Blog Cloud CISO Perspectives: The 4 lessons that guided AI Threat Defense | Google Cloud Blog Powering the next era of Confidential AI Detecting and containing AI-powered threats with Google Security Operations agents Cloud CISO Perspectives: How to build an AI-ready security program for the public sector Introducing Google AI Threat Defense to help you outpace the adversary Cloud CISO Perspectives: How Google + Wiz changes multicloud strategy for CISOs Why cloud infrastructure is the foundation for digital health in 2026 Beyond source code: The files AI coding agents trust — and attackers exploit What's new in IAM: Security, governance, and runtime defense Google named a Leader in the 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies Introducing Agent Gateway ISV ecosystem for security and governance Cloud CISO Perspectives: At Next ‘26, why we’re multicloud and multi-AI Next ‘26: Redefining security for the AI era with Google Cloud and Wiz | Google Cloud Blog Introducing Google Cloud Fraud Defense, the next evolution of reCAPTCHA | Google Cloud Blog Next ‘26: Announcing new partner-supported workflows for Google Security Operations | Google Cloud Blog Cloud CISO Perspectives: How CISOs can pursue technical and cultural resilience (Q&A) | Google Cloud Blog Essential AI and cloud security now on by default Securing AI inference on GKE with Model Armor A Leader in Forrester Wave Sovereign Cloud Platform 2026 See beyond the IP and secure URLs with Google Cloud NGFW Cloud CISO Perspectives: RSAC: AI, security, and the workforce of the future How to build AI agents with Google-managed MCP servers Bringing dark web intelligence into the AI era RSAC ’26: Supercharging agentic AI defense with frontline threat intelligence Why context is the missing link in AI data security Welcoming Wiz to Google Cloud: Redefining security for the AI era Cloud CISO Perspectives: New Threat Horizons report highlights current cloud threats Google named a Leader in IDC MarketScape: U.S. SLG Professional Security Services Introducing the Google Cloud recommended security checklist Cloud CISO Perspectives: How Google approaches critical security topics, from fundamentals to AI Sovereignty and European competitiveness: A partnership-led approach to AI growth Cloud CISO Perspectives: New AI threats report: Distillation, experimentation, and integration Delivering a secure, open, and sovereign digital world Introducing Single-tenant Cloud HSM for more data encryption control Cloud CISO Perspectives: 5 top CISO priorities in 2026
IAP integration with Cloud Run
Ruchika Goel, Muthuraj Thangavel · 2026-03-13 · via Security & Identity

Cloud Run provides a powerful and scalable platform for deploying applications. Today, we’re introducing the general availability of two major enhancements to Cloud Run security: direct Identity-Aware Proxy (IAP) integration, and a way to allow public access to Cloud Run services that is compatible with Domain Restricted Sharing (DRS).

Introducing direct IAP on Cloud Run

IAP lets you easily control user access to applications running in Google Cloud. Integrating IAP with Cloud Run previously required you to manually configure application load balancers and other complex network settings. This added operational overhead detracted from Cloud Run's core promise of serverless simplicity.

That changes today! You can now enable IAP directly on Cloud Run in a single click, with no load balancers, and at no added cost. Google Cloud does not charge for IAP (with some exceptions), and it incurs no load balancer costs.

https://storage.googleapis.com/gweb-cloudblog-publish/images/image1_2ixZT56.max-700x700.png

Enable IAP authentication directly on a Cloud Run service

Why this matters:

  • Simplified enablement: Turn on IAP in the UI or with a single flag (--iap) through gcloud,  significantly simplifying deployments and saving valuable time and effort.

  • Enterprise-grade security for all web apps: Use IAP’s authentication and authorization policies based on user or group identities, as well as context-aware factors like IP address, geolocation, and device security status.

  • Support for Workforce Identity Federation: Easily manage access for your employees and partners using your existing identity providers.

  • Simplified Cross-Origin Resource Sharing (CORS): Configure IAP directly on Cloud Run to allow unauthenticated HTTP OPTIONS for CORS requests. This helps satisfy browser preflight checks while ensuring all other requests undergo authentication.

We are already seeing a big uptake in organizations adopting IAP to secure Cloud Run workloads, for example, at L’Oreal.

“L'Oréal relies on Google Cloud's Identity-Aware Proxy (IAP) as a critical layer of security, ensuring that access to every web application we host on Google Cloud is meticulously filtered and controlled. The beauty of IAP lies in its simplicity and effectiveness; it's a self-managed solution that's not only free but also exceptionally straightforward to implement across our diverse application landscape. This ease of deployment, combined with a security posture that surpasses what we could achieve with custom-built solutions, makes IAP an indispensable tool for protecting our digital assets.” - Antoine Castex, Group Data & A.I Architect, L'Oréal

Allow public access when using DRS

https://storage.googleapis.com/gweb-cloudblog-publish/images/image2_7lQZnDe.max-800x800.png

New simplified Cloud Run authentication UI

While IAP is the recommended authentication mechanism for internal business applications on Cloud Run, Cloud IAM remains essential for managing service-to-service communication. 

Historically, Cloud Run's default behavior was to perform an IAM check (run.invoker role) on every request to an HTTPS endpoint. While this provided a strong security baseline, it had the potential to become a bottleneck when the intent was to create public apps, particularly when organizations also enforced the Domain Restricted Sharing policy.

You can now disable this IAM "invoker" check by selecting “Allow Public access” for your applications. 

This gives you flexibility to rely on other security layers like organization policies, network-level controls, or custom authn/authz for your services. It also unlocks broader use cases:

  • Public websites: Host a store locator site on Cloud Run and make it accessible to everyone — even if your Org Policy restricts sharing (DRS enabled). You can do this by selecting “Allow Public access” and setting ingress to ‘All’.   
  • Private microservices: For services behind an internal ingress where network-level security is sufficient, you can bypass the IAM check by selecting “Allow Public access”.

“Bilt leverages the 'disable IAM' feature for multiple mission-critical Cloud Run services deployed in multi-regional topologies. By disabling IAM on these instances, we establish a direct, unimpeded path from our edge, while maintaining security using Cloud Armor on the global load balancer. This simplified approach reduces infrastructure complexity and provides a more performant solution while maintaining org-wide security posture through organizational policies.” - Kosta Krauth, CTO Bilt

Getting started

Ready to get started? You can easily enable IAP directly on Cloud Run.

Learn more:

Posted in