Cloud Run Proxy
Cloud Run Proxy is a small proxy to assist in authenticating as an end-user to Google Cloud Run. It leverages Cloud Run's existing Cloud IAM integration to handle access.
By default, users with the Cloud Run Invoker role (
roles/run.invoker) have permission to call services. This is demonstrated multiple times in the Cloud Run documentation:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://my-service.a.run.app/
This works great for stateless API calls, but what if you have a semi-long-running service or a web interface to access via the browser? This is where Cloud Run Proxy can help!
Cloud Run Proxy runs a localhost proxy that behaves exactly as if you're calling the URL directly, except that it adds your local user's authentication info (from gcloud).
If you're familiar with the Cloud SQL Proxy, it's like that, but for Cloud Run.
Note: you must install and authenticated to the Google Cloud SDK (gcloud) for the proxy to pull your authentication token. You local user must also have Cloud Run Invoker permissions on the target service.
Install the proxy:
go get github.com/sethvargo/cloud-run-proxy
Start the proxy:
cloud-run-proxy -host https://my-service.a.run.app
Point your browser or
Change the local bind address:
cloud-run-proxy -bind "127.0.0.1:1234"
Obligatory security note: do not bind to 0.0.0.0 or your public IP. Anyone on your network would then be able to access your service unauthenticated. Always bind to a loopback.
Override the token (useful if you don't have gcloud installed):
cloud-run-proxy -token "yc..."