Zero-trust authentication with Google Identity-Aware Proxy - Classic IAP and Cloud Run IAP modes
Mode `iap` (Classic IAP):

- Command: `serve --auth-mode iap`
- Header consumed: `X-Goog-IAP-JWT-Assertion` (JWT token)

Mode `iap-cloud-run` (Cloud Run IAP):

- Command: `serve --auth-mode iap-cloud-run`
- Headers consumed: `X-Goog-Authenticated-User-Email`, `X-Goog-Authenticated-User-ID`
Important: Cloud Run IAP mode trusts Google’s authentication headers directly and does not perform JWT token verification, as the Cloud Run environment guarantees these headers are authentic.
- `X-Goog-IAP-JWT-Assertion`: JWT token (validated cryptographically)
- `X-Goog-Authenticated-User-ID`: user ID (format: `accounts.google.com:123456789`)
- `X-Goog-Authenticated-User-Email`: user email (format: `accounts.google.com:user@domain.com`)

Security Note: Cloud Run IAP mode relies on Google Cloud Run's infrastructure security to ensure these headers are authentic. The application does not perform cryptographic JWT validation.
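The two modes described above differ in where trust is anchored: in `iap` mode the application itself checks the signature, issuer, audience and expiry of `X-Goog-IAP-JWT-Assertion`; in `iap-cloud-run` mode it simply reads `X-Goog-Authenticated-User-Email` and `X-Goog-Authenticated-User-ID`, so the trust rests on every request having reached the service through IAP, a deployment property the code cannot check. The following Go program is an added example written for this page, not the project's own code. It assumes ES256 keys supplied by the caller (a real deployment would use Google's published IAP public keys), a placeholder backend audience, and a constructed `mintAssertion` signer that stands in for Google so the example runs offline; all function names are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // issuer Google places in IAP assertions

// iapClaims is the subset of assertion claims this example checks.
type iapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyIAPAssertion is the Classic IAP (`iap`) path: X-Goog-IAP-JWT-Assertion is verified
// cryptographically before any claim is trusted. keys maps kid -> ES256 public key (assumed input).
func verifyIAPAssertion(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*iapClaims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed assertion")
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok { // pin the algorithm and require a known signing key
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is r||s, 32 bytes each
		return nil, fmt.Errorf("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify")
	}
	var c iapClaims // claims are decoded only after the signature holds
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != iapIssuer || c.Aud != expectedAud || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

// identityFromTrustedHeaders is the Cloud Run IAP (`iap-cloud-run`) path: no cryptography,
// the headers are taken as-is and the accounts.google.com: prefix is stripped.
func identityFromTrustedHeaders(h http.Header) (email, id string, err error) {
	email = strings.TrimPrefix(h.Get("X-Goog-Authenticated-User-Email"), "accounts.google.com:")
	id = strings.TrimPrefix(h.Get("X-Goog-Authenticated-User-ID"), "accounts.google.com:")
	if email == "" || id == "" {
		return "", "", fmt.Errorf("request lacks X-Goog-Authenticated-User-* headers")
	}
	return email, id, nil
}

// mintAssertion is a constructed stand-in for Google's signer so the example runs offline.
func mintAssertion(priv *ecdsa.PrivateKey, kid string, c iapClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // JWS wants fixed-width r||s, not ASN.1
	s.FillBytes(sig[32:])
	return signingInput + "." + enc(sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	aud := "/projects/PLACEHOLDER/global/backendServices/PLACEHOLDER" // placeholder backend audience
	tok := mintAssertion(priv, "kid-1", iapClaims{Iss: iapIssuer, Aud: aud, Email: "accounts.google.com:user@domain.com", Exp: time.Now().Unix() + 600})
	fmt.Println(verifyIAPAssertion(tok, aud, map[string]*ecdsa.PublicKey{"kid-1": &priv.PublicKey}, time.Now()))
	h := http.Header{}
	h.Set("X-Goog-Authenticated-User-Email", "accounts.google.com:user@domain.com")
	h.Set("X-Goog-Authenticated-User-ID", "accounts.google.com:123456789")
	fmt.Println(identityFromTrustedHeaders(h))
}
```

`verifyIAPAssertion` refuses an assertion with an unexpected `alg`, an unknown `kid`, a signature that does not verify, the wrong issuer or audience, or an expired `exp`; `identityFromTrustedHeaders` only fails when the headers are absent, which is exactly the difference in security level the comparison table records.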
| Feature | Classic IAP | Cloud Run IAP |
|---|---|---|
| Command | `--auth-mode iap` | `--auth-mode iap-cloud-run` |
| Infrastructure | Load Balancer + Backend | Cloud Run Direct |
| Authentication | JWT Token Validation | Trusted Headers |
| Security Level | High (Cryptographic) | High (Infrastructure) |
| Setup Complexity | High | Low |
| JWT Verification | ✅ Yes | ❌ No (trusts headers) |
| Best For | Multi-service, Complex | Single service, Simple |