Authentication config for cloud run behind IAP


I want to run a Cloud Run service behind an external HTTPS LB and IAP. After setting everything up, I still get a 403 Forbidden when trying to access the Service via the URL pointing to the LB (after IAP login pops up and I sign in). I presume this is because the Cloud Run service Auth configuration is set to 'Require Authentication' and according to Google Documentation it needs to be 'Allow Unauthenticated Invocations'. Unfortunately, according to an Organization policy, this is not possible.

However, I noticed I have another Cloud Run service (in another Organization) with basically the same setup (HTTPS LB and IAP enabled for the service), and here I can access the Service through the IAP even though the Cloud Run Service is set to 'Require Authentication'. So there seems to be a way to have a Cloud Run Service with Authentication AND IAP, but I can't figure out how (or why it works for one service and not for the other one). What could be the reason for that?

1

There is 1 answer

0
JLuxton On

I had a similar setup - Internal application LB protected with identity aware proxy (IAP) in front of our Cloud Run services (backend NEG was correctly configured). My organization required Cloud Run security configuration to be set to “require authorization”.

I was debugging for a couple of days because I was able to hit the URL of the LB, which kicked off the OAuth flow, successfully logged me in, and I could see the IAP cookie header was passed and displayed in the browser request (Developer Tools -> Network -> Request/Response Headers)… but I would still get the “Forbidden” error.

Anyway, for me this was finally solved by an item which was misleadingly listed under "known limitations" in the documentation. Hope this saves other people who run into this some time.

TLDR: Your IAP service account for the project might need to have the Cloud Run Invoker role added.

IAP does not secure the domain that Cloud Run provides for a deployed service. To ensure that only IAP has permission to access the service, use IAM authentication on the Cloud Run service. To allow IAP to access the Cloud Run service, grant the IAP service account service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com the Cloud Run Invoker role. IAP generates an ID token and uses the token to authenticate to Cloud Run using the X-Serverless-Authorization header.
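The following is an added example, not part of the answer above or of any Google tooling: a small audit/patch routine over the service-level IAM policy document that `gcloud run services get-iam-policy SERVICE --format=json` returns. It checks two things the thread turns on: that the IAP service agent (`service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com`) holds `roles/run.invoker`, and that no public principal (`allUsers`, `allAuthenticatedUsers`) holds it, which would let callers bypass IAP entirely by hitting the `run.app` URL. The project number, the sample policy and the finding messages are constructed for illustration.

```python
"""Audit and patch a Cloud Run service IAM policy so that only the IAP
service agent can invoke the service (added example; project number and
sample policy are constructed, not from the original answer)."""
import copy
import json

RUN_INVOKER = "roles/run.invoker"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def iap_service_agent(project_number: str) -> str:
    """IAM member string of the IAP service agent for a project number."""
    return (f"serviceAccount:service-{project_number}"
            "@gcp-sa-iap.iam.gserviceaccount.com")


def invokers(policy: dict) -> set:
    """All members bound to roles/run.invoker in a service IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == RUN_INVOKER:
            members.update(binding.get("members", []))
    return members


def audit(policy: dict, project_number: str) -> list:
    """Return findings: IAP agent missing invoker, or public invokers present."""
    findings = []
    current = invokers(policy)
    agent = iap_service_agent(project_number)
    if agent not in current:
        # This is the state that produces the 403 after a successful IAP login.
        findings.append(f"{agent} lacks {RUN_INVOKER}: IAP requests will be "
                        "rejected by Cloud Run with 403")
    for member in sorted(current & PUBLIC_MEMBERS):
        findings.append(f"{member} holds {RUN_INVOKER}: the run.app URL is "
                        "invokable without going through IAP")
    return findings


def grant_iap_invoker(policy: dict, project_number: str) -> dict:
    """Return a copy of the policy with the IAP agent added to
    roles/run.invoker. Idempotent: an existing grant is left as is."""
    patched = copy.deepcopy(policy)
    agent = iap_service_agent(project_number)
    for binding in patched.setdefault("bindings", []):
        if binding.get("role") == RUN_INVOKER:
            if agent not in binding.setdefault("members", []):
                binding["members"].append(agent)
            return patched
    patched["bindings"].append({"role": RUN_INVOKER, "members": [agent]})
    return patched


# Constructed sample: an authenticated-only service where a developer has
# invoker rights but the IAP service agent does not (the asker's situation).
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/run.invoker", "members": ["user:dev@example.com"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}""")

PROJECT_NUMBER = "123456789012"  # placeholder, not a real project


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, PROJECT_NUMBER):
        print("FINDING:", finding)
    fixed = grant_iap_invoker(SAMPLE_POLICY, PROJECT_NUMBER)
    print("After patch, findings:", audit(fixed, PROJECT_NUMBER))
    print(json.dumps(fixed, indent=2))
```

The patched document is what you would hand to `gcloud run services set-iam-policy SERVICE POLICY_FILE`; the one-liner equivalent is `gcloud run services add-iam-policy-binding SERVICE --region REGION --member="serviceAccount:service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com" --role="roles/run.invoker"`. Keeping the grant scoped to the single service, rather than at project level, means the IAP agent cannot invoke other Cloud Run services in the project, and leaving `allUsers` out keeps the `Require Authentication` setting the organization policy demands.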