Chapter 6. Service Identity and Authentication
In this chapter, I’ll explore Cloud Identity and Access Management (IAM). This is the platform service that lets you control permissions in your Google Cloud project.
Especially if you are building a more serious application, you’ll want to make sure that every Cloud Run service in your system only has the permissions to do exactly what it needs to do. In information security, this is also known as the principle of least privilege. It helps to reduce the impact of a vulnerability in one part of the system.
You’ll start by learning the concepts, and to put them into practice, I’ll show you how to deploy another demo application. The demo application features two Cloud Run services: a frontend and a backend. The frontend serves public traffic, and the backend can be invoked only by the frontend. To round out the example, I will also demonstrate how to run both services locally.
Cloud IAM Fundamentals
In order to do something useful with your application, you’ll often need to call other Cloud APIs: you’ll want to add a task to Cloud Tasks, upload a file to Cloud Storage, or connect with a Cloud SQL database. The Google Cloud APIs are protected by Cloud IAM, which verifies the identity of the caller and checks if they have permission to call the endpoint.
Roles
Permissions are granular and determine what operations can be performed on a resource. Permissions are usually tied to a specific API endpoint, such as “list all objects in a ...
Get Building Serverless Applications with Google Cloud Run now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.