An App Engine app that is a reverse proxy for a Cloud Run service.
Create an app.yaml file as described in crproxy.go. Then run
gcloud app deploy
Use gcloud's dev_appserver.py or deploy to a separate environment.
Authentication is done by the IAP (Identity-Aware Proxy). It should be restricted to members who need to access the Cloud Run service.
Since IAP does not allow fine-grained access control, this app implements a simple path-based authorization scheme described in auth.go. The ACLs for this scheme are stored in the default Firestore database in the auth collection. Modify the auth mappings when the set of users or URL paths changes.
When a user is added or removed, edit the “auth/users” Firestore document. Adding a user involves adding a new field with the user‘s email address. The value of the field is the user’s role:
The default is “reader”, so users with reader access don't need to be added.
Adding a path involves editing the “auth/paths” Firestore document. The new field‘s name is the path, and the value is the minimum user role that can access the path. The default minimum is “admin”. Use “reader” for paths that only read information, “writer” for paths that change the service’s state, and “admin” for paths that make serious changes.