Cloud Run Services
Repo: iac-access
| Service | Name | Audience |
|---|---|---|
| Admin API | svc-access | Authenticated admin operations |
| Public API | svc-access-public | Magic links, verification, client self-service |
Both services are in europe-west1, behind Cloud Run's internal ingress (no public IP). They receive requests from cf-proxy carrying a GCP identity token issued for the gateway VM's service account (cf-tunnel-gateway@eigenoid-dev.iam.gserviceaccount.com).
IAM requirement
Every Cloud Run service behind this gateway must grant roles/run.invoker to the gateway SA:
# In iac-access or the service's IaC repo
resource "google_cloud_run_v2_service_iam_member" "gateway_invoker" {
project = var.iac_project
location = var.location
name = google_cloud_run_v2_service.my_service.name
role = "roles/run.invoker"
member = "serviceAccount:cf-tunnel-gateway@${var.iac_project}.iam.gserviceaccount.com"
}
Related pages
- Authentication flow — how cf-proxy obtains the GCP identity token
- Adding a new API — full checklist for new services