Let me explain how to restrict access to a Cloud Run service to your internal Google Workspace users only. It's useful because we do not have to implement any login feature in our server code. I used this for our internal admin tool to shut out external users.
Before you start, you need to set up a load balancer for your Cloud Run service and create an OAuth consent screen. Please check my article if you have not set up a load balancer yet, and see Configure the OAuth consent screen to create your OAuth consent screen.
Go to the Identity-Aware Proxy settings page. You should see the load balancers you have. Turn on IAP for the load balancer that is connected to your target Cloud Run service.
Next, check the checkbox of the target load balancer. A side panel should show up on the right-hand side. Click the ADD PRINCIPAL button.
Then add the accounts that you want to allow access to your Cloud Run service and set IAP-secured Web App User as the role. Click SAVE.
You should now see an IAP-secured Web App User section in the Role / Principal list at the bottom of the right panel.
Lastly, make sure that your Cloud Run service requires authentication to access, so that it cannot be reached directly by its run.app URL, bypassing the load balancer and IAP.
That's it! Now your Cloud Run service rejects access from anyone other than users with your Google Workspace accounts. The steps are pretty simple, but adding the principal / role is the step that is easy to forget.
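The same steps can be scripted with gcloud, which makes it easier to review who has access and to repeat the setup for another service. The script below is an added example, not from the original post; every project, region, service, backend-service, domain and OAuth client value is a placeholder you must replace. One step it adds that the console walkthrough does not mention: once the Cloud Run service requires authentication, the IAP service agent (service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com) needs roles/run.invoker on it, otherwise IAP itself can no longer reach the service. The add_principal step also refuses any principal that is not in your Workspace domain, which guards against the easy mistake of whitelisting an external account.

```shell
#!/bin/sh
# Added example (not the original post's content): gcloud equivalents of the
# console steps. All values below are placeholders; override them via env vars.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"                       # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"             # placeholder
REGION="${REGION:-asia-northeast1}"                          # placeholder
SERVICE="${SERVICE:-admin-tool}"                             # placeholder Cloud Run service
BACKEND_SERVICE="${BACKEND_SERVICE:-admin-tool-backend}"     # placeholder LB backend service that fronts it
WORKSPACE_DOMAIN="${WORKSPACE_DOMAIN:-example.com}"          # placeholder Google Workspace domain
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-REPLACE_ME}"             # OAuth client created with the consent screen
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-REPLACE_ME}"
GCLOUD="${GCLOUD:-gcloud}"                                   # set GCLOUD=echo for a dry run

# Only principals from our own Workspace domain are acceptable:
# the whole domain, or a user/group address in that domain.
is_internal_member() {
  case "$1" in
    domain:"$WORKSPACE_DOMAIN") return 0 ;;
    user:*@"$WORKSPACE_DOMAIN"|group:*@"$WORKSPACE_DOMAIN") return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: turn IAP on for the backend service behind the load balancer.
enable_iap() {
  "$GCLOUD" iap web enable --resource-type=backend-services --service="$BACKEND_SERVICE" \
    --oauth2-client-id="$OAUTH_CLIENT_ID" --oauth2-client-secret="$OAUTH_CLIENT_SECRET" \
    --project="$PROJECT_ID"
}

# Step 2: grant "IAP-secured Web App User" (roles/iap.httpsResourceAccessor)
# to one principal, refusing anything outside the Workspace domain.
add_principal() {
  if ! is_internal_member "$1"; then
    echo "refusing to add non-Workspace principal: $1" >&2
    return 1
  fi
  "$GCLOUD" iap web add-iam-policy-binding --resource-type=backend-services \
    --service="$BACKEND_SERVICE" --member="$1" --role=roles/iap.httpsResourceAccessor \
    --project="$PROJECT_ID"
}

# Step 3: make the Cloud Run service require authentication by removing the
# public allUsers invoker binding, then let the IAP service agent invoke it
# (assumed required for IAP in front of Cloud Run; not in the original post).
require_auth() {
  "$GCLOUD" run services remove-iam-policy-binding "$SERVICE" --region="$REGION" \
    --member=allUsers --role=roles/run.invoker --project="$PROJECT_ID"
}
allow_iap_invoker() {
  "$GCLOUD" run services add-iam-policy-binding "$SERVICE" --region="$REGION" \
    --member="serviceAccount:service-${PROJECT_NUMBER}@gcp-sa-iap.iam.gserviceaccount.com" \
    --role=roles/run.invoker --project="$PROJECT_ID"
}

# Check: who can currently reach the app through IAP.
list_principals() {
  "$GCLOUD" iap web get-iam-policy --resource-type=backend-services \
    --service="$BACKEND_SERVICE" --project="$PROJECT_ID"
}

# Usage: sh iap-restrict.sh apply user:alice@example.com [group:admins@example.com ...]
if [ "${1:-}" = "apply" ]; then
  shift
  enable_iap
  for member in "$@"; do add_principal "$member"; done
  require_auth
  allow_iap_invoker
  list_principals
fi
```

Run it with GCLOUD=echo first to see exactly which commands it would issue; once the output looks right, run it for real and compare list_principals against the Role / Principal list in the console.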