The first is a service that hosts a webpage (UI) that runs on the client browser.
The second is a service that hosts APIs currently running on Python.
The webpage invokes the API endpoints.
I want to implement IAP authentication on both services, so that we can expose both of them securely.
Basically we want to authenticate the user when he opens the webpage, then use the IAP token to make the necessary API calls to the other Cloud Run service that hosts the APIs.
Are there any guidelines for this kind of implementation?
For your scenario, the most direct approach is to enable IAP on both your UI and API Cloud Run services. Ensure that both services are accessible under the same domain or subdomain to allow the browser to automatically handle the IAP cookie for API calls. If you face cross-domain issues, consider setting up a Load Balancer with IAP in front of both services.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
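With IAP in front of the Python API service, the API can also verify the signed `x-goog-iap-jwt-assertion` header that IAP attaches to each request, so it never trusts a request that bypassed the proxy. The sketch below is an added example, not code from this thread; the function name, the `verify` injection parameter and the audience value are assumptions, and the real verification path requires the `google-auth` package and network access.

```python
"""Verify the signed IAP header inside the Python API service (added example)."""

IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_JWT_HEADER = "x-goog-iap-jwt-assertion"


class IapAuthError(Exception):
    """The request did not carry a valid IAP assertion."""


def _google_verify(token, audience):
    # Real verification path: needs google-auth and network access to fetch
    # IAP's public keys. Checks signature, expiry and audience.
    from google.auth.transport import requests
    from google.oauth2 import id_token
    return id_token.verify_token(
        token, requests.Request(), audience=audience, certs_url=IAP_CERTS_URL
    )


def authenticate_iap_request(headers, expected_audience, verify=_google_verify):
    """Return (subject, email) for a request that passed through IAP.

    headers: mapping of request headers as the web framework exposes them.
    expected_audience: audience string for this backend, taken from the IAP
        settings (assumption: supplied through configuration).
    verify: hypothetical injection point so the logic can be tested offline.
    """
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(IAP_JWT_HEADER)
    if not token:
        # No assertion: the request did not come through IAP.
        raise IapAuthError("missing IAP assertion header")
    try:
        claims = verify(token, expected_audience)
    except ValueError as exc:  # google-auth signals bad tokens via ValueError
        raise IapAuthError(f"invalid IAP assertion: {exc}") from exc
    if claims.get("iss") != IAP_ISSUER:
        raise IapAuthError("unexpected issuer")
    if not claims.get("sub") or not claims.get("email"):
        raise IapAuthError("assertion lacks identity claims")
    return claims["sub"], claims["email"]
```

Call `authenticate_iap_request(request.headers, audience)` at the start of each API handler (or in middleware) and return 401 when it raises `IapAuthError`.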