API Key Authentication with Google Cloud API Gateway and Cloud Run

Create a Google Cloud Service Account

Our API Gateway is going to handle authenticating and communicating with the backend Cloud Run service, so we need to have a service account to handle that interaction. We could assign that service account the Cloud Run Invoker role at the project level, but I prefer to use more granular permissions and will grant that access only to a specific Cloud Run service we publish later in the tutorial.

---

Console Method

1. Browse to https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts?supportedpurview=project
2. Select the appropriate project
3. Click + CREATE SERVICE ACCOUNT at the top of the page
4. Enter a Service account name, Service account ID, and (optionally) Service account description
   • For this example, I’m using:
     • Service account name: API Gateway Demo Service Account
     • Service account ID: api-gateway-demo-service-accou
     • Service account description: Service account used for API Gateway demo
5. Click Done

Note that, as mentioned above, I didn’t grant it access to the project at this point.

---

Command Line Method

gcloud iam service-accounts create {{SERVICE_ACCOUNT_NAME}} \
  --description="{{DESCRIPTION}}" \
  --display-name="{{DISPLAY_NAME}}" \
  --project={{PROJECT_ID}}

Where:

• {{SERVICE_ACCOUNT_NAME}}: Name of the service account you’d like to create (e.g. api-gateway-demo-service-accou )
• {{DESCRIPTION}}: Optional description of the service account (e.g. “Service account used for API Gateway demo”)
• {{DISPLAY_NAME}}: Friendly descriptive name of the service account (e.g. “API Gateway Demo Service Account”)
• {{PROJECT_ID}} = Name of the Google Cloud project you’re using for the tutorial (e.g. api-gateway-key-auth-demo

---