Restrict access to your Live Translate deployment so only authorized Google accounts can use it. IAP intercepts requests and redirects users to Google Sign-In — only authorized users can access the app.
```text
User → Cloud Run URL → Google Sign-In → IAP check → App (if authorized)
                                                      ↓
                                              403 Forbidden (if not)
```
Note: IAP locks down the entire app, including the attendee watch page. Every user (organizers and attendees) needs a Google account with access.
If your Google Cloud project is a standalone developer/personal project (i.e., not inside a Google Cloud Organization), enabling IAP via CLI or console will fail with:
"Empty Google Account OAuth client ID(s)/secret(s)"
This happens because Google cannot auto-generate a managed OAuth client ID without a configured OAuth Consent Screen (a "brand"). You must set this up once manually in the Cloud Console:
- Go to the Google Cloud Console OAuth Consent Screen.
- Select External (Internal is only available for Organization projects) and click Create.
- Fill in the required fields:
  - App name: Live Translate (or any name you choose)
  - User support email: Your email address
  - Developer contact information: Your email address
- Click Save and Continue (you don't need to add scopes or test users for this simple setup).
- Once the consent screen is created, go to the Cloud Run Console.
- Click on your `live-translate` service, go to the Security tab, and toggle Identity-Aware Proxy (IAP) off and then back on. This forces Google Cloud to automatically provision the managed OAuth client using your newly configured consent screen!
```bash
gcloud run deploy live-translate \
  --source . \
  --region us-central1 \
  --no-allow-unauthenticated \
  --iap \
  --min-instances 0 \
  --max-instances 1 \
  --timeout 3600 \
  --no-cpu-throttling \
  --set-secrets "\
GEMINI_API_KEY=gemini-api-key:latest,\
LIVEKIT_API_KEY=livekit-api-key:latest,\
LIVEKIT_API_SECRET=livekit-api-secret:latest" \
  --set-env-vars "\
LIVEKIT_URL=$LIVEKIT_URL"
```

To enable IAP on an existing deployment:

```bash
gcloud run services update live-translate --region us-central1 --iap
```

When IAP is enabled, users must have the IAP-secured Web App User role (`roles/iap.httpsResourceAccessor`) to gain access. Use `gcloud iap web` to grant this:
A single Google account:

```bash
gcloud iap web add-iam-policy-binding \
  --member="user:alice@gmail.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```

Every account in a domain:

```bash
gcloud iap web add-iam-policy-binding \
  --member="domain:your-company.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```

A Google group:

```bash
gcloud iap web add-iam-policy-binding \
  --member="group:team@your-company.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```

To see who has access to the IAP policy for your service:
```bash
gcloud iap web get-iam-policy \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```

To add a user:

```bash
gcloud iap web add-iam-policy-binding \
  --member="user:newuser@gmail.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```

To remove a user:

```bash
gcloud iap web remove-iam-policy-binding \
  --member="user:olduser@gmail.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --region=us-central1 \
  --resource-type=cloud-run \
  --service=live-translate
```
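The policy that `gcloud iap web get-iam-policy` prints can be reviewed by hand, but the added audit script below (not part of Live Translate; the sample policy, the `your-company.com` allow-list and the deleted-principal entry are constructed) catches the bindings that quietly defeat the sign-in gate: public members, stale entries for deleted accounts, and principals outside the domains you expect. Pipe the `--format=json` output into it.

```python
# Audit an IAP policy as printed by `gcloud iap web get-iam-policy --format=json`.
import json
import sys

IAP_ROLE = "roles/iap.httpsResourceAccessor"
# Either of these on the IAP role makes the sign-in gate meaningless.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape gcloud prints; not a real policy.
SAMPLE_POLICY = {
    "bindings": [{
        "role": IAP_ROLE,
        "members": [
            "user:alice@gmail.com",
            "group:team@your-company.com",
            "domain:your-company.com",
            "deleted:user:bob@your-company.com?uid=123456789012345678901",
            "allAuthenticatedUsers",
        ],
    }],
}


def audit_policy(policy, allowed_domains):
    """Return one finding per member that should not hold the IAP role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ROLE:
            continue  # other roles are not part of the IAP gate
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{member}: opens the app to everyone")
            elif member.startswith("deleted:"):
                findings.append(f"{member}: stale binding for a deleted principal")
            else:
                kind, _, ident = member.partition(":")
                # user:/group:/serviceAccount: carry an email; domain: is bare.
                domain = ident if kind == "domain" else ident.rpartition("@")[2]
                if kind not in ("user", "group", "serviceAccount", "domain"):
                    findings.append(f"{member}: unrecognised member type")
                elif domain not in allowed_domains:
                    findings.append(f"{member}: outside allowed domains")
    return findings


if __name__ == "__main__":
    # Read a real policy from stdin when piped; otherwise audit the sample.
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_policy(policy, {"your-company.com"}):
        print(finding)
```

Run it as `gcloud iap web get-iam-policy ... --format=json | python audit_iap.py` and treat any output line as something to fix or consciously accept.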
- Turn off IAP on the Cloud Run service:

  ```bash
  gcloud run services update live-translate --region us-central1 --no-iap
  ```

- Re-enable public access on the Cloud Run IAM policy:

  ```bash
  gcloud run services add-iam-policy-binding live-translate \
    --region us-central1 \
    --member="allUsers" \
    --role="roles/run.invoker"
  ```