
Access a Cloud Run instance that is Internal Only when doing localhost development


Our deployment target for an application is Cloud Run with an Identity-Aware Proxy in front of it. This app accesses other internal services using service-to-service authentication.

What patterns are available to support localhost development of the Cloud Run app so that it can reach the backing internal service?

Thanks!


Solution

  • There is no out-of-the-box solution.

    In fact, when you set the traffic to "internal", you tell Google Cloud "check if the traffic source comes from my current project's VPCs or from the VPC Service Controls perimeter". A kind of smart firewall rule.

    Because you are not in the project or in the perimeter, your request will be denied. You have no other solution than to make a rebound first in your project (or perimeter) and then call your service. You can use a VM proxy or a Cloud Run service that acts as a proxy. In any case, you need to deploy an additional component in your dev project to make it possible.


    Another solution is to set the service to external for development purposes, which is the easiest and fastest to achieve.


    A last solution is to run all your containers locally in a minikube environment. The problem here is that you won't have IAP in front of your first Cloud Run. You will have to fake the information sent to it as if it were IAP.
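
For the last option, a local stand-in for IAP could look like the following. This is an added example, not part of the original answer: a WSGI middleware that injects the identity headers IAP sets and refuses to load on Cloud Run. The `FAKE_IAP` variable, the class and helper names, and the sample identity are assumptions made for illustration.

```python
import os

# Header names IAP adds to requests it forwards (WSGI environ form).
IAP_EMAIL = "HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"
IAP_USER_ID = "HTTP_X_GOOG_AUTHENTICATED_USER_ID"
IAP_JWT = "HTTP_X_GOOG_IAP_JWT_ASSERTION"


class FakeIAPMiddleware:
    """Local-only stand-in for IAP: injects the identity headers IAP would set."""

    def __init__(self, app, email, user_id, environ=os.environ):
        # Cloud Run sets K_SERVICE in every container; never fake IAP there.
        if environ.get("K_SERVICE"):
            raise RuntimeError("FakeIAPMiddleware must not run on Cloud Run")
        # Require an explicit opt-in (FAKE_IAP is a hypothetical variable name).
        if environ.get("FAKE_IAP") != "1":
            raise RuntimeError("set FAKE_IAP=1 to enable the local IAP stub")
        self.app = app
        self.email = email
        self.user_id = user_id

    def __call__(self, environ, start_response):
        # Overwrite anything the client sent so the app sees one identity.
        environ[IAP_EMAIL] = "accounts.google.com:" + self.email
        environ[IAP_USER_ID] = "accounts.google.com:" + self.user_id
        # No signed assertion exists locally; drop the header so code that
        # verifies the JWT fails loudly instead of accepting a forged value.
        environ.pop(IAP_JWT, None)
        return self.app(environ, start_response)


def whoami_app(environ, start_response):
    """Constructed sample app: echoes the identity it was given."""
    body = environ.get(IAP_EMAIL, "anonymous").encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, extra=None):
    """Drive a WSGI app once with a constructed request and return the body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(extra or {})
    return b"".join(app(environ, lambda status, headers: None))
```

The deployed service should still verify the signed `X-Goog-IAP-JWT-Assertion` header, since the plain identity headers can be set by any caller that reaches the container directly.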