{"slug": "get-started-with-the-claude-apps-gateway-for-google-cloud", "title": "Get started with the Claude apps gateway for Google Cloud", "summary": "Anthropic released the Claude apps gateway, a self-hosted service that centralizes identity, policy, cost, and routing for Claude Code clients on Google Cloud, enabling enterprise governance with per-developer usage attribution and spend caps.", "body_md": "Anthropic's agentic coding tool Claude Code has worked with Google Cloud for a while now. An individual developer could easily point `CLAUDE_CODE_USE_VERTEX=1` at a Google Cloud (GCP) project, grant the role `roles/aiplatform.user`, and inference stays inside your Google Cloud perimeter.\n\nThat flow works great when it’s just you, or a handful of engineers. But rolling it out across an organization forces you to deal with enterprise friction: you have to manage per-developer cloud credentials, push a `managed-settings.json` to every laptop over MDM, and still end up with no verified per-developer usage attribution and no easily enforceable spend caps.\n\nThe Claude apps gateway closes that gap. It is a self-hosted service, shipped with the same `claude` binary, that sits directly between your local Claude Code clients and Google Cloud. This post breaks down exactly why you should run it and what a secure deployment looks like on Google Cloud.\n\n(Note: If you want to jump straight to the code, the full walkthrough lives in the [Claude apps gateway on Google Cloud docs](https://code.claude.com/docs/en/claude-apps-gateway-on-gcp).)\n\nRun the gateway to centralize the governance that developers and platform admins otherwise each carry alone: identity, policy, cost, and routing. Here's what that looks like in practice.\n\n**Identity.** The `/login` request routes through your identity provider (IdP), either Google Workspace or any other OIDC (OpenID Connect) provider, and the gateway swaps the token for a short-lived session. 
No sensitive material such as service-account keys, API keys, or `ANTHROPIC_VERTEX_PROJECT_ID` lands on the developer’s laptop. Onboarding is as simple as adding a user to an IdP group; offboarding is removing them, and their next session refresh fails on the spot.\n\n**Policy.** Your RBAC (role-based access control) rules live once in `gateway.yaml`, resolved per group and enforced server-side. The gateway re-checks `availableModels` on every `/v1/messages` call, so editing local `managed-settings.json` changes nothing — and rule updates reach the whole fleet within the hour.\n\n**Telemetry.** Every `claude_code.token.usage` metric carries the verified email and groups from the session JWT (signed session token), not the spoofable client-set `OTEL_RESOURCE_ATTRIBUTES`. The gateway ships them over OTLP/HTTP to a collector you run — Cloud Monitoring, Grafana, Datadog, whatever you use.\n\n**Spend limits.** Set daily, weekly, or monthly caps per user, group, or org via the admin API; the gateway meters tokens against a Cloud SQL ledger and returns a 429 at the cap. Costs are at list price, so treat them as a runaway-usage guardrail, not a bill reconciliation (committed-use discounts and negotiated rates don't show up).\n\n**Routing.** Calls go out under a single Cloud Run service identity. Set `region: global` for Agent Platform's global endpoint, or add a second `upstreams:` entry to fail over on 5xx/429/timeout in list order. Either way, inference stays in your GCP project — quota, Data Processing Agreement, and billing all unchanged.\n\nA developer's local or deployed `claude` process sends inference traffic to the gateway over HTTPS. The gateway is a stateless container on Cloud Run as shown below.\n\nThe gateway validates its own session bearer — Google Workspace is only contacted at sign-in and token refresh — checks policy, and forwards the request to Agent Platform using the Cloud Run service account. 
Cloud SQL holds device-code sign-in state and the spend ledger; an OTLP collector receives the attributed metrics.\n\nThe full walkthrough, every `gcloud` command and the complete `gateway.yaml` reference, is in the [Claude apps gateway on Google Cloud docs](https://code.claude.com/docs/en/claude-gateway-on-gcp). The short version:\n\n**Step 1: Provision the GCP foundation**\n\nEnable the Agent Platform, Cloud SQL, and Secret Manager APIs; create a `claude-gateway` service account with `roles/aiplatform.user`; stand up a small Cloud SQL Postgres database instance for state. The gateway authenticates to Agent Platform as the Cloud Run service identity — you do `client_id` and `client_secret` for that handshake. Those two values feed the `oidc:` block in the next step. You'll later add the authorized redirect URI once the gateway URL is known.\n\n**Step 2: Configure the gateway**\n\nWrite `gateway.yaml` pointing at your Google Workspace OIDC client, the Postgres connection string, and Agent Platform as the upstream. Store it in Secret Manager, along with the OIDC client secret, the Postgres URL, and a JWT signing key.\n\nThen register `https://<public_url host>/oauth/callback` as an authorized redirect URI on the Google OAuth client — it must match `listen.public_url` exactly:\n\n**Step 3: Deploy to Cloud Run**\n\n`gcloud run deploy` with the service account attached, the Cloud SQL connection on the VPC, and the config mounted from Secret Manager. The container is stateless and scales horizontally behind the Cloud Run load balancer. 
GKE works equally well if that's already your platform, and only the deployment manifest changes.\n\nDevelopers connect over the corporate network; you may front the service with an internal Application Load Balancer — [see Cloud Run private networking](https://cloud.google.com/run/docs/securing/private-networking).\n\nWhether the gateway is public or internal, your developers must be able to reach whatever URL you configure; alternatively, you can rely on the default URL from Cloud Run. The example below uses [https://claude-gateway.example.internal](https://claude-gateway.example.internal).\n\n**Step 4: Onboard a developer**\n\nPush `forceLoginMethod: \"gateway\"` and `forceLoginGatewayUrl` to developer machines via managed settings. This is how `/login` knows where to connect, with no manual URL entry. For an org rollout, that's your MDM channel. For a first trial without MDM, the developer can write the file by hand at `/Library/Application Support/ClaudeCode/managed-settings.json` on macOS (or `/etc/claude-code/managed-settings.json` on Linux) if they have local admin permissions:\n\nAt Claude Code startup, the developer then presses Enter on the pre-filled gateway sign-in screen to confirm the URL. They then confirm the device code on the gateway's verification page in the browser and are redirected to Google Workspace to sign in. After that, the developer completes the device-code flow in the browser against Google Workspace. If setup ends correctly, you will be able to see Cloud Gateway in the terminal view as shown below.\n\nAt this point you should have a better understanding of how to configure and use [Claude apps gateway on Google Cloud](https://code.claude.com/docs/en/claude-apps-gateway-on-gcp). Here are some next steps you may want to consider:\n\n**Full config reference:** every `gateway.yaml` field is in [claude-apps-gateway-config](https://code.claude.com/docs/en/claude-apps-gateway-config). 
Per-IdP setup and the GKE track live in [claude-apps-gateway-deploy](https://code.claude.com/docs/en/claude-apps-gateway-deploy) and [claude-apps-gateway-on-gcp](https://code.claude.com/docs/en/claude-apps-gateway-on-gcp).\n\n**Group-scoped policies:** front the gateway with a groups-capable IdP, set `groups_claim`, and add `match: { groups: [...] }` policies above the catch-all to give different teams different model lists and tool permissions.\n\nFor now, thanks for reading! And if you have any additional questions or feedback, feel free to reach out on socials (Roy Arsan - [LinkedIn](https://www.linkedin.com/in/arsan/), [X](https://x.com/RoyArsan) and Ivan Nardini - [LinkedIn](https://linkedin.com/), [X](https://x.com/))\n\nHappy building!", "url": "https://wpnews.pro/news/get-started-with-the-claude-apps-gateway-for-google-cloud", "canonical_source": "https://cloud.google.com/blog/topics/developers-practitioners/announcing-claude-apps-gateway-for-google-cloud/", "published_at": "2026-07-01 16:00:00+00:00", "updated_at": "2026-07-01 16:07:10.378228+00:00", "lang": "en", "topics": ["ai-tools", "ai-infrastructure", "ai-agents", "developer-tools"], "entities": ["Anthropic", "Claude Code", "Google Cloud", "Cloud Run", "Cloud SQL", "Google Workspace", "Agent Platform", "Secret Manager"], "alternates": {"html": "https://wpnews.pro/news/get-started-with-the-claude-apps-gateway-for-google-cloud", "markdown": "https://wpnews.pro/news/get-started-with-the-claude-apps-gateway-for-google-cloud.md", "text": "https://wpnews.pro/news/get-started-with-the-claude-apps-gateway-for-google-cloud.txt", "jsonld": "https://wpnews.pro/news/get-started-with-the-claude-apps-gateway-for-google-cloud.jsonld"}}