Anthropic's Claude apps gateway replaces the per-developer credential sprawl with a self-hosted service that enforces RBAC, spend caps, and attributed telemetry from a single config file — no service-account keys ever touch a developer's laptop.
Why the old flow broke at org scale
Pointing CLAUDE_CODE_USE_VERTEX=1 at a GCP project works for one engineer. For fifty you're pushing managed-settings.json over MDM, managing per-user cloud IAM, and debugging spend attribution that rests on OTEL_RESOURCE_ATTRIBUTES, an environment variable any developer can edit to relabel their own usage. The gateway closes that gap: it's a stateless Cloud Run container, shipped with the same claude binary, that proxies every /v1/messages call through your own identity, policy, and metering layer; the only per-user state, the spend ledger, lives in Cloud SQL rather than in the container.
What the gateway enforces server-side
Identity routes through any OIDC provider, Google Workspace or your own, and the gateway exchanges the IdP token for a short-lived session JWT signed with its own key. Onboarding is an IdP group add; offboarding is a removal, and the next session refresh fails.
Policy lives in a single gateway.yaml. Role-based access control rules resolve per group and are checked on every request, so editing a local managed-settings.json changes nothing: the decision is made server-side, not on the laptop. Updates reach the whole fleet within the hour.
Telemetry finally carries verifiable identity. Every claude_code.token.usage metric includes the email and groups taken from the session JWT, not from client-set environment variables, so a developer cannot relabel their own usage. The gateway ships the metrics over OTLP/HTTP to your collector, whether that is Cloud Monitoring, Grafana, or whatever else you run.
Spend limits work via an admin API: set daily, weekly, or monthly caps per user, group, or org. The gateway meters tokens against a Cloud SQL ledger and returns HTTP 429 once the cap is reached. Spend is computed at list price, so treat the caps as a runaway-usage guardrail, not a bill reconciliation tool.
Deployment in four steps
Provision the GCP foundation: enable the Agent Platform, Cloud SQL, and Secret Manager APIs; create a claude-gateway service account with roles/aiplatform.user; stand up a small Cloud SQL Postgres instance. No service-account key is created; the gateway authenticates as the Cloud Run service identity.
Configure gateway.yaml with the OIDC client, Postgres connection string, and Agent Platform as the upstream. Store it in Secret Manager alongside the OIDC client secret, the Postgres URL, and a JWT signing key.
Deploy to Cloud Run — gcloud run deploy with the service account attached and the Cloud SQL connection on the VPC. The container scales horizontally. GKE works too; only the deployment manifest changes.
Onboard developers by pushing forceLoginMethod: "gateway" and forceLoginGatewayUrl via MDM or a managed-settings.json file. No manual URL entry. At startup Claude Code shows a pre-filled sign-in screen; the developer confirms, gets redirected to the IdP, and the gateway issues a session token.
The full gcloud commands and config reference live in the Claude apps gateway on Google Cloud docs. For group-scoped policies, set groups_claim and add match: { groups: [...] } policies above the catch-all — different teams get different model lists and tool permissions without touching a single developer machine.
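To make the server-side behaviour concrete, here is an added example (my own illustrative model, not the gateway's code and not from the Google Cloud docs) that ties together the enforcement section above and the group-scoped policy note: first-match resolution of group rules placed above a catch-all, RBAC on the requested model, a per-user daily cap metered in a ledger with 429 once the cap is reached, and metric attributes whose identity comes from the verified session JWT rather than from the client's OTEL_RESOURCE_ATTRIBUTES. The policy shape, the claim names `email` and `groups`, the model names, the list prices, and the ledger interface are all assumptions; the real gateway's gateway.yaml keys and ledger schema are in its docs.

```python
"""Illustrative model of the gateway's server-side checks (added example, not
the Claude apps gateway's own code). Assumed: policy shape, JWT claim names,
model names, list prices, and an in-memory stand-in for the Cloud SQL ledger."""
from collections import defaultdict

# Constructed gateway.yaml-style policy list. Group rules sit above the
# catch-all and the first matching rule wins (assumed semantics).
POLICIES = [
    {"match": {"groups": ["ml-platform"]},
     "models": ["model-large", "model-small"], "daily_cap_usd": 50.0},
    {"match": {"groups": ["engineering"]},
     "models": ["model-small"], "daily_cap_usd": 10.0},
    {"match": {}, "models": [], "daily_cap_usd": 0.0},  # catch-all: no access
]

# Constructed list prices, USD per 1M tokens as (input, output).
LIST_PRICE = {"model-large": (15.0, 75.0), "model-small": (3.0, 15.0)}


def resolve_policy(groups):
    """Return the first policy whose match block the user's groups satisfy.
    An empty match block is the catch-all and matches everyone."""
    for policy in POLICIES:
        wanted = set(policy["match"].get("groups", []))
        if not wanted or wanted & set(groups):
            return policy
    raise LookupError("policy list has no catch-all")


def list_cost_usd(model, input_tokens, output_tokens):
    """Cost at list price; this is the metering basis, not the invoice."""
    price_in, price_out = LIST_PRICE[model]
    return (input_tokens * price_in + output_tokens * price_out) / 1_000_000


def parse_resource_attrs(raw):
    """Parse the OTEL_RESOURCE_ATTRIBUTES wire format ('k=v,k2=v2')."""
    attrs = {}
    for pair in filter(None, raw.split(",")):
        key, _, value = pair.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def telemetry_attrs(session, client_resource_attrs=""):
    """Metric attributes for claude_code.token.usage: identity is taken only
    from the verified session JWT. Client-supplied user.* keys are dropped,
    other client keys (team, host, ...) are kept as informational."""
    attrs = {k: v for k, v in parse_resource_attrs(client_resource_attrs).items()
             if not k.startswith("user.")}
    attrs["user.email"] = session["email"]
    attrs["user.groups"] = ",".join(sorted(session["groups"]))
    return attrs


class Gateway:
    def __init__(self):
        # ledger[(email, day)] -> USD at list price; Cloud SQL in the real service
        self.ledger = defaultdict(float)

    def handle(self, session, day, model, usage, client_resource_attrs=""):
        """session: claims from an already-verified session JWT.
        usage: (input_tokens, output_tokens) as reported by the upstream.
        Returns (http_status, metric_attrs). The cap is checked before the
        call is forwarded, so the request that crosses the cap still completes
        and the overshoot is bounded by one request (assumed behaviour)."""
        policy = resolve_policy(session["groups"])
        attrs = telemetry_attrs(session, client_resource_attrs)
        if model not in policy["models"]:
            return 403, attrs            # RBAC decided server-side, per request
        key = (session["email"], day)
        if self.ledger[key] >= policy["daily_cap_usd"]:
            return 429, attrs            # cap reached: reject before upstream
        self.ledger[key] += list_cost_usd(model, *usage)  # meter after the answer
        attrs["claude_code.token.usage"] = sum(usage)
        return 200, attrs


if __name__ == "__main__":
    gw = Gateway()
    alice = {"email": "alice@example.com", "groups": ["engineering"]}
    spoof = "user.email=ceo@example.com,team=red"   # constructed client env
    print(gw.handle(alice, "2025-01-01", "model-large", (1000, 1000))[0])
    print(gw.handle(alice, "2025-01-01", "model-small", (1_000_000, 500_000), spoof))
```

Two things the paragraphs alone do not show: policy order decides the outcome for a user in several groups (a member of both engineering and ml-platform gets the ml-platform rule because it is listed first), and a cap check that runs before forwarding lets the crossing request finish, which is one reason the caps are a guardrail and not an accounting tool.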
Source: Get started with the Claude apps gateway for Google Cloud
Domain: cloud.google.com