diff --git a/blueprints/serverless/cloud-run-explore/main.tf b/blueprints/serverless/cloud-run-explore/main.tf
index 3bc1fbc67..5471446e9 100644
--- a/blueprints/serverless/cloud-run-explore/main.tf
+++ b/blueprints/serverless/cloud-run-explore/main.tf
@@ -49,7 +49,10 @@ module "cloud_run" {
 }
 }
 iam = {
- "roles/run.invoker" = ["allUsers"]
+ "roles/run.invoker" = (local.gclb_create && var.iap.enabled
+ ? ["serviceAccount:${google_project_service_identity.iap_sa[0].email}"]
+ : ["allUsers"]
+ )
 }
 ingress_settings = var.ingress_settings
 }
@@ -183,3 +186,13 @@ resource "google_iap_web_iam_member" "iap_iam" {
 role = "roles/iap.httpsResourceAccessor"
 member = "user:${var.iap.email}"
 }
+
+# SA service agent for IAP, which invokes CR
+# Note:
+# Once created, this resource cannot be updated or destroyed. These actions are a no-op.
+resource "google_project_service_identity" "iap_sa" {
+ provider = google-beta
+ count = local.gclb_create && var.iap.enabled ? 1 : 0
+ project = module.project.project_id
+ service = "iap.googleapis.com"
+}
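Review bot: The new `roles/run.invoker` expression in the first hunk falls back to `["allUsers"]` whenever `var.iap.enabled` is true but `local.gclb_create` is false, so a deployment that asked for IAP silently ends up publicly invokable instead of failing to plan. The two settings should not be allowed to disagree; a `check` block or a `lifecycle { precondition }` on a resource that always exists, asserting `!var.iap.enabled || local.gclb_create` with an error message stating that IAP requires the load balancer, would turn the misconfiguration into a plan-time error. How `local.gclb_create` is derived is outside this hunk, so where the assertion fits best cannot be judged from here. The `cloud_run` module block starts and ends outside the hunk.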
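Review bot: The header comment on the new `google_project_service_identity.iap_sa` resource in the second hunk notes that it can never be destroyed, but not what that means for this blueprint: turning `var.iap.enabled` off later drops `count` to 0 (a no-op per the note) while the invoker binding in the `cloud_run` module reverts to `allUsers`, so the operator gets a public service with a leftover service agent. Suggest adding `# Disabling IAP later returns the invoker binding to allUsers; the service agent identity itself stays in the project.` to the comment block. Creating the identity presumably also requires `iap.googleapis.com` to be enabled on `module.project` and a configured `google-beta` provider; neither is visible in this diff, so confirm the project module enables the service before the first apply with IAP on.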