--- title: Enabling App and API Protection for Google Cloud Run functions in Python description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Setup App and API Protection on Google Cloud Run functions > Enabling App and API Protection for Google Cloud Run functions in Python --- # Enabling App and API Protection for Google Cloud Run functions in Python {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} {% alert level="info" %} AAP support for Google Cloud Run is in Preview. {% /alert %} ## How it works{% #how-it-works %} The `serverless-init` application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, `serverless-init` then launches your command as a subprocess. To get full instrumentation, ensure you are calling `datadog-init` as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD. ## Compatibility{% #compatibility %} {% alert level="info" %} Google Cloud Run support for App and API Protection serverless is in Preview. {% /alert %} **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows](https://docs.datadoghq.com/actions/workflows.md) to block IPs in your [WAF](https://docs.datadoghq.com/security/application_security/waf-integration.md). ## Get started{% #get-started %} Add the following instructions and arguments to your Dockerfile. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init RUN pip install --target /dd_tracer/python/ ddtrace ENV DD_SERVICE=datadog-demo-run-python ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENTRYPOINT ["/app/datadog-init"] CMD ["/dd_tracer/python/bin/ddtrace-run", "python", "app.py"] ``` ### Explanation{% #explanation %} 1. Copy the Datadog `serverless-init` into your Docker image. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ``` 1. Install the Datadog Python tracer. ```dockerfile RUN pip install --target /dd_tracer/python/ ddtrace ``` If you install the Datadog tracer library directly in your application, as outlined in the [manual tracer instrumentation instructions](https://docs.datadoghq.com/tracing/trace_collection/dd_libraries/python.md?tab=containers#instrument-your-application), omit this step. 1. (Optional) Add Datadog tags. ```dockerfile ENV DD_SERVICE=datadog-demo-run-python ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ``` 1. Change the entrypoint to wrap your application in the Datadog `serverless-init` process. **Note**: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration. ```dockerfile ENTRYPOINT ["/app/datadog-init"] ``` 1. Execute your binary application wrapped in the entrypoint, launched by the Datadog trace library. Adapt this line to your needs. ```dockerfile CMD ["/dd_tracer/python/bin/ddtrace-run", "python", "app.py"] ``` #### Alternative configuration{% #alt-python %} If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init RUN pip install --target /dd_tracer/python/ ddtrace ENV DD_SERVICE=datadog-demo-run-python ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 CMD ["/app/datadog-init", "/dd_tracer/python/bin/ddtrace-run", "python", "app.py"] ``` If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How `serverless-init` works. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init RUN pip install --target /dd_tracer/python/ ddtrace ENV DD_SERVICE=datadog-demo-run-python ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENTRYPOINT ["/app/datadog-init"] CMD ["your_entrypoint.sh", "/dd_tracer/python/bin/ddtrace-run", "python", "app.py"] ``` As long as your command to run is passed as an argument to `datadog-init`, you will receive full instrumentation. ## Further reading{% #further-reading %} - [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works.md) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules.md?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting.md) - [App and API Protection](https://docs.datadoghq.com/security/application_security/threats.md) - [Datadog Security extends compliance and threat protection capabilities for Google Cloud](https://www.datadoghq.com/blog/datadog-security-google-cloud/)