Securing Compute Engine apps and resources with IAP


This page explains how to secure a Compute Engine instance with Identity-Aware Proxy (IAP).

To secure resources not on Google Cloud, see Securing on-premises apps and resources.

Before you begin

To enable IAP for Compute Engine, you need the following:

If you don't have your Compute Engine instance set up already, see Setting up IAP for Compute Engine for a complete walkthrough.

Enabling IAP using the Google Cloud console

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you need to do so. An email address and product name are required for the OAuth consent screen.

  1. Go to the OAuth consent screen.
  2. Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group for which the currently logged in user is a manager or owner.
  3. Enter the Application name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.

Creating OAuth credentials

  1. Go to the Credentials page.
  2. In the Create credentials drop-down, select OAuth client ID.
  3. Under Application type, select Web application.
  4. Add a Name for your OAuth client ID.
  5. Click Create.

    Your OAuth client ID and client secret are generated and displayed on the OAuth client window.

  6. In the OAuth client created dialog, copy the client ID to the clipboard.
  7. Click OK.
  8. Click the name of the client that you just created to reopen it for editing.
  9. In the Authorized redirect URIs field, enter the following string:
    https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID:handleRedirect

    where CLIENT_ID is the OAuth client ID you just copied to the clipboard.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Turning on IAP

  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to, and turn on IAP for it. To turn on IAP for a resource:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, every request that arrives through your load balancer must carry valid login credentials, and only principals that hold the IAP-secured Web App User role on the resource or project are given access. IAP checks only traffic that passes through the load balancer: an instance that can be reached directly, for example on its own external IP address, bypasses IAP entirely, so restrict your firewall rules so that the instances accept traffic only from the load balancer's proxies.

Enabling IAP using Google Cloud SDK

This section describes how to use the gcloud command-line tool to turn on IAP for Compute Engine applications. Using the gcloud command-line tool to turn on IAP for App Engine is not yet supported. Use the App Engine quickstart instead.

Getting Google Cloud CLI

Before you set up your project and IAP, you need an up-to-date version of gcloud CLI. Get gcloud CLI.

Setting up your project

Select the project for which you want to enable IAP and set it up as follows:

  1. Go to the Instance groups page to make sure your instances are in an instance group.
  2. Define backend services.
  3. Set up external or internal load balancing.
  4. Set up an OAuth client:
    1. Go to API > Credentials and select the project for which you want to enable IAP.
    2. Set up your OAuth consent screen:
      1. Go to the OAuth consent screen.
      2. Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group for which the currently logged in user is a manager or owner.
      3. Enter the Application name you want to display.
      4. Add any optional details you'd like.
      5. Click Save.

      To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.

    3. Under Credentials, click Create credentials > OAuth client ID.
    4. Under Application type select Web application, then add a Name.
    5. When you're finished entering details, click Create.
    6. In the OAuth client window that appears, make note of the client ID and client secret.
    7. Select the client again. Add the universal redirect URL to the authorized redirect URIs field in the format of https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID:handleRedirect, where CLIENT_ID is the OAuth client ID.

Enabling IAP

  1. Use the Google Cloud CLI to run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project PROJECT_ID for the project for which you want to enable IAP.
  5. To enable IAP, use the OAuth client ID and secret you created previously and run either the globally or regionally scoped command. The client secret is passed on the command line, so it can end up in your shell history and in process listings; keep it out of shared logs and rotate it if it is exposed.
    • Global scope: gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET.
    • Regional scope: gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET.

After you enable IAP, you can use the gcloud command-line tool to manage the IAP access policy by granting or revoking the IAM role roles/iap.httpsResourceAccessor (the IAP-secured Web App User role) on the backend service. Learn more about managing roles and permissions.
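
The following script is an added example and is not part of the original page or of Google's own tooling. It wraps the enable command from step 5 above and the access-policy management just described in shell functions, maps the principal kinds listed in "Setting up IAP access" to IAM member syntax, and adds the two checks a practitioner would run afterwards: reading back the backend service's IAP setting and confirming that an unauthenticated request to the load balancer is redirected to sign-in rather than served. It assumes a POSIX sh or bash, a gcloud that is already authenticated with the project set, and a GCLOUD environment variable (an assumption made here, not a gcloud feature) that can be pointed at echo to print the commands instead of running them. The backend service name, client ID, secret and URL in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): enable IAP on a backend service,
# grant roles/iap.httpsResourceAccessor, and verify the result with gcloud.
# Assumes gcloud is authenticated and the project is already set
# (gcloud auth login; gcloud config set project PROJECT_ID).
# Set GCLOUD=echo (an assumption of this script, not a gcloud feature) to print
# the commands instead of running them.

gc() { "${GCLOUD:-gcloud}" "$@"; }

# iap_flag CLIENT_ID CLIENT_SECRET -> value for --iap=
# The secret goes on the command line by gcloud's design, so it can land in
# shell history and process listings; read it from a protected file or a secret
# manager rather than typing it, and never paste it into a shared log.
iap_flag() {
  printf 'enabled,oauth2-client-id=%s,oauth2-client-secret=%s' "$1" "$2"
}

# enable_iap BACKEND SCOPE CLIENT_ID CLIENT_SECRET
#   SCOPE is "global" for a global backend service or a region name
#   (for example us-central1) for a regional one.
enable_iap() {
  if [ "$2" = "global" ]; then
    gc compute backend-services update "$1" --global --iap="$(iap_flag "$3" "$4")"
  else
    gc compute backend-services update "$1" --region "$2" --iap="$(iap_flag "$3" "$4")"
  fi
}

# iam_member TYPE ID -> IAM member string for the principal kinds listed above.
# TYPE is one of user, group, serviceAccount, domain; anything else is rejected
# so that a typo cannot silently bind the wrong kind of principal.
iam_member() {
  case "$1" in
    user|group|serviceAccount|domain) printf '%s:%s' "$1" "$2" ;;
    *) printf 'iam_member: unknown principal type "%s"\n' "$1" >&2; return 1 ;;
  esac
}

# grant_iap_access BACKEND TYPE ID
#   Binds roles/iap.httpsResourceAccessor on a global backend service; this is
#   the gcloud equivalent of the console's "Add principal" step.
grant_iap_access() {
  member="$(iam_member "$2" "$3")" || return 1
  gc iap web add-iam-policy-binding \
    --resource-type=backend-services --service="$1" \
    --member="$member" --role=roles/iap.httpsResourceAccessor
}

# check_iap BACKEND SCOPE -> prints True when IAP is enabled on the backend service.
check_iap() {
  if [ "$2" = "global" ]; then
    gc compute backend-services describe "$1" --global --format='value(iap.enabled)'
  else
    gc compute backend-services describe "$1" --region "$2" --format='value(iap.enabled)'
  fi
}

# expect_iap_redirect URL
#   End-to-end check: an unauthenticated request through the load balancer must
#   be redirected to Google sign-in (HTTP 302), not answered by the application.
#   A 200 here means the path is not protected or the request bypassed the LB.
expect_iap_redirect() {
  status="$(curl -s -o /dev/null -w '%{http_code}' "$1")"
  case "$status" in
    302) echo "IAP redirect in place ($status) for $1" ;;
    *) echo "WARNING: got HTTP $status from $1; IAP may not be protecting this path" >&2; return 1 ;;
  esac
}

# Usage (all values are placeholders):
#   enable_iap web-backend global 1234.apps.googleusercontent.com "$CLIENT_SECRET"
#   grant_iap_access web-backend group admins@googlegroups.com
#   check_iap web-backend global
#   expect_iap_redirect https://app.example.com/
```

Run expect_iap_redirect against the load balancer's hostname, not the instance's own address: a direct request to an instance that is reachable outside the load balancer never passes through IAP, and a 200 from that path is the signal that the firewall rules need tightening.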

Next steps