Quickstart for App Engine

This page walks you through deploying a Google App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP). The quickstart includes sample code for an App Engine standard environment webapp that verifies a logged-in user's name. This quickstart uses Cloud Shell to clone and deploy the sample application. You can use this quickstart to enable Cloud IAP for your own App Engine standard or flexible app.

Before you begin

  1. Sign in to your Google account.

    If you don't already have one, sign up for a new account.

  2. Select or create a Cloud Platform project.

  3. Enable billing for your project.

Starting Cloud Shell

  1. Click Activate Google Cloud Shell at the top of the console window.

    A Cloud Shell session opens inside a new frame at the bottom of the console and displays a command-line prompt. It can take a few seconds for the shell session to be initialized.

  2. Enter the following in Cloud Shell to display the project IDs for your projects:
    gcloud projects list
  3. Run the following command to set the default project, where YOUR-PROJECT-ID is the project ID you want to use for this quickstart:
    gcloud config set project YOUR-PROJECT-ID

Getting the sample code

  1. Enter the following command in Cloud Shell to get the sample application:

    git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
  2. Change to the directory that contains the sample code:

    cd python-docs-samples/appengine/standard/users/

Deploying the application

  1. Use gcloud to deploy the application to App Engine:

    gcloud app deploy
  2. The target URL is displayed in the format https://[YOUR-PROJECT-ID].appspot.com. To access your application, navigate to that URL in your web browser.

Enabling Cloud IAP

  1. Go to the Cloud IAP admin page.
  2. If you don't already have an active project, you will be prompted to select the project you want to secure with Cloud IAP. Select the project to which you deployed the sample application.
  3. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:
    1. Go to the OAuth consent screen.
    2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
    3. Enter the Product name you want to display.
    4. Add any optional details you'd like.
    5. Click Save.
    6. Go back to the Cloud IAP admin page.
  4. On the Identity-Aware Proxy page, under Access, click Add to add members to the project. These members will be assigned the IAP access: HTTPS role on the current project, and will be able to access all of the project's Cloud IAP-secured resources.

    Members can be:

    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com
    Add a Google account that you have access to.
  5. In the list of Resources, locate the App Engine app. Under the Published column you should see the URL of the app. Click in the IAP column to toggle Cloud IAP for that resource.
  6. In the Turn on IAP window that appears, list all domains used to access the resource.
    • Verify that the automatically added domain matches the appspot.com domain where you expect to serve your application.
    • Make sure to list non-default App Engine versions like test.app_name.appspot.com if you want to use them to access the app.
  7. Click Turn On to confirm that you want the application to be secured by Cloud IAP. Once enabled, Cloud IAP requires login credentials for all connections to your application, and only accounts with the IAP access: HTTPS role on this project will be given access.

Test Access

  1. Access the app URL from the Google account which you added to IAP. You should have unrestricted access to the app.

  2. Next, use an incognito window in Chrome to access the app. You will be prompted to log in. If you try to access the app with an account that isn't authorized, you'll see a You don't have access message.
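The incognito-window check can also be scripted so that every hostname listed in the Turn on IAP window is tested, not only the default one. The following is an added example, not part of the sample application or of Google's code; it assumes that Cloud IAP redirects signed-out requests to accounts.google.com, and the hostnames in the demo are constructed placeholders.

```python
"""Check that IAP-protected hostnames reject requests that carry no credentials."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: Cloud IAP sends signed-out browsers to Google's sign-in host.
LOGIN_HOSTS = {"accounts.google.com"}


def classify(status, location=None):
    """Map a credential-free response to 'login_required', 'denied', 'open' or 'unknown'."""
    if 300 <= status < 400 and location:
        host = (urlsplit(location).hostname or "").lower()
        # Exact host match, so accounts.google.com.example.test is not accepted.
        return "login_required" if host in LOGIN_HOSTS else "unknown"
    if status in (401, 403):
        return "denied"
    if 200 <= status < 300:
        return "open"  # content served without a login: IAP is not enforcing here
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(url, timeout=10):
    """Send one GET without cookies or tokens and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


def audit(hosts, probe_fn=probe):
    """Return the hostnames that served content without a login."""
    return [h for h in hosts if probe_fn("https://%s/" % h) == "open"]


if __name__ == "__main__":
    # Constructed results for two placeholder hostnames; drop probe_fn to probe live.
    canned = {"https://my-app.example.test/": "login_required",
              "https://test.my-app.example.test/": "open"}
    print(audit(["my-app.example.test", "test.my-app.example.test"], probe_fn=canned.get))
```

An empty list from audit means none of the listed hostnames answered a credential-free request with content; any hostname it returns is reachable without passing through the Cloud IAP login.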
