This page walks you through deploying an App Engine standard or flexible environment application and securing it with Cloud Identity-Aware Proxy (Cloud IAP). The quickstart includes sample code for an App Engine standard environment webapp that verifies a logged-in user's name. This quickstart uses Cloud Shell to clone and deploy the sample application. You can use this quickstart to enable Cloud IAP for your own App Engine standard environment or App Engine flexible environment app.
If you plan to serve resources from a content delivery network (CDN), see the best practices guide for important information.
Before you begin
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
Select or create a GCP project.
Make sure that billing is enabled for your project.
Starting Cloud Shell
Click Activate Cloud Shell at the top of the
A Cloud Shell session opens inside a new frame at the bottom of the console and displays a command-line prompt. It can take a few seconds for the shell session to be initialized.
Enter the following in Cloud Shell to display the project IDs for your
gcloud projects list
Run the following command to set the default project, where
YOUR-PROJECT-IDis the project ID you want to use for this quickstart:
gcloud config set project YOUR-PROJECT-ID
Getting the sample code
Enter the following command in Cloud Shell to get the sample application:
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Change to the directory that contains the sample code:
Deploying the application
gcloudto deploy the application to App Engine:
gcloud app deploy
target url:is displayed in the format
https://YOUR_PROJECT_ID.appspot.com. To access your application, navigate to that URL in your web brower.
Enabling Cloud IAP
Selecting a project
Go to the
Identity-Aware Proxy page.
Go to the Identity-Aware Proxy page
- If you don't already have an active project, you'll be prompted to select the project you want to secure with Cloud IAP. Select the project to which you deployed the sample application.
Configuring the OAuth consent screen
If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. An email address and product name are required for the OAuth consent screen.
Go to the OAuth consent screen.
Configure consent screen
- Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
- Enter the Product name you want to display.
- Add any optional details you'd like.
- Click Save.
To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.
Setting up Cloud IAP access
- Go to the Identity-Aware Proxy page.
Go to the Identity-Aware Proxy page
- On the right side panel, next to Access, click Add.
In the Add members dialog that appears, add the email
addresses of groups or individuals to whom you want to grant the
IAP-secured Web App User role for the project.
Members can be:
- Google Accounts: email@example.com
- Google Groups: firstname.lastname@example.org
- Service accounts: email@example.com
- G Suite domains: example.com
Make sure to add a Google account that you have access to.
- When you're finished adding members, click Add.
Turning on Cloud IAP
- On the Identity-Aware Proxy page, under Resource, find the App Engine app you want to restrict access to. The Published column shows the URL of the app. To turn on Cloud IAP for the app, click Off in the IAP column.
In the Turn on IAP window that appears, list all domains
used to access the resource.
Verify that the automatically added domain matches the
appspot.comdomain where you expect to serve your application.
Make sure to list non-default App Engine versions like
test-dot-app_name.appspot.comif you want to use them to access the app.
- Verify that the automatically added domain matches the
- To confirm that you want the application to be secured by Cloud IAP, click Turn On. After you turn it on, Cloud IAP requires login credentials for all connections to your application, and only accounts with the IAP-secured Web App User role on this project will be given access.
Access the app URL from the Google account that you added to Cloud IAP. You should have unrestricted access to the app.
Next, use an incognito window in Chrome to access the app and sign in when prompted. If you try to access the app with an account that isn't authorized, you'll see a You don't have access message.