Use authorization policies to delegate authorization to IAP and IAM

This page describes how to use authorization policies to designate Identity-Aware Proxy (IAP) as the custom authorization engine in an authorization policy for Application Load Balancers.

To delegate authorization to IAP and Identity and Access Management (IAM), you authorize traffic to a forwarding rule based on IAM or end-user identities for managed load balancers. This lets you enforce IAP-based access control for your backend services.

Before you begin

Create the authorization policy and enable IAP

To create an authorization policy, you create a policy file that defines the target and rules, and then enable IAP on the forwarding rule.

gcloud

  1. Run the following command to prepare a policy.yaml file.

cat << EOF > policy.yaml
action: CUSTOM
description: authz policy with Cloud IAP
name: AUTHZ_POLICY_NAME
customProvider:
  cloudIap: {}
target:
  loadBalancingScheme: EXTERNAL_MANAGED
  resources:
  - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
EOF

  2. Run the following command to enable IAP on a forwarding rule.

gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
  --source=policy.yaml \
  --location=LOCATION \
  --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: The Google Cloud project ID.
  • LOCATION: The region that the resource is located in.
  • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: The name of the authorization policy.

API

  1. Run the following command to prepare a policy.json file.

cat << EOF > policy.json
{
  "name": "AUTHZ_POLICY_NAME",
  "target": {
    "loadBalancingScheme": "INTERNAL_MANAGED",
    "resources": [
      "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
    ]
  },
  "action": "CUSTOM",
  "httpRules": [],
  "customProvider": {
    "cloudIap": {}
  }
}
EOF

  2. Run the following command to create the policy and enable IAP on the forwarding rule.

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @policy.json \
  "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies?authzPolicyId=AUTHZ_POLICY_NAME"

Replace the following:

  • PROJECT_ID: The Google Cloud project ID.
  • LOCATION: The region that the resource is located in.
  • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: The name of the authorization policy.

Apply permissions to resources

You can use the IAP API to apply IAM permissions to individual resources in an IAP-secured project. IAM permissions granted at a certain level apply to all of the levels underneath it. For example, a permission granted at the project level applies to all of the Google Cloud resources in the project.

Following are some example commands for configuring permissions. For more information, see gcloud alpha iap web set-iam-policy.

gcloud

In the example commands, replace POLICY_FILE with the path to a YAML formatted file that contains a valid IAM policy. In an IAM policy, bindings is a list, and each binding holds a list of members and one role. Following is an example YAML file:

bindings:
- members:
  - user:example@example.com
  role: roles/iap.httpsResourceAccessor

Update the permission for who can access the forwarding rule resource

gcloud alpha iap web set-iam-policy POLICY_FILE \
  [--organization=ORGANIZATION | --folder=FOLDER | --project=PROJECT_ID] \
  [--resource-type=RESOURCE_TYPE --service=SERVICE --region=REGION]

Configure permission at the organization level

gcloud alpha iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION

Configure permission at the folder level

gcloud alpha iap web set-iam-policy POLICY_FILE --folder=FOLDER

Configure permission at the project level

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web

Configure permission for all global forwarding rules in a project

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule

Configure permission for all forwarding rules in a project in a region

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --region=REGION

Configure permission for a specific global forwarding rule in a project

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE

Configure permission for a specific forwarding rule in a project in a region

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE --region=REGION

API

Configure permission at the organization level

organizations/ORGANIZATION

Configure permission at the folder level

folders/FOLDER

Configure permission at the project level

projects/PROJECT_ID

Configure permission for all global forwarding rules in a project

projects/PROJECT_ID/forwarding_rule

Configure permission for all forwarding rules in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION

Configure permission for a specific global forwarding rule in a project

projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE

Configure permission for a specific forwarding rule in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE

Set the IAM policy on the resource

Replace RESOURCE_NAME with one of the resource names listed above.

curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @policy.json \
  "https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"

For policy.json, you can create the JSON file by running the following command. Update the values as needed. The setIamPolicy method expects the bindings wrapped in a policy object, and bindings is an array whose members field is itself an array. Note that this file is the IAM policy for the IAP resource, not the authorization policy file of the same name created earlier; use a different file name if both live in the same directory.

cat << EOF > policy.json
{
  "policy": {
    "bindings": [
      {
        "members": ["user:example@example.com"],
        "role": "roles/iap.httpsResourceAccessor"
      }
    ]
  }
}
EOF
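The following is an added helper, not Google's code, that generates the two documents this page describes (the IAP-delegating authorization policy and the setIamPolicy request body) and the IAP resource names from the list above, validating them locally before gcloud or curl sends anything. It assumes the name for all global forwarding rules takes the same iap_web/ form as the other rows, and it rejects allUsers and allAuthenticatedUsers by default, because binding them to roles/iap.httpsResourceAccessor makes the application reachable by anyone.

```python
import json
import re

# Added example, not Google's code: build the policy documents this page
# describes and the IAP resource names it lists, validating them locally
# before gcloud or curl sends anything.
VALID_SCHEMES = {"EXTERNAL_MANAGED", "INTERNAL_MANAGED"}
PRINCIPAL_RE = re.compile(r"^(user|group|serviceAccount|domain):\S+$")
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

def build_authz_policy(name, project, location, forwarding_rule, scheme):
    """Authorization policy that delegates to IAP via customProvider.cloudIap."""
    if scheme not in VALID_SCHEMES:
        raise ValueError(f"unsupported loadBalancingScheme: {scheme}")
    rule = (f"https://www.googleapis.com/compute/v1/projects/{project}"
            f"/regions/{location}/forwardingRules/{forwarding_rule}")
    return {
        "name": name,
        "action": "CUSTOM",
        "customProvider": {"cloudIap": {}},
        "httpRules": [],
        "target": {"loadBalancingScheme": scheme, "resources": [rule]},
    }

def iap_resource_name(project, region=None, service=None):
    """IAP resource name for forwarding rules: global or regional, all or one."""
    scope = "forwarding_rule" + (f"-{region}" if region else "")
    name = f"projects/{project}/iap_web/{scope}"
    return f"{name}/services/{service}" if service else name

def build_iam_policy(members, role="roles/iap.httpsResourceAccessor",
                     allow_public=False):
    """setIamPolicy request body: bindings wrapped in the 'policy' envelope."""
    for member in members:
        if member in PUBLIC:
            if not allow_public:
                raise ValueError(f"{member} would expose the IAP-protected app")
        elif not PRINCIPAL_RE.match(member):
            raise ValueError(f"malformed principal: {member}")
    return {"policy": {"bindings": [{"members": list(members), "role": role}]}}

if __name__ == "__main__":
    # Sample values below are constructed placeholders.
    print(json.dumps(build_authz_policy("my-authz-policy", "my-project",
                                        "us-central1", "my-rule",
                                        "EXTERNAL_MANAGED"), indent=2))
    print(iap_resource_name("my-project", region="us-central1", service="my-rule"))
    print(json.dumps(build_iam_policy(["user:example@example.com"]), indent=2))
```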