This page describes how to use authorization policies to designate Identity-Aware Proxy (IAP) as the custom authorization engine in an authorization policy for Application Load Balancers.
To delegate authorization to IAP and Identity and Access Management (IAM), you authorize traffic to a forwarding rule based on IAM or end-user identities for managed load balancers. This lets you enforce IAP-based access control for your backend services.
Before you begin
- Understand authorization policies concepts.
- Ensure that the backend services of the forwarding rules don't have IAP enabled. If IAP is enabled, you receive an error when submitting your configuration.
- Enable the Network Services API.
Create the authorization policy and enable IAP
To create an authorization policy, you create a policy file that defines the target and rules, and then enable IAP on the forwarding rule.
gcloud
- Run the following command to prepare a
policy.yamlfile.
$ cat << EOF > policy.yaml
action: CUSTOM
description: authz policy with Cloud IAP
name: AUTHZ_POLICY_NAME
customProvider:
cloudIap: {}
target:
loadBalancingScheme: EXTERNAL_MANAGED
resources:
- https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
EOF
- Run the following command to enable IAP on a forwarding rule.
gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \ --source=policy.yaml \ --location=LOCATION \ --project=PROJECT_ID
Replace the following:
- PROJECT_ID: The Google Cloud project ID.
- LOCATION: The region that the resource is located in.
- FORWARDING_RULE_ID: The ID of the forwarding rule resource.
- AUTHZ_POLICY_NAME: The name of the authorization policy.
API
- Run the following command to prepare a
policy.jsonfile.cat << EOF > policy.json { "name": "AUTHZ_POLICY_NAME", "target": { "loadBalancingScheme": "INTERNAL_MANAGED", "resources": [ "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID" ], }, "action": "CUSTOM", "httpRules": [], "customProvider": { "cloudIap": {} } } EOF Run the following command to enable IAP on a forwarding rule.
curl -X PATCH \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d @settings.json \ "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"
Replace the following:
- PROJECT_ID: The Google Cloud project ID.
- LOCATION: The region that the resource is located in.
- FORWARDING_RULE_ID: The ID of the forwarding rule resource.
- AUTHZ_POLICY_NAME: The name of the authorization policy.
Apply permissions to resources
You can use the IAP API to apply IAM permissions to individual resources in an IAP-secured project. IAM permissions granted at a certain level apply to all of the levels underneath it. For example, a permission granted at the project level applies to all of the Google Cloud resources in the project.
Following are some example commands for configuring permissions. For more
information, see gcloud alpha iap web set-iam-policy.
gcloud
In the example commands, replace POLICY_FILE with the path to a YAML formatted file that contains a valid policy. Following is an example YAML file:
policy:
bindings:
members: user:example@example.com
role: roles/iap.httpsResourceAccessor
Update the permission for who can access the forwarding rule resource
gcloud alpha iap web set-iam-policy POLICY_FILE [--organization=ORGANIZATION \ --folder=FOLDER --project=/PROJECT_ID \ --resource-type=RESOURCE_TYPE --service=SERVICE]
Configure permission at the organization level
gcloud alpha iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION
Configure permission at the folder level
gcloud alpha iap web set-iam-policy POLICY_FILE --folder=FOLDER
Configure permission at the project level
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web
Configure permission for all global forwarding rules in a project
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule
Configure permission for all forwarding rules in a project in a region
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \ --resource-type=forwarding_rule --region=REGION
Configure permission for a specific global forwarding rule in a project
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \ --resource-type=forwarding_rule --service=SERVICE
Configure permission for a specific forwarding rule in a project in a region
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \ --resource-type=forwarding_rule --service=SERVICE --region=REGION
API
Configure permission at the organization level
organization/ORGANIZATION
Configure permission at the folder level
folders/FOLDER
Configure permission at the project level
projects/PROJECT_ID
Configure permission for all global forwarding rules in a project
projects/PROJECT_ID/forwarding_rule
Configure permission for all forwarding rules in a project in a region
projects/PROJECT_ID/iap_web/forwarding_rule-REGION
Configure permission for a specific global forwarding rule in a project
projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE
Configure permission for a specific forwarding rule in a project in a region
projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE
Set the authorization policy
curl -X PATCH \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d @policy.json \ "https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"
For policy.json, you can create the JSON file by running the following
command. Update the values as needed.
cat << EOF > policy.json
{
"policy": {
"bindings": {
"members": "user:example@example.com",
"role": "roles/iap.httpsResourceAccessor",
}
}
}
EOF