Authenticate users with Google Accounts
This page walks you through deploying an App Engine standard or flexible environment application and securing it with Identity-Aware Proxy (IAP). The quickstart includes sample code for an App Engine standard environment web app that verifies a logged-in user's name. This quickstart uses Cloud Shell to clone and deploy the sample application. You can use this quickstart to enable IAP for your own App Engine standard environment or App Engine flexible environment app.
If you plan to serve resources from a content delivery network (CDN), see the best practices guide for important information.
When an App Engine application consists of multiple services, you can configure different IAP permissions on each service, including making only some of the services publicly accessible while keeping the others protected.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
Starting Cloud Shell
- Click Activate Cloud Shell at the top of the console window. A Cloud Shell session opens inside a new frame at the bottom of the console and displays a command-line prompt. It can take a few seconds for the shell session to be initialized.
- Enter the following in Cloud Shell to display the project IDs for your projects:
  gcloud projects list
- Run the following command to set the default project, where YOUR-PROJECT-ID is the project ID you want to use for this quickstart:
  gcloud config set project YOUR-PROJECT-ID
Getting the sample code
Enter the following command in Cloud Shell to get the sample application:
git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
Change to the directory that contains the sample code:
cd python-docs-samples/appengine/standard_python3/hello_world/
Deploying the application
- Use gcloud to deploy the application to App Engine:
  gcloud app deploy
- The target url: is displayed in the format https://YOUR_PROJECT_ID.appspot.com. To access your application, navigate to that URL in your web browser.
Enabling IAP
Selecting a project
- Go to the Identity-Aware Proxy page.
- If you don't already have an active project, you'll be prompted to select the project you want to secure with IAP. Select the project to which you deployed the sample application.
Configuring the OAuth consent screen
If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. An email address and product name are required for the OAuth consent screen.
- Go to the OAuth consent screen.
- Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group for which the currently logged in user is a manager or owner.
- Enter the Application name you want to display.
- Add any optional details you'd like.
- Click Save.
To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.
Setting up IAP access
- Go to the Identity-Aware Proxy page.
- Select the resource you wish to modify by checking the box to its left. On the right side panel, click Add Member.
- In the Add members dialog, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web App User role for the project. The following kinds of accounts can be members:
  - Google Account: user@gmail.com
  - Google Group: admins@googlegroups.com
  - Service account: server@example.gserviceaccount.com
  - G Suite domain: example.com
  Make sure to add a Google Account that you have access to.
  To make a resource publicly accessible (while sibling resources are restricted), grant the IAP-secured Web App User role to `allUsers` or `allAuthenticatedUsers`. The difference between these two is explained in the Public access section.
- When you're finished adding members, click Add.
Turning on IAP
- On the Identity-Aware Proxy page, under HTTPS Resources, find the App Engine app you want to restrict access to. The Published column shows the URL of the app. To turn on IAP for the app,
  To enable IAP, you need the appengine.applications.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
- To confirm that you want IAP to secure the application, click Turn On in the Turn on IAP window that appears. After you turn it on, IAP requires login credentials for all connections to your application.
Test user authentication
Access the app URL from a Google account that you added to IAP with the IAP-secured Web App User role as described above. You should have unrestricted access to the app.
Use an incognito window in Chrome to access the app and sign in when prompted. If you try to access the app with an account that isn't authorized with the IAP-secured Web App User role, you'll see a message saying that you don't have access.
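Once IAP is in front of the app, the application learns who signed in from headers that IAP adds to each request it forwards: X-Goog-Authenticated-User-Email and X-Goog-Authenticated-User-ID, both prefixed with the identity namespace accounts.google.com:. The following is an added example, not the page's sample app or code from the python-docs-samples project, of a handler that reads those headers to greet the signed-in user and refuses requests that carry no IAP identity. The function names iap_identity and greet and the sample header dictionaries are constructed for this demonstration.

```python
from typing import Mapping, Optional, Tuple

# Headers that IAP adds to every request it forwards to the backend.
EMAIL_HEADER = "X-Goog-Authenticated-User-Email"
USER_ID_HEADER = "X-Goog-Authenticated-User-ID"
# IAP prefixes both values with the identity namespace, for example
# "accounts.google.com:alice@example.com".
NAMESPACE_PREFIX = "accounts.google.com:"


def iap_identity(headers: Mapping[str, str]) -> Optional[dict]:
    """Extract the IAP-asserted identity from request headers.

    Returns {"email": ..., "user_id": ...} with the namespace prefix removed,
    or None when the request does not carry well-formed IAP identity headers.
    """
    # Header names are case-insensitive; normalise before lookup.
    lookup = {name.lower(): value for name, value in headers.items()}
    email = lookup.get(EMAIL_HEADER.lower(), "")
    user_id = lookup.get(USER_ID_HEADER.lower(), "")
    # Both values must carry the namespace prefix IAP uses.
    if not (email.startswith(NAMESPACE_PREFIX) and user_id.startswith(NAMESPACE_PREFIX)):
        return None
    email = email[len(NAMESPACE_PREFIX):]
    user_id = user_id[len(NAMESPACE_PREFIX):]
    if not email or not user_id:
        return None
    return {"email": email, "user_id": user_id}


def greet(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Handler body: returns (HTTP status, response text) for the signed-in user."""
    identity = iap_identity(headers)
    if identity is None:
        # No IAP identity: the request did not come through IAP, so do not guess a user.
        return 401, "Unauthorized: no IAP-asserted identity on this request"
    return 200, f"Hello, {identity['email']}! (user id {identity['user_id']})"


# Constructed sample headers, shaped the way IAP presents them to the app.
SAMPLE_IAP_HEADERS = {
    "X-Goog-Authenticated-User-Email": "accounts.google.com:alice@example.com",
    "X-Goog-Authenticated-User-ID": "accounts.google.com:123456789012345678901",
}
# Constructed headers for a request that did not pass through IAP.
SAMPLE_DIRECT_HEADERS = {"Host": "example.appspot.com"}

if __name__ == "__main__":
    print(greet(SAMPLE_IAP_HEADERS))
    print(greet(SAMPLE_DIRECT_HEADERS))
```

The handler trusts these headers only because IAP strips any client-supplied copies before forwarding a request, and because, once IAP is turned on, every connection to the App Engine app passes through it. A request without the headers therefore did not come through IAP, and the handler returns 401 rather than inferring a user. For defence in depth, an app can additionally verify the signed JWT that IAP sends in the X-Goog-IAP-JWT-Assertion header; that verification is outside this example.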
What's next
- Learn about Getting the user's identity and develop your own App Engine app.