Quickstart for Google Compute Engine Instances

This page explains how to secure a Google Compute Engine instance with Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

To complete this quickstart, you will need:
  • A Cloud Platform Console project with billing enabled.
  • A group of one or more Compute Engine instances, served by an HTTPS load balancer. Learn about Setting up a Load Balancer.
  • A domain name registered to the address of your load balancer.
  • Application code to verify that all requests have an identity. Learn about Getting the User's Identity.

Enabling Cloud IAP

  1. Go to the Cloud IAP admin page.
    Go to the Cloud IAP admin page
  2. If you don't already have an active project, you will be prompted to select the project you want to secure with Cloud IAP.
  3. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:
    1. Go to the OAuth consent screen.
      Configure consent screen
    2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
    3. Enter the Product name you want to display.
    4. Add any optional details you'd like.
    5. Click Save.
  4. Under Access, click Add to add members to the project. These members will be assigned the IAP access: HTTPS role on the current project, and will be able to access all of the project's Cloud IAP-secured resources.
    Members can be:
    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com
  5. In the list of Resources, locate the load balancer serving the instance group you want to restrict access to. Click in the IAP column to toggle Cloud IAP for that resource.
  6. In the Turn on IAP window that appears, list all domains used to access the resource. Make sure to include the domain registered to the address of your load balancer.
  7. Click Turn On to confirm that you want the resource to be secured by Cloud IAP. Once enabled, Cloud IAP requires login credentials for all connections to your load balancer, and only accounts with the IAP access: HTTPS role on this project will be given access.

If you want to access your app from more URLs later, go to API Manager > Credentials and edit the existing OAuth 2.0 client IDs:

  1. Click Edit OAuth client next to the client to which you want to add a URL.
  2. In the Credentials window that appears, under Authorized redirect URIs, add the URLs in the format of yourURL/_gcp_gatekeeper/authenticate.
  3. When you're finished adding URLs, click Save. You'll now be able to access your app from those URLs with IAP turned on.

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Identity-Aware Proxy Documentation