This page explains how to secure a Google Container Engine instance with Cloud Identity-Aware Proxy (Cloud IAP).
Before you begin
To complete this quickstart, you will need:
- A Cloud Platform Console project with billing enabled.
- A cluster of one or more Container Engine containers, served by an HTTPS load balancer. Learn about Setting up a Load Balancer.
- A domain name registered to the address of your load balancer.
- Application code to verify that all requests have an identity. Learn about Getting the User's Identity.
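The last prerequisite is the one that is easy to skip. Cloud IAP enforces access at the HTTPS load balancer and passes the verified identity to your backend in a signed x-goog-iap-jwt-assertion header; the application must check that header on every request, because anything that reaches the container by another path (a NodePort, another workload in the same network) has not been authenticated by Cloud IAP. The following Go verifier is an added example, not code from this page or from Google. It assumes the caller has already fetched Cloud IAP's public keys (published as a kid-to-PEM map at https://www.gstatic.com/iap-verification/public-key) into a map keyed by kid, and that the expected audience is the backend service's string of the form /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID. The SignForTest helper, the local key pair and the sample claims are constructed so the example runs offline; they stand in for IAP's signer and are not IAP APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IAPIssuer is the issuer IAP writes into the x-goog-iap-jwt-assertion header.
const IAPIssuer = "https://cloud.google.com/iap"
// Claims is the subset of the assertion this backend checks.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}
// VerifyIAPAssertion checks the ES256 signature and claims of one assertion. keys maps kid to
// P-256 public key (assumed fetched and cached by the caller); expectedAud is this backend's audience.
func VerifyIAPAssertion(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed assertion")
	}
	var hdr header
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("undecodable header")
	}
	// Pin the algorithm: a token claiming "none" or "HS256" is rejected before any key lookup.
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad signature encoding")
	}
	// ES256 signatures are r||s, 32 bytes each, over SHA-256(header.payload).
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("undecodable payload")
	}
	switch {
	case c.Iss != IAPIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("audience %q is not this backend", c.Aud)
	case c.Exp == 0 || now.After(time.Unix(c.Exp, 0).Add(30*time.Second)): // small clock-skew allowance
		return nil, fmt.Errorf("assertion expired")
	case c.Sub == "" || c.Email == "":
		return nil, fmt.Errorf("assertion carries no identity")
	}
	return &c, nil
}
// SignForTest mints an ES256 assertion with a local key so the verifier can be exercised
// offline. It stands in for IAP's signer and is not an IAP API.
func SignForTest(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(header{Alg: "ES256", Kid: kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed local key, not IAP's
	aud := "/projects/123456789/global/backendServices/987654321" // constructed sample audience
	tok, _ := SignForTest(priv, "kid-1", Claims{Iss: IAPIssuer, Aud: aud, Sub: "accounts.google.com:1",
		Email: "alice@example.com", Exp: time.Now().Add(10 * time.Minute).Unix()})
	_, err := VerifyIAPAssertion(tok, aud, map[string]*ecdsa.PublicKey{"kid-1": &priv.PublicKey}, time.Now())
	fmt.Println("accepted:", err == nil)
}
```

The order of the checks is deliberate: the algorithm is pinned and the key is looked up by kid before the signature is checked, the signature is checked before the payload is parsed, and the audience is compared against this backend's own value so that a valid assertion minted for another IAP-protected backend in the same project is not accepted here.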
Enabling Cloud IAP
Go to the Cloud IAP admin page.
- If you don't already have an active project, you will be prompted to select the project you want to secure with Cloud IAP.
- If you haven't configured your project's OAuth consent screen, you'll be prompted to do so.
Under Access, click Add to add members to the project. These members will be assigned the IAP access: HTTPS role on the current project, and will be able to access all of the project's Cloud IAP-secured resources.
Members can be:
- Google Accounts: user@gmail.com
- Google Groups: group@example.com
- Service accounts: service-account@project-id.iam.gserviceaccount.com
- G Suite domains: example.com
In the list of Resources, locate the load balancer serving the container cluster you want to restrict access to. Click the switch in the IAP column to toggle Cloud IAP for that resource.
- At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
- In the Turn on IAP window that appears, list all domains used to access the resource. Make sure to include the domain registered to the address of your load balancer.
- Click Turn On to confirm that you want the resource to be secured by Cloud IAP. Once enabled, Cloud IAP requires login credentials for all connections to your load balancer, and only accounts with the IAP access: HTTPS role on this project will be given access. This check is made at the load balancer: requests that reach the cluster by any other path (for example from another workload in the same network) are not authenticated by Cloud IAP, which is why your application must still verify the identity on every request.
If you want to access your app from more URLs later, go to API Manager > Credentials and edit the existing OAuth 2.0 client IDs:
- Click Edit OAuth client next to the client to which you want to add a URL.
- In the Credentials window that appears, under Authorized redirect URIs, add the URLs in the format of
- When you're finished adding URLs, click Save. You'll now be able to access your app from those URLs with IAP turned on.