Migrate from the IAP OAuth Admin API

This page provides the steps to migrate from using OAuth 2.0 clients created using the Identity-Aware Proxy (IAP) OAuth 2.0 Admin API to using a Google-managed OAuth 2.0 client that is deployed by IAP.

As of January 22, 2025, the IAP OAuth 2.0 Admin API, which is used to create an IAP OAuth 2.0 client, is deprecated. The replacement is the Google-managed OAuth 2.0 client that is automatically deployed with IAP. This client restricts access to IAP-enabled applications to users within the same organization when they access those applications through a browser.

If you used the IAP OAuth 2.0 Admin APIs to create and manage an OAuth 2.0 client to enable IAP on your applications or Google Cloud resources, you must migrate those applications and Google Cloud resources to use the Google-managed OAuth 2.0 client.

If you did not previously configure an OAuth 2.0 client for your applications or Google Cloud resources, the Google-managed OAuth 2.0 client is automatically deployed when you enable IAP on your applications and resources.

If you use programmatic access to protect your applications and resources with IAP, you cannot use the Google-managed OAuth 2.0 client. You must use a service account.

Migrate IAP-enabled App Engine resources

Complete the steps in this section to migrate App Engine resources where IAP is enabled and an OAuth 2.0 client is configured.

gcloud

Before you continue to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

Use the Google Cloud CLI to authenticate.
```
gcloud auth login
```
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
```
gcloud config set project PROJECT_ID
```

To migrate your apps, run the following command.

gcloud iap web enable --resource-type=app-engine

API

Run the following command to prepare a settings.json file.

 cat << EOF > settings.json
 {
 "iap":
     {
       "enabled":true
     }
 }
 EOF

Run the following command to migrate your apps.

 curl -X PATCH \
 -H "Authorization: Bearer $(gcloud auth print-access-token)" \
 -H "Accept: application/json" \
 -H "Content-Type: application/json" \
 -d @settings.json \
 "https://appengine.googleapis.com/v1/apps/<var>PROJECT_ID</var>?updateMask=iap"

Migrate IAP-enabled Compute Engine resources

Complete the steps in this section to migrate Compute Engine resources where IAP is enabled and an OAuth 2.0 client is configured.

gcloud

Before you continue to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

Use the Google Cloud CLI to authenticate.
```
gcloud auth login
```
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
```
gcloud config set project PROJECT_ID
```

To migrate your applications, run either the globally or regionally scoped command.

Global scope


gcloud compute backend-services update BACKEND_SERVICE_NAME \
--global \
--iap=enabled

Regional scope


gcloud compute backend-services update BACKEND_SERVICE_NAME \
--region REGION_NAME \
--iap=enabled

API

Run the following command to prepare a settings.json file.

cat << EOF > settings.json
{
"iap":
     {
       "enabled":true
     }
}
EOF

Run the following command to migrate your IAP resources.

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @settings.json \
"https://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/<var>REGION</var>/backendServices/<var>BACKEND_SERVICE_NAME</var>"

Migrate IAP-enabled Cloud Run resources

Complete the steps in this section to migrate Cloud Run resources where IAP is enabled and an OAuth 2.0 client is configured.

gcloud

Before continuing to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

To authenticate, use the Google Cloud CLI and run the following command.
```
gcloud auth login
```
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
```
gcloud config set project PROJECT_ID
```

To migrate your resources, run either the globally or regionally scoped command.

Global scope


gcloud compute backend-services update BACKEND_SERVICE_NAME \
--global \
--iap=enabled

Regional scope


gcloud compute backend-services update BACKEND_SERVICE_NAME \
--region REGION_NAME \
--iap=enabled

API

Run the following command to prepare a settings.json file.

cat << EOF > settings.json
{
"iap":
     {
       "enabled":true
     }
}
EOF

Run the following command to migrat your resources.

curl -X PATCH \\
-H "Authorization: Bearer $(gcloud auth print-access-token)" \\
-H "Accept: application/json" \\
-H "Content-Type: application/json" \\
-d @settings.json \\
"https://compute.googleapis.com/compute/v1/projects/<var>PROJECT_ID</var>/<var>REGION</var>/backendServices/<var>BACKEND_SERVICE_NAME</var>"

Migrate IAP-enabled Google Kubernetes Engine resources

Add the following IAP block to the BackendConfig Custom Resource Definition (CRD). This enables IAP with the Google-managed OAuth 2.0 client.

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
  namespace: my-namespace
spec:
  iap:
    enabled: true