This page provides the steps to migrate from using OAuth 2.0 clients created using the Identity-Aware Proxy (IAP) OAuth 2.0 Admin API to using a Google-managed OAuth 2.0 client that is deployed by IAP.
As of January 22, 2025, the IAP OAuth 2.0 Admin API, which was used to create IAP OAuth 2.0 clients, is deprecated: you no longer have to create and manage OAuth clients yourself. When no OAuth client is configured, IAP automatically deploys a Google-managed OAuth 2.0 client. Note the access boundary this implies: the Google-managed OAuth 2.0 client only allows users within the same organization to sign in to IAP-enabled applications through a browser, so users outside your organization cannot authenticate through it.
With the deprecation of the Identity-Aware Proxy (IAP) OAuth 2.0 Admin API, you can no longer create or manage new OAuth clients. OAuth clients created before this deprecation won't be invalidated. You can continue to use OAuth clients that you previously created, and manage those clients using the Google Cloud console.
Migration is optional. If you don't need every IAP-enabled resource to use the Google-managed OAuth client consistently, resources that you enabled with IAP before the deprecation can keep using their existing OAuth clients.
If you use programmatic access to protect your applications and resources with IAP, you cannot use the Google-managed OAuth 2.0 client. You must create OAuth clients using the console or use a service account.
Required actions
Migrate existing IAP-enabled resources
If you used the IAP OAuth 2.0 Admin APIs to create and manage an OAuth 2.0 client to enable IAP on your applications or Google Cloud resources, you must migrate those applications and Google Cloud resources in order to use the Google-managed OAuth 2.0 client.
Enable IAP on new resources
If you are enabling IAP on a resource for the first time and you don't have an OAuth client configured, complete the following procedures to enable IAP with the automatically deployed Google-managed OAuth client:
- Enabling IAP for App Engine
- Enabling IAP for Cloud Run
- Enable IAP for Compute Engine
- Enable IAP for Google Kubernetes Engine: Enable IAP with the Google-managed OAuth client
Migrate IAP-enabled resources
To migrate your resources to use the Google-managed OAuth 2.0 client, follow the steps for the type of resource, such as a Compute Engine resource, that you want to migrate.
Migrate IAP-enabled App Engine resources
Complete the steps in this section to migrate App Engine resources where IAP is enabled and an OAuth 2.0 client is configured.
gcloud
Before you continue to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
Use the Google Cloud CLI to authenticate.
gcloud auth login
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
gcloud config set project PROJECT_ID
To migrate your apps, run the following command.
gcloud iap web enable --resource-type=app-engine
API
Run the following command to prepare a settings.json file.
cat << EOF > settings.json
{
  "iap": {
    "enabled": true
  }
}
EOF
Run the following command to migrate your apps.
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @settings.json \
  "https://appengine.googleapis.com/v1/apps/PROJECT_ID?updateMask=iap"
Migrate IAP-enabled Compute Engine resources
Complete the steps in this section to migrate Compute Engine resources where IAP is enabled and an OAuth 2.0 client is configured.
gcloud
Before you continue to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
Use the Google Cloud CLI to authenticate.
gcloud auth login
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
gcloud config set project PROJECT_ID
To migrate your applications, run either the globally or regionally scoped command.
Global scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \
  --global \
  --iap=enabled,oauth2-client-id=" ",oauth2-client-secret=" "
Regional scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \
  --region REGION_NAME \
  --iap=enabled,oauth2-client-id=" ",oauth2-client-secret=" "
To confirm that the OAuth client ID is not set, run the following global or regional scope command. After running the command, check the output to ensure that the OAuth client ID field (iap.oauth2ClientId) is empty or absent.
Global scope
gcloud compute backend-services describe BACKEND_SERVICE_NAME \
  --global
Regional scope
gcloud compute backend-services describe BACKEND_SERVICE_NAME \
  --region REGION_NAME
API
Run the following command to prepare a settings.json file.
cat << EOF > settings.json
{
  "iap": {
    "enabled": true,
    "oauth2ClientId": " ",
    "oauth2ClientSecret": " "
  }
}
EOF
Run the following command to migrate your IAP resources.
Global scope
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @settings.json \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE_NAME"
Regional scope
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @settings.json \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/backendServices/BACKEND_SERVICE_NAME"
To confirm that the OAuth client ID is not set, read the backend service back with the following global or regional scope command (a GET request, not a PATCH). In the response, check that the oauth2ClientId field in the iap block is empty or absent.
Global scope
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE_NAME"
Regional scope
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/backendServices/BACKEND_SERVICE_NAME"
Terraform
Clear the existing values for the OAuth client ID and secret in the iap block while keeping IAP enabled, then apply. Example:
resource "google_compute_backend_service" "default" {
  name                  = "tf-test-backend-service-external"
  protocol              = "HTTP"
  load_balancing_scheme = "EXTERNAL"

  iap {
    # Keep IAP on; this mirrors --iap=enabled in the gcloud command.
    enabled = true
    # A single space clears the customer-managed client so that IAP
    # falls back to the Google-managed OAuth 2.0 client.
    oauth2_client_id     = " "
    oauth2_client_secret = " "
  }
}
Migrate IAP-enabled Cloud Run resources
Complete the steps in this section to migrate Cloud Run resources where IAP is enabled and an OAuth 2.0 client is configured.
gcloud
Before continuing to the steps, ensure that you have an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
To authenticate, use the Google Cloud CLI and run the following command.
gcloud auth login
Click the URL that appears and sign in.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the applications that you want to continue to protect with IAP.
gcloud config set project PROJECT_ID
To migrate your resources, run either the globally or regionally scoped command.
Global scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \
  --global \
  --iap=enabled,oauth2-client-id=" ",oauth2-client-secret=" "
Regional scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \
  --region REGION_NAME \
  --iap=enabled,oauth2-client-id=" ",oauth2-client-secret=" "
To confirm that the OAuth client ID is not set, run the following global or regional scope command. After running the command, check the output to ensure that the OAuth client ID field (iap.oauth2ClientId) is empty or absent.
Global scope
gcloud compute backend-services describe BACKEND_SERVICE_NAME \
  --global
Regional scope
gcloud compute backend-services describe BACKEND_SERVICE_NAME \
  --region REGION_NAME
API
Run the following command to prepare a settings.json file.
cat << EOF > settings.json
{
  "iap": {
    "enabled": true,
    "oauth2ClientId": " ",
    "oauth2ClientSecret": " "
  }
}
EOF
Run the following command to migrate your resources.
Global scope
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @settings.json \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE_NAME"
Regional scope
curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @settings.json \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/backendServices/BACKEND_SERVICE_NAME"
To confirm that the OAuth client ID is not set, read the backend service back with the following global or regional scope command (a GET request, not a PATCH). In the response, check that the oauth2ClientId field in the iap block is empty or absent.
Global scope
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendServices/BACKEND_SERVICE_NAME"
Regional scope
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/regions/REGION_NAME/backendServices/BACKEND_SERVICE_NAME"
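The Compute Engine and Cloud Run procedures above are the same backend-service update applied per resource, and on a project with many load balancers it is easy to miss one. The following audit script is an added example, not code from the Google Cloud documentation: it reads the JSON that `gcloud compute backend-services list --format=json` prints, flags every IAP-enabled backend service that still carries a customer-managed OAuth client ID, emits the matching update command with the correct global or regional scope, and checks a post-migration `describe --format=json` result for a cleared client ID. The sample listing embedded in it (project demo-proj, the service names and the region) is constructed for illustration; the field names (iap.enabled, iap.oauth2ClientId, region) are the ones the Compute API returns.

```python
"""Audit backend services for customer-managed IAP OAuth clients.

Added example, not part of the Google Cloud documentation. Usage:
  gcloud compute backend-services list --format=json | python3 iap_audit.py
With no stdin it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample of `gcloud compute backend-services list --format=json`
# output. Project, names and region are assumptions for illustration only.
SAMPLE_LIST = json.dumps([
    {
        "name": "web-global",
        "selfLink": "https://www.googleapis.com/compute/v1/projects/demo-proj/global/backendServices/web-global",
        "iap": {"enabled": True,
                "oauth2ClientId": "1234567890-abc.apps.googleusercontent.com"},
    },
    {
        "name": "api-regional",
        "region": "https://www.googleapis.com/compute/v1/projects/demo-proj/regions/us-central1",
        "iap": {"enabled": True,
                "oauth2ClientId": "1234567890-def.apps.googleusercontent.com"},
    },
    {   # already on the Google-managed client: ID cleared with a space
        "name": "already-migrated",
        "iap": {"enabled": True, "oauth2ClientId": " "},
    },
    {   # IAP off: nothing to migrate
        "name": "no-iap",
        "iap": {"enabled": False},
    },
])


def client_id_is_cleared(svc: dict) -> bool:
    """True when iap.oauth2ClientId is absent or blank, i.e. the
    Google-managed OAuth 2.0 client is in use."""
    return not (svc.get("iap") or {}).get("oauth2ClientId", "").strip()


def needs_migration(svc: dict) -> bool:
    """IAP is enabled and a customer-managed client ID is still attached."""
    iap = svc.get("iap") or {}
    return bool(iap.get("enabled")) and not client_id_is_cleared(svc)


def scope_flag(svc: dict) -> str:
    """'--global', or '--region NAME' taken from the region URL in the listing."""
    region_url = svc.get("region")
    if not region_url:
        return "--global"
    return f"--region {region_url.rstrip('/').rsplit('/', 1)[-1]}"


def migration_command(svc: dict) -> str:
    """The update command from the page, with client ID and secret cleared."""
    return (
        f"gcloud compute backend-services update {svc['name']} {scope_flag(svc)} "
        '--iap=enabled,oauth2-client-id=" ",oauth2-client-secret=" "'
    )


def patch_body() -> str:
    """Equivalent settings.json body for the REST PATCH alternative."""
    return json.dumps({"iap": {"enabled": True,
                               "oauth2ClientId": " ",
                               "oauth2ClientSecret": " "}})


def audit(listing_json: str) -> list[str]:
    """One update command per backend service that still needs migrating."""
    return [migration_command(s) for s in json.loads(listing_json)
            if needs_migration(s)]


def verify(describe_json: str) -> bool:
    """Post-migration check on `backend-services describe --format=json`:
    IAP must still be enabled and the client ID must be cleared."""
    svc = json.loads(describe_json)
    return bool((svc.get("iap") or {}).get("enabled")) and client_id_is_cleared(svc)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST
    for cmd in audit(data):
        print(cmd)
```

Run the printed commands, then pipe each `describe --format=json` result through `verify` (or eyeball the iap block) before removing any old client from the console; a service whose IAP flag flipped to false during the update is reported as not verified rather than as migrated.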
Migrate IAP-enabled Google Kubernetes Engine resources
Add the following iap block to your BackendConfig custom resource, replacing any existing iap block that references a client-secret Secret. Because no client credentials are specified, this enables IAP with the Google-managed OAuth 2.0 client.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
  namespace: my-namespace
spec:
  iap:
    enabled: true