Enabling Cloud IAP for Compute Engine

This page explains how to secure a Compute Engine instance with Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

To enable Cloud IAP for Compute Engine, you'll need the following:

  • A GCP Console project with billing enabled.
  • A group of one or more Compute Engine instances, served by an HTTPS load balancer.
  • A domain name registered to the address of your load balancer.
  • Application code to verify that all requests have an identity.

If you don't have your Compute Engine instance set up already, see Setting up Cloud IAP for Compute Engine for a complete walkthrough.

Enabling Cloud IAP using the GCP Console

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you'll need to do so. An email address and product name are required for the OAuth consent screen.
  1. Go to the OAuth consent screen.
  2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
  3. Enter the Product name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

Setting up Cloud IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with Cloud IAP.
  3. On the right side panel, next to Access, click Add.
  4. In the Add members dialog that appears, add the email addresses of groups or individuals who should have the IAP-Secured Web App User role for the project.

    The following kinds of accounts can be members:

    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com

    Make sure to add a Google account that you have access to.

  5. When you're finished adding members, click Add.

Creating OAuth credentials

  1. Go to the Credentials page.
  2. On the Create credentials drop-down list, select OAuth client ID.
  3. Under Application type, select Web application.
  4. Add a Name and Authorized redirect URLs in the format of your_domain/_gcp_gatekeeper/authenticate, where your_domain is a domain that you want to access your Cloud IAP-enabled backend service from.
  5. When you're finished adding authorized redirect URLs, click Create, then click OK on the OAuth client window that appears.
  6. Under OAuth 2.0 client IDs, next to the credentials you created, click Download JSON on the right side. You'll use these credentials in a later step.

Adding authorized domains

To access your app from more domains later, follow the process below:

  1. Go to the Identity-Aware Proxy page.
  2. Click More next to the resource to which you want to add a domain, then click Edit OAuth client.
  3. In the Credentials window that appears, under Authorized redirect URIs, add the domains in the format of your_domain/_gcp_gatekeeper/authenticate.
  4. When you're finished adding domains, click Save. You'll now be able to access your app from those domains with Cloud IAP turned on.

Turning on Cloud IAP

  1. On the Identity-Aware Proxy page, under Resource, find the load balancer that serves the instance group you want to restrict access to. To turn on Cloud IAP for a resource, click Off in the IAP column.
    • To enable Cloud IAP, at least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
  2. In the Turn on IAP window that appears, list all domains used to access the resource. Make sure to include the domain registered to the address of your load balancer.
  3. Click Turn On to confirm that you want the resource to be secured by Cloud IAP. After you turn on Cloud IAP, it requires login credentials for all connections to your load balancer, and only accounts with the IAP-Secured Web App User role on the project will be given access.


Enabling Cloud IAP using Cloud SDK

This section describes how to use the gcloud command-line tool to turn on Cloud IAP for Compute Engine applications. Using the gcloud command-line tool to turn on Cloud IAP for App Engine is not yet supported. Use the App Engine quickstart instead.

Getting Cloud SDK

Before you set up your project and Cloud IAP, you'll need an up-to-date version of Cloud SDK. Get Cloud SDK.

Setting up your project

Select the project for which you want to enable Cloud IAP and set it up as follows:

  1. Go to the Instance groups page to make sure your instances are in an instance group.
  2. Define backend services.
  3. Set up load balancing.
  4. Set up an OAuth client:
    1. Go to API > Credentials and select the project for which you want to enable Cloud IAP.
    2. Set up your OAuth consent screen:
      1. Go to the OAuth consent screen.
      2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
      3. Enter the Product name you want to display.
      4. Add any optional details you'd like.
      5. Click Save.

      To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

    3. Under Credentials, click Create credentials > OAuth client ID.
    4. Under Application type select Web application, then add a Name and specify Authorized redirect URLs in the format of yourURL/_gcp_gatekeeper/authenticate.
    5. When you're finished entering details, click Create.
    6. In the OAuth client window that appears, make note of the client ID and client secret.

Enabling Cloud IAP

  1. Using the gcloud command-line tool, run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project project_id for the project for which you want to enable Cloud IAP.
  5. To enable Cloud IAP, use the OAuth client ID and secret you created above and run gcloud compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret.

After you enable Cloud IAP, you can use the gcloud command-line tool to manipulate Cloud IAP access policy using the Cloud IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.
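As an added example (not code from the Google Cloud documentation or from the gcloud tool itself), the script below wraps the gcloud steps of this section, together with the account kinds listed under "Setting up Cloud IAP access", in small POSIX sh functions with input checks. The project id, backend service name, OAuth client id and secret, and member addresses are placeholders; the gcloud projects add-iam-policy-binding command used to grant roles/iap.httpsResourceAccessor on the project is not shown on this page and is an assumption about the Cloud IAM side of the setup.

```sh
#!/bin/sh
# Added example, not from the Google Cloud documentation page: the gcloud steps
# for enabling Cloud IAP on a backend service and granting the IAP-Secured Web
# App User role (roles/iap.httpsResourceAccessor), wrapped in shell functions
# with input checks. Project id, backend service name, client id, client secret
# and member addresses are placeholders (assumptions). The default DRY_RUN=1
# prints each gcloud command instead of executing it.

DRY_RUN="${DRY_RUN:-1}"

# Build the value for --iap. The flag is a comma-separated key=value list, so a
# comma inside the client id or secret would be parsed as another key: reject it.
build_iap_flag() {
  client_id="$1"
  client_secret="$2"
  if [ -z "$client_id" ] || [ -z "$client_secret" ]; then
    echo "build_iap_flag: client id and secret are required" >&2
    return 1
  fi
  case "$client_id$client_secret" in
    *,*) echo "build_iap_flag: comma not allowed in client id or secret" >&2; return 1 ;;
  esac
  printf 'enabled,oauth2-client-id=%s,oauth2-client-secret=%s\n' \
    "$client_id" "$client_secret"
}

# Map the account kinds listed on this page (Google Account, Google Group,
# service account, G Suite domain) to the prefix Cloud IAM expects in --member.
iam_member() {
  kind="$1"
  address="$2"
  case "$kind" in
    user|group|domain) printf '%s:%s\n' "$kind" "$address" ;;
    serviceAccount)    printf 'serviceAccount:%s\n' "$address" ;;
    *) echo "iam_member: unknown account kind '$kind'" >&2; return 1 ;;
  esac
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '[dry-run]'
    printf ' %s' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# Step 4 of the page: select the project to configure.
set_project() {
  run gcloud config set project "$1"
}

# Step 5 of the page: turn on Cloud IAP for a global backend service.
enable_iap() {
  backend_service="$1"
  iap_flag="$(build_iap_flag "$2" "$3")" || return 1
  run gcloud compute backend-services update "$backend_service" \
    --global --iap="$iap_flag"
}

# Grant the IAP-Secured Web App User role on the project to one member
# (assumed command; the page only names the role).
grant_iap_access() {
  member="$(iam_member "$2" "$3")" || return 1
  run gcloud projects add-iam-policy-binding "$1" \
    --member="$member" --role=roles/iap.httpsResourceAccessor
}

# Placeholder values. The secret is read from the environment rather than
# written into the script, so it does not end up in version control.
PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"
BACKEND_SERVICE="${BACKEND_SERVICE:-my-backend-service}"
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-CLIENT_ID_PLACEHOLDER}"
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-CLIENT_SECRET_PLACEHOLDER}"

set_project "$PROJECT_ID"
enable_iap "$BACKEND_SERVICE" "$OAUTH_CLIENT_ID" "$OAUTH_CLIENT_SECRET"
grant_iap_access "$PROJECT_ID" user "alice@example.com"
grant_iap_access "$PROJECT_ID" group "admins@googlegroups.com"
```

Run it as-is to review the commands it would issue, then export OAUTH_CLIENT_SECRET and the other variables and run with DRY_RUN=0 after gcloud auth login. Note that the client secret is passed on the gcloud command line, exactly as in step 5, so for that invocation it is visible in shell history and in the process list on the machine you run it from.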
