Enable IAP for Compute Engine

This page explains how to secure Compute Engine instances with Identity-Aware Proxy (IAP).

Before you begin

To enable IAP for Compute Engine, you need the following:

If you have not set up a Compute Engine instance yet, see Setting up IAP for Compute Engine for a complete walkthrough.

IAP uses a Google-managed OAuth client to authenticate users. Only users within your organization can access IAP-enabled applications. If you want to allow access for users outside your organization, see Enabling IAP for external applications.

You can enable IAP on a Compute Engine backend service or on a Compute Engine forwarding rule. When you enable IAP on a Compute Engine backend service, only that backend service is protected by IAP. When you enable IAP on a Compute Engine forwarding rule, all Compute Engine instances behind the forwarding rule are protected by IAP.

Enable IAP for a forwarding rule

You can enable IAP on a forwarding rule by using the load balancer authorization policy framework.

gcloud

  1. Run the following command to prepare the policy.yaml file.

    cat << EOF > policy.yaml
    action: CUSTOM
    description: authz policy with Cloud IAP
    name: AUTHZ_POLICY_NAME
    customProvider:
      cloudIap: {}
    target:
      loadBalancingScheme: EXTERNAL_MANAGED
      resources:
      - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
    EOF

  2. Run the following command to enable IAP on the forwarding rule.

    gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
    --source=policy.yaml \
    --location=LOCATION \
    --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • LOCATION: the region where the resource is located.
  • FORWARDING_RULE_ID: the ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: the name of the authorization policy.

API

  1. Run the following command to prepare the policy.json file. (The trailing comma after the `resources` array, which makes the body invalid JSON, has been removed.)

    cat << EOF > policy.json
    {
      "name": "AUTHZ_POLICY_NAME",
      "target": {
        "loadBalancingScheme": "INTERNAL_MANAGED",
        "resources": [
          "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
        ]
      },
      "action": "CUSTOM",
      "httpRules": [],
      "customProvider": {
        "cloudIap": {}
      }
    }
    EOF

  2. Run the following command to enable IAP on the forwarding rule.

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -d @policy.json \
    "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"

    Replace the following:

    • PROJECT_ID: the Google Cloud project ID.
    • LOCATION: the region where the resource is located.
    • FORWARDING_RULE_ID: the ID of the forwarding rule resource.
    • AUTHZ_POLICY_NAME: the name of the authorization policy.
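The most common way the steps above fail is a placeholder (PROJECT_ID, LOCATION, FORWARDING_RULE_ID) left unreplaced, which yields a policy that targets no real forwarding rule. The following added example (not code from this page or from Google) builds the policy body shown above for both the gcloud and API variants, rejects unreplaced placeholders, and checks that the target is a well-formed forwarding rule URL; the project and rule names are constructed sample values.

```python
import json
import re

# Shape of the target resource URL used on this page.
FORWARDING_RULE_URL_RE = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/[a-z][-a-z0-9]*"
    r"/regions/[a-z0-9-]+/forwardingRules/[a-z][-a-z0-9]*$"
)


def forwarding_rule_url(project_id, location, forwarding_rule_id):
    """Build the Compute Engine resource URL the authz policy targets."""
    return (f"https://www.googleapis.com/compute/v1/projects/{project_id}"
            f"/regions/{location}/forwardingRules/{forwarding_rule_id}")


def build_iap_authz_policy(name, project_id, location, forwarding_rule_id,
                           scheme="EXTERNAL_MANAGED"):
    """Return the IAP authz policy body (action CUSTOM, provider cloudIap).

    Raises ValueError when a value still looks like an unreplaced
    ALL_CAPS placeholder or the resulting target URL is malformed.
    """
    for value in (name, project_id, location, forwarding_rule_id):
        if re.fullmatch(r"[A-Z][A-Z0-9_]*", value):
            raise ValueError(f"placeholder not replaced: {value}")
    url = forwarding_rule_url(project_id, location, forwarding_rule_id)
    if not FORWARDING_RULE_URL_RE.match(url):
        raise ValueError(f"not a forwarding rule resource URL: {url}")
    return {
        "name": name,
        "action": "CUSTOM",
        "description": "authz policy with Cloud IAP",
        "customProvider": {"cloudIap": {}},
        "target": {"loadBalancingScheme": scheme, "resources": [url]},
    }


def policy_json(policy):
    """Serialize the policy as the body for `-d @policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed sample values, not a real project.
    print(policy_json(build_iap_authz_policy(
        "iap-web", "my-sample-project", "us-central1", "web-fr")))
```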

After you enable IAP on the forwarding rule, you can apply permissions to the resource.

Enable IAP on a Compute Engine backend service

You can enable IAP on a Compute Engine backend service directly, through the backend service itself.

Console

You can't use the Google-managed OAuth client when you enable IAP by using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. To do so, complete the following steps and then follow the instructions in Configure IAP. Do not configure BackendConfig.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Turning on IAP

  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, the following must be true:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.

gcloud

Before you set up your project and IAP, you need an up-to-date version of the gcloud CLI. To learn how to install the gcloud CLI, see Installing the gcloud CLI.

  1. To authenticate, use the Google Cloud CLI and run the following command.
    gcloud auth login
  2. To sign in, follow the URL that is displayed.
  3. After you sign in, copy the verification code that is displayed and paste it into the command line.
  4. Run the following command to specify the project that contains the resource you want to secure with IAP.
    gcloud config set project PROJECT_ID
  5. To enable IAP, run either the global-scope or the regional-scope command.

    Global scope
    gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
    Regional scope
    gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy by using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.
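Turning IAP on per backend service means a service that was missed stays reachable by anyone who can hit the load balancer, so it is worth checking the whole project after step 5. The following added example (not code from this page or from Google) reads the JSON that `gcloud compute backend-services list --format=json` produces, reports which services have `iap.enabled` set, and emits the matching global or regional `gcloud compute backend-services update` command from step 5 for those that do not; the listing shown is a constructed sample, and the example assumes that regional backend services carry a `region` URL while global ones do not.

```python
import json

# Constructed sample standing in for the output of
# `gcloud compute backend-services list --format=json` (not real project data).
SAMPLE_LISTING = json.dumps([
    {
        "name": "web-backend",
        "loadBalancingScheme": "EXTERNAL_MANAGED",
        "iap": {"enabled": True, "oauth2ClientId": "123.apps.googleusercontent.com"},
    },
    {
        "name": "admin-backend",
        "region": "https://www.googleapis.com/compute/v1/projects/my-project/regions/us-central1",
        "loadBalancingScheme": "INTERNAL_MANAGED",
    },
    {
        "name": "legacy-backend",
        "loadBalancingScheme": "EXTERNAL",
        "iap": {"enabled": False},
    },
])


def iap_enabled(svc):
    """True only when the service's iap block exists and explicitly says enabled."""
    return bool(svc.get("iap", {}).get("enabled", False))


def scope_flag(svc):
    """Regional services carry a `region` URL (assumed); global ones do not."""
    region = svc.get("region")
    return f"--region {region.rsplit('/', 1)[-1]}" if region else "--global"


def remediation(svc):
    """The step-5 gcloud command that turns IAP on for this backend service."""
    return (f"gcloud compute backend-services update {svc['name']} "
            f"{scope_flag(svc)} --iap=enabled")


def audit(listing_json):
    """Map each backend service name to None (protected) or its fix command."""
    result = {}
    for svc in json.loads(listing_json):
        result[svc["name"]] = None if iap_enabled(svc) else remediation(svc)
    return result


if __name__ == "__main__":
    for name, fix in audit(SAMPLE_LISTING).items():
        print(f"{name}: {'IAP enabled' if fix is None else 'NOT protected -> ' + fix}")
```

An IAP-enabled backend service still needs an HTTPS frontend and the `roles/iap.httpsResourceAccessor` grants described on this page before users can reach it, and this check covers neither of those.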

API

  1. Run the following command to prepare the settings.json file.

    cat << EOF > settings.json
    {
    "iap":
      {
        "enabled":true
      }
    }
    EOF

  2. Run the following command to enable IAP.

    curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -d @settings.json \
    "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"

After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy by using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.