Last updated (UTC): 2025-09-04.

- This guide outlines the process of securing Compute Engine instances using Identity-Aware Proxy (IAP), which involves enabling IAP on either a backend service or a forwarding rule.
- To enable IAP, you'll need a Google Cloud project with billing enabled, a load balancer serving Compute Engine instances, a registered domain name, and code to verify user identity.
- IAP utilizes a Google-managed OAuth client for user authentication, primarily allowing access to users within the organization, but can be configured for external users.
- IAP can be enabled on a Compute Engine forwarding rule using load balancer authorization policies, or directly on a backend service using the console, gcloud CLI, or API.
- Once enabled, access to IAP-protected resources is managed by assigning the "IAP-Secured Web App User" role to specific Google accounts, groups, service accounts, or Google Workspace domains.

# Enable IAP for Compute Engine

This page explains how to secure a Compute Engine instance with
[Identity-Aware Proxy (IAP)](/iap/docs/concepts-overview).

Before you begin
----------------

To enable IAP for Compute Engine, you need the following:

- A Google Cloud console project with billing enabled.
- A group of one or more Compute Engine instances, served by a load balancer.
  - Learn about [Setting up an external HTTPS load balancer](/load-balancing/docs/https/setting-up-https).
  - Learn about [setting up an internal HTTP load balancer](/load-balancing/docs/l7-internal/setting-up-l7-internal).
- A domain name registered to the address of your load balancer.
- Application code to verify that all requests have an identity.
  - Learn about [Getting the user's identity](/iap/docs/identity-howto).

If you don't have your Compute Engine instance set up already, see
[Setting up IAP for Compute Engine](/iap/docs/tutorial-gce)
for a complete walkthrough.

IAP uses a Google-managed OAuth client to authenticate users.
Only users within the organization can access the IAP-enabled
application. If you want to allow access to users outside of your organization,
see [Enable IAP for external applications](/iap/docs/custom-oauth-configuration).

**Note:** The ability to authenticate users with a Google-managed OAuth client is available in [Preview](/products#product-launch-stages).

You can enable IAP on a Compute Engine
[backend service](/load-balancing/docs/backend-service) or on a
Compute Engine [forwarding rule](/load-balancing/docs/forwarding-rule-concepts).
When you enable IAP on a Compute Engine backend service,
only that backend service is protected by IAP. When you enable
IAP on a Compute Engine forwarding rule, all of the
Compute Engine instances behind the forwarding rule are protected by
IAP.

Enable IAP on a forwarding rule
-------------------------------

You can enable IAP on a forwarding rule by using the
load balancer [authorization policies](/load-balancing/docs/auth-policy/auth-policy-overview)
framework.

### gcloud

1. Run the following command to prepare a `policy.yaml` file.

   ```
   cat << EOF > policy.yaml
   action: CUSTOM
   description: authz policy with Cloud IAP
   name: AUTHZ_POLICY_NAME
   customProvider:
     cloudIap: {}
   target:
     loadBalancingScheme: EXTERNAL_MANAGED
     resources:
     - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
   --source=policy.yaml \
   --location=LOCATION \
   --project=PROJECT_ID
   ```

Replace the following:

- `PROJECT_ID`: The Google Cloud project ID.
- `LOCATION`: The region that the resource is located in.
- `FORWARDING_RULE_ID`: The ID of the forwarding rule resource.
- `AUTHZ_POLICY_NAME`: The name of the authorization policy.

### API

1. Run the following command to prepare a `policy.json` file.

   ```
   cat << EOF > policy.json
   {
     "name": "AUTHZ_POLICY_NAME",
     "target": {
       "loadBalancingScheme": "INTERNAL_MANAGED",
       "resources": [
         "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
       ]
     },
     "action": "CUSTOM",
     "httpRules": [],
     "customProvider": {
       "cloudIap": {}
     }
   }
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   curl -X PATCH \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Accept: application/json" \
   -H "Content-Type: application/json" \
   -d @policy.json \
   "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"
   ```

   Replace the following:

   - `PROJECT_ID`: The Google Cloud project ID.
   - `LOCATION`: The region that the resource is located in.
   - `FORWARDING_RULE_ID`: The ID of the forwarding rule resource.
   - `AUTHZ_POLICY_NAME`: The name of the authorization policy.

After you enable IAP on a forwarding rule, you can
[apply permissions to resources](/iap/docs/auth-policies#apply_permissions_to_resources).

Enable IAP on a Compute Engine backend service
----------------------------------------------

You can enable IAP on a Compute Engine backend service
through that backend service.

### console

The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll be
prompted to do so. To configure your OAuth consent screen, see
[Setting up your OAuth consent screen](https://support.google.com/cloud/answer/10311615).

If you are running GKE clusters version 1.24 or later, you can configure
IAP and GKE by using the Kubernetes Gateway API. To do so, complete
the following steps and then follow the instructions in
[Configure IAP](/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_iap).
Do not configure `BackendConfig`.

### Setting up IAP access

1. Go to the [Identity-Aware Proxy page](https://console.cloud.google.com/security/iap).
2. Select the project you want to secure with IAP.
3. Select the checkbox next to the resource you want to grant access to.

   If you don't see a resource, ensure that the resource is created and that
   the BackendConfig Compute Engine ingress controller is synced.

   To verify that the backend service is available, run the following
   gcloud command:
   `gcloud compute backend-services list`
4. On the right side panel, click **Add principal**.
5. In the **Add principals** dialog that appears, enter the email addresses of groups or individuals who should have the **IAP-secured Web App User** role for the project.

   The following kinds of principals can have this role:
   - **Google Account**: user@gmail.com
   - **Google Group**: admins@googlegroups.com
   - **Service account**: server@example.gserviceaccount.com
   - **Google Workspace domain**: example.com

   Make sure to add a Google Account that you have access to.
6. Select **Cloud IAP > IAP-secured Web App User** from the **Roles** drop-down list.
7. Click **Save**.

### Turning on IAP

1. On the **Identity-Aware Proxy** page, under **APPLICATIONS**, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the **IAP** column.

   To enable IAP:
   - At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about [setting up a load balancer](/iap/docs/load-balancer-howto).
   - You need the `compute.backendServices.update`, `clientauthconfig.clients.create`, and `clientauthconfig.clients.getWithSecret` permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see [Managing access to IAP-secured resources](/iap/docs/managing-access#turning_on_and_off).
2. In the **Turn on IAP** window that appears, click **Turn On** to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the **IAP-Secured Web App User** role on the project will be given access.

### gcloud

Before you set up your project and IAP, you need an up-to-date version of the
gcloud CLI. For instructions on how to install the gcloud CLI,
see [Install the gcloud CLI](/sdk/downloads).

1. To authenticate, use the Google Cloud CLI and run the following command.

   ```
   gcloud auth login
   ```

2. To sign in, follow the URL that appears.
3. After you sign in, copy the verification code that appears and paste it in the command line.
4. Run the following command to specify the project that contains the resource that you want to protect with IAP.

   ```
   gcloud config set project PROJECT_ID
   ```

5. To enable IAP, run either the globally or regionally scoped command.

   Global scope

   ```
   gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
   ```

   Regional scope

   ```
   gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled
   ```

After you enable IAP, you can use the gcloud CLI to modify
the IAP access policy using the IAM role
`roles/iap.httpsResourceAccessor`. Learn more about
[managing roles and permissions](/iam/docs/granting-changing-revoking-access).

### API

1. Run the following command to prepare a `settings.json` file.

   ```
   cat << EOF > settings.json
   {
     "iap":
     {
       "enabled": true
     }
   }
   EOF
   ```

2. Run the following command to enable IAP.

   ```
   curl -X PATCH \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Accept: application/json" \
   -H "Content-Type: application/json" \
   -d @settings.json \
   "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"
   ```

After you enable IAP, you can use the Google Cloud CLI to modify the
IAP access policy using the IAM role
`roles/iap.httpsResourceAccessor`. Learn more about
[managing roles and permissions](/iam/docs/granting-changing-revoking-access).
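Because access through IAP is decided by who holds `roles/iap.httpsResourceAccessor`, it is worth reviewing that binding after enabling IAP. The following is an added example, not part of Google's documentation: it audits an IAM policy in the standard `bindings` JSON shape and classifies each member by the principal kinds this page lists. The function name `audit_iap_access`, the `org_domains` parameter, the severity labels and the sample policy are all assumptions made for illustration.

```python
import json

IAP_ROLE = "roles/iap.httpsResourceAccessor"

# Constructed sample IAM policy; every member below is made up for the example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["user:alice@example.com", "group:admins@example.com",
                 "serviceAccount:server@example.gserviceaccount.com",
                 "domain:example.com", "user:someone@gmail.com",
                 "allAuthenticatedUsers"]},
    {"role": "roles/viewer", "members": ["allUsers"]}
  ]
}
""")


def audit_iap_access(policy, org_domains):
    """Return (member, severity, reason) for every member of the IAP accessor role.

    org_domains is a hypothetical allow-list of domains the reviewer treats as internal.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ROLE:
            continue  # only the role that grants access through IAP matters here
        conditional = "condition" in binding
        for member in binding.get("members", []):
            kind, _, value = member.partition(":")
            domain = value.rsplit("@", 1)[-1].lower()
            if kind in ("allUsers", "allAuthenticatedUsers"):
                sev, why = "high", "access is not restricted to named principals"
            elif kind == "domain":
                sev, why = "medium", "every account in the domain is granted access"
            elif kind in ("user", "group") and domain not in org_domains:
                sev, why = "medium", "principal is outside the listed organization domains"
            elif kind in ("user", "group", "serviceAccount"):
                sev, why = "info", "named principal"
            else:
                sev, why = "review", "unrecognized member type"
            if conditional and sev != "info":
                why += " (binding carries an IAM condition; check its scope)"
            findings.append((member, sev, why))
    return findings


if __name__ == "__main__":
    for member, sev, why in audit_iap_access(SAMPLE_POLICY, {"example.com"}):
        print(f"{sev:6} {member}: {why}")
```

Feed it the JSON form of the policy attached to the IAP-protected resource or project, and pass your own organization's domains as `org_domains`.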