Enabling Cloud IAP for Container Engine

This page explains how to secure a Google Container Engine instance with Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

To enable Cloud IAP for Container Engine, you'll need the following:

  • A Cloud Platform Console project with billing enabled.
  • A group of one or more Container Engine instances, served by an HTTPS load balancer.
  • A domain name registered to the address of your load balancer.
  • A Cloud SDK installation.
  • Application code to verify that all requests have an identity.
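The last prerequisite above, application code that verifies every request carries an identity, is worth showing concretely. The Go handler below is an added example and is not code from this page or from Google: it checks the signed assertion that Cloud IAP forwards to the backend in the x-goog-iap-jwt-assertion request header (a real header name), verifying the ES256 signature, the issuer (assumed here to be https://cloud.google.com/iap), the expected audience (a placeholder /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID), the expiry, and the presence of an email claim. In production the public key comes from IAP's published key set; here a locally generated P-256 key and a SignDemoAssertion helper stand in for IAP so the example runs offline. All function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// Header IAP adds to every request it forwards to the backend (real header name).
const assertionHeader = "x-goog-iap-jwt-assertion"

// Issuer expected in the assertion (assumed value; confirm against the IAP docs).
const iapIssuer = "https://cloud.google.com/iap"

// IAPClaims is the subset of JWT claims the application acts on.
type IAPClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

// VerifyIAPAssertion checks an ES256-signed assertion: signature first, then
// issuer, audience, expiry, and that an identity (email) is actually present.
// pub is IAP's signing key; wantAud is this backend service's audience string.
func VerifyIAPAssertion(token string, pub *ecdsa.PublicKey, wantAud string, nowUnix int64) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" { // never let the token pick a weaker algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is R||S, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IAPClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iapIssuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q is not this backend", c.Aud)
	case c.Exp <= nowUnix:
		return nil, errors.New("assertion expired")
	case c.Email == "":
		return nil, errors.New("assertion carries no identity")
	}
	return &c, nil
}

// RequireIAP wraps a handler so that requests without a valid assertion are
// rejected, even if they reached the container without passing through IAP.
func RequireIAP(pub *ecdsa.PublicKey, wantAud string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		claims, err := VerifyIAPAssertion(r.Header.Get(assertionHeader), pub, wantAud, time.Now().Unix())
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Verified-Email", claims.Email) // set only after verification succeeded
		next.ServeHTTP(w, r)
	})
}

// SignDemoAssertion mints an ES256 token the way IAP would. It exists only so the
// verifier can be exercised offline with a locally generated key (constructed input).
func SignDemoAssertion(priv *ecdsa.PrivateKey, c IAPClaims) (string, error) {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	signingInput := enc(map[string]string{"alg": "ES256", "typ": "JWT"}) + "." + enc(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	var sig [64]byte
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig[:]), nil
}

// NewDemoKey generates a throwaway P-256 key standing in for IAP's real signing key.
func NewDemoKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func main() {
	priv := NewDemoKey()
	aud := "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID" // placeholder audience
	tok, _ := SignDemoAssertion(priv, IAPClaims{Iss: iapIssuer, Aud: aud, Sub: "accounts.google.com:demo",
		Email: "alice@example.com", Iat: 1700000000, Exp: 1700000600})
	claims, err := VerifyIAPAssertion(tok, &priv.PublicKey, aud, 1700000100)
	fmt.Println(claims, err)
	_ = RequireIAP(&priv.PublicKey, aud, http.NotFoundHandler()) // wrap your real handler here
}
```

The algorithm check runs before anything else so a token cannot downgrade verification, and the claim checks run only once the signature holds. Without this layer, any request that reaches the container on a path that does not go through the IAP-enabled load balancer would be served with no identity check at all, which is exactly why the prerequisite list calls for it.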

Enabling Cloud IAP using the Cloud Platform Console

  1. Go to the Cloud IAP admin page.
  2. Select the project you want to secure with Cloud IAP.
  3. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so:
    1. Go to the OAuth consent screen.
    2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
    3. Enter the Product name you want to display.
    4. Add any optional details you'd like.
    5. Click Save.
    6. Go back to the Cloud IAP admin page.
  4. On the Identity-Aware Proxy page, under Access, click Add to add members to the project. These members will be assigned the IAP access: HTTPS role on the current project, and they will be able to access all of the project's Cloud IAP-secured resources.
    The following kinds of accounts can be members:
    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com
  5. Under Resources, find the load balancer that serves the container cluster you want to restrict access to. To turn on Cloud IAP for a resource, click Off in the IAP column.
    • To enable Cloud IAP, at least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
  6. In the Turn on IAP window that appears, list all domains used to access the resource. Make sure to include the domain registered to the address of your load balancer.
  7. Click Turn On to confirm that you want the resource to be secured by Cloud IAP. After you turn on Cloud IAP, it requires login credentials for all connections to your load balancer, and only accounts with the IAP access: HTTPS role on this project will be given access.

If you want to access your app from more URLs later, follow the process below:

  1. Go to the Cloud IAP admin page.
  2. Click More next to the resource to which you want to add a URL, then click Edit OAuth client.
  3. In the Credentials window that appears, under Authorized redirect URIs, add each URL in the form yourURL/_gcp_gatekeeper/authenticate.
  4. When you're finished adding URLs, click Save. You'll now be able to access your app from those URLs with Cloud IAP turned on.

Enabling Cloud IAP using Cloud SDK

This section describes how to use the gcloud command-line tool to turn on Cloud IAP for Container Engine applications. Using the gcloud command-line tool to turn on Cloud IAP for App Engine is not yet supported. Use the App Engine quickstart instead.

Getting Cloud SDK

Before you set up your project and Cloud IAP, you'll need an up-to-date version of Cloud SDK. Get Cloud SDK.

Setting up your project

Select the project for which you want to enable Cloud IAP and set it up as follows:

  1. Define backend services.
  2. Set up load balancing.
  3. Set up an OAuth client:
    1. Go to API > Credentials and select the project for which you want to enable Cloud IAP.
    2. Set up your OAuth consent screen:
      1. Go to the OAuth consent screen.
      2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
      3. Enter the Product name you want to display.
      4. Add any optional details you'd like.
      5. Click Save.
      6. Go back to the Cloud IAP admin page.
    3. Under Credentials, click Create credentials > OAuth client ID.
    4. Under Application type, select Web application, then add a Name and specify the Authorized redirect URLs, each in the form yourURL/_gcp_gatekeeper/authenticate.
    5. When you're finished entering details, click Create.
    6. In the OAuth client window that appears, make note of the client ID and client secret.

Enabling Cloud IAP

  1. Using the gcloud command-line tool, run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project project_id, replacing project_id with the ID of the project for which you want to enable Cloud IAP.
  5. To enable Cloud IAP, run gcloud compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret, replacing backend_service_name with the name of the backend service behind your load balancer and client_id and client_secret with the OAuth client ID and secret you noted above.

After you enable Cloud IAP, you can use the gcloud command-line tool to manage the Cloud IAP access policy through the Cloud IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.
