Enabling Cloud IAP for Kubernetes Engine

This page explains how to secure a Kubernetes Engine instance with Cloud Identity-Aware Proxy (Cloud IAP).

Before you begin

To enable Cloud IAP for Kubernetes Engine, you'll need the following:

  • A GCP Console project with billing enabled.
  • A group of one or more Kubernetes Engine instances, served by an HTTPS load balancer.
  • A domain name registered to the address of your load balancer.
  • A GCP SDK installation.
  • Application code to verify that all requests have an identity.
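
The last prerequisite above, application code that verifies every request carries an identity, is what protects the backend if a request reaches it without passing through the load balancer, or arrives with a forged identity header. Cloud IAP passes the identity it verified to the backend in the x-goog-iap-jwt-assertion request header as an ES256-signed JWT (issuer https://cloud.google.com/iap; for a backend service the audience is /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID; the signing public keys are published at https://www.gstatic.com/iap/verify/public_key). The following Python is an added example, not code from the original page or from Google: it validates that header the way a backend should (algorithm pinned, key id looked up, signature checked, then issuer, audience, expiry and identity claims). So that it runs offline it inlines P-256 ECDSA, mints its own throwaway key pair and token, and takes public keys as (x, y) points rather than the PEM strings IAP publishes; the project number, backend service id, key id and user in it are constructed placeholders. Production code should use a vetted JWT library and the real key set.

```python
"""Verify the signed identity header (x-goog-iap-jwt-assertion) that Cloud IAP adds to
each request it proxies. Added example, not from the original page: P-256 ECDSA is
inlined and a throwaway key pair and token are minted so it runs offline; production
code should use a vetted JWT library and IAP's published public keys instead."""
import base64, hashlib, json, secrets, time

IAP_ISSUER = "https://cloud.google.com/iap"
# NIST P-256 domain parameters (ES256 = ECDSA over P-256 with SHA-256).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def _add(p1, p2):
    """Affine point addition on y^2 = x^3 - 3x + b over GF(P); None is the identity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for verification)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(priv, kid, claims):
    """Mint a JWT the way IAP's signer would; used here only to produce test input."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    z = int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")
    r = s = 0
    while not (r and s):
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
    return body + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

class IapVerificationError(Exception):
    pass

def verify_iap_assertion(token, public_keys, expected_audience, now=None):
    """Return the verified claims of an x-goog-iap-jwt-assertion value, or raise.
    public_keys maps the JWT 'kid' to a P-256 point (x, y); for a GKE backend the
    audience is '/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID'."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IapVerificationError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    pub = public_keys.get(header.get("kid"))
    if header.get("alg") != "ES256" or pub is None:  # pin the algorithm (never alg=none)
        raise IapVerificationError("unexpected alg or unknown kid")
    sig = b64url_decode(s64)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if len(sig) != 64 or not (0 < r < N and 0 < s < N):
        raise IapVerificationError("bad signature")
    z = int.from_bytes(hashlib.sha256(f"{h64}.{c64}".encode()).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    if pt is None or pt[0] % N != r:
        raise IapVerificationError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != IAP_ISSUER or claims.get("aud") != expected_audience:
        raise IapVerificationError("wrong issuer or audience")  # e.g. token for another backend
    if not (claims.get("iat", 0) <= now + 30 and claims.get("exp", 0) > now):
        raise IapVerificationError("token expired or not yet valid")
    if not claims.get("email") or not claims.get("sub"):
        raise IapVerificationError("no identity in token")
    return claims

# Constructed demo material: throwaway key pair, placeholder project number and backend id.
DEMO_PRIV = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % (N - 1) + 1
DEMO_KEYS = {"demo-kid": _mul(DEMO_PRIV, G)}
DEMO_AUD = "/projects/123456789012/global/backendServices/987654321"

def demo_claims(now):
    return {"iss": IAP_ISSUER, "aud": DEMO_AUD, "sub": "accounts.google.com:demo-id",
            "email": "accounts.google.com:alice@example.com", "iat": int(now), "exp": int(now) + 600}

if __name__ == "__main__":
    token = sign_assertion(DEMO_PRIV, "demo-kid", demo_claims(time.time()))
    print("verified identity:", verify_iap_assertion(token, DEMO_KEYS, DEMO_AUD)["email"])
```

Run it directly to see the demo identity verified. In a real service, pass the header value and the audience of the backend service that fronts the cluster to verify_iap_assertion and answer 401 whenever it raises; checking the audience is what stops a token minted for one protected backend from being replayed against another.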

Enabling Cloud IAP using the GCP Console

Selecting a project

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with Cloud IAP.

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. An email address and product name are required for the OAuth consent screen.
  1. Go to the OAuth consent screen.
  2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
  3. Enter the Product name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

Setting up Cloud IAP access

  1. Go to the Identity-Aware Proxy page.
  2. On the right side panel, next to Access, click Add.
  3. In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-Secured Web App User role for the project.

    The following kinds of accounts can be members:

    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com

    Make sure to add a Google account that you have access to.

  4. When you're finished adding members, click Add.

Turning on Cloud IAP

  1. On the Identity-Aware Proxy page, under Resource, find the load balancer that serves the container cluster you want to restrict access to. To turn on Cloud IAP for a resource, click Off in the IAP column.
    • To enable Cloud IAP, at least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
  2. In the Turn on IAP window that appears, list all domains used to access the resource. Make sure to include the domain registered to the address of your load balancer.
  3. Click Turn On to confirm that you want the resource to be secured by Cloud IAP. After you turn on Cloud IAP, it requires login credentials for all connections to your load balancer, and only accounts with the IAP-Secured Web App User role on the project will be given access.

To access your app from more domains later, follow the process below:

  1. Go to the Identity-Aware Proxy page.
  2. Click More next to the resource to which you want to add a domain, then click Edit OAuth client.
  3. In the Credentials window that appears, under Authorized redirect URIs, add each domain as a redirect URI in the format your_domain/_gcp_gatekeeper/authenticate.
  4. When you're finished adding domains, click Save. You'll now be able to access your app from those domains with Cloud IAP turned on.

Enabling Cloud IAP using GCP SDK

This section describes how to use the gcloud command-line tool to turn on Cloud IAP for Kubernetes Engine applications. Using the gcloud command-line tool to turn on Cloud IAP for App Engine is not yet supported. Use the App Engine quickstart instead.

Getting GCP SDK

Before you set up your project and Cloud IAP, you'll need an up-to-date version of GCP SDK. Get GCP SDK.

Setting up your project

Select the project for which you want to enable Cloud IAP and set it up as follows:

  1. Define backend services.
  2. Set up load balancing.
  3. Set up an OAuth client:
    1. Go to API > Credentials and select the project for which you want to enable Cloud IAP.
    2. Set up your OAuth consent screen:
      1. Go to the OAuth consent screen.
      2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
      3. Enter the Product name you want to display.
      4. Add any optional details you'd like.
      5. Click Save.

      To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

    3. Under Credentials, click Create credentials > OAuth client ID.
    4. Under Application type, select Web application, then add a Name and specify Authorized redirect URIs in the format yourURL/_gcp_gatekeeper/authenticate.
    5. When you're finished entering details, click Create.
    6. In the OAuth client window that appears, make note of the client ID and client secret.

Enabling Cloud IAP

  1. Using the gcloud command-line tool, run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project project_id, where project_id is the project for which you want to enable Cloud IAP.
  5. To enable Cloud IAP, use the OAuth client ID and secret you created above and run the following command:
    gcloud compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret

After you enable Cloud IAP, you can use the gcloud command-line tool to manage the Cloud IAP access policy by granting or revoking the Cloud IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.
