Enabling Cloud IAP Using Cloud SDK

This page describes how to use the gcloud command-line tool to enable Cloud Identity-Aware Proxy (Cloud IAP) for Compute Engine and Container Engine applications. Using the gcloud command-line tool to enable Cloud IAP for App Engine is not yet supported. Use the App Engine Quickstart instead.

Before you begin

Before you begin, you'll need the following:

  1. An up-to-date version of Cloud SDK. Get Cloud SDK.
  2. A project for which you want to enable Cloud IAP. Set the project up as follows:
    1. If you're setting up Cloud IAP for Compute Engine, go to the Instance groups page to make sure your instances are in an instance group.
    2. Define backend services.
    3. Set up load balancing.
    4. Set up an OAuth client:
      1. Go to API > Credentials and select the project for which you want to enable Cloud IAP.
      2. Set up your OAuth consent screen:
        1. Go to the OAuth consent screen.
        2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
        3. Enter the Product name you want to display.
        4. Add any optional details you'd like.
        5. Click Save.
      3. Under Credentials, click Create credentials > OAuth client ID.
      4. Under Application type select Web application, then add a Name and specify Authorized redirect URIs in the form yourURL/_gcp_gatekeeper/authenticate, where yourURL is the address at which the load balancer serves your application.
      5. When you're finished entering details, click Create and make note of the client ID and client secret shown in the OAuth client window. Treat the client secret like a password: you'll pass it to gcloud in the next section, so store it somewhere private rather than in a shared document or chat.

Enabling Cloud IAP using Cloud SDK

  1. Using the gcloud command-line tool, run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project project_id, where project_id is the ID (not the display name) of the project for which you want to enable Cloud IAP.
  5. To enable Cloud IAP, use the OAuth client ID and secret you created above and run gcloud beta compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret. Because the client secret is passed as a command-line argument, it ends up in your shell history and is visible to other users on the machine in process listings while the command runs; prefer running it from a script that reads the secret from a private file, and don't paste the command into shared terminals or logs.

After you enable Cloud IAP, you can use the gcloud command-line tool to control who can reach the application: grant the Cloud IAM role roles/iap.httpsResourceAccessor to the users and groups that should be allowed through, and remove that binding to revoke access. Learn more about Managing Roles and Permissions.
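The following script is an added example, not code from the original page or from Google. It carries out step 5 of the procedure above, reads the backend service back to confirm IAP is on and bound to the expected OAuth client, and then grants one principal roles/iap.httpsResourceAccessor as described in the paragraph above. The backend service name, the secret file path, the member and the client ID are assumptions (placeholders you override through the environment); the verification relies on the iap.enabled and iap.oauth2ClientId fields that gcloud prints for a backend service. Nothing talks to Google Cloud unless the script is invoked with the argument run, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original page or from Google.
# Enables Cloud IAP on a global backend service with the OAuth client
# created in "Before you begin", verifies the result, and grants one
# principal roles/iap.httpsResourceAccessor. The backend service name,
# secret file path, member and client ID are assumptions; override them
# through the environment.
set -eu

BACKEND_SERVICE="${BACKEND_SERVICE:-my-backend-service}"                # assumed name
CLIENT_ID="${CLIENT_ID:-123456789012-abc.apps.googleusercontent.com}"   # placeholder
SECRET_FILE="${SECRET_FILE:-$HOME/.config/iap/client_secret}"           # assumed path
MEMBER="${MEMBER:-user:alice@example.com}"                              # assumed principal

# Return 0 only if the file exists and has no group/other permission bits,
# so a world-readable copy of the client secret is refused.
secret_file_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  [ -z "$(find "$f" -perm -g+r -o -perm -o+r -o -perm -g+w -o -perm -o+w)" ]
}

# Check one output line of
#   gcloud compute backend-services describe NAME --global \
#       --format='value(iap.enabled,iap.oauth2ClientId)'
# which reads "True<TAB><client id>" once IAP is on and bound to our client.
iap_status_ok() {
  line="$1"; expected_client="$2"
  enabled=$(printf '%s\n' "$line" | cut -f1)
  client=$(printf '%s\n' "$line" | cut -f2)
  [ "$enabled" = "True" ] && [ "$client" = "$expected_client" ]
}

# Step 5 of the procedure. The secret is read from a private file rather
# than typed, so it stays out of shell history; it is still visible in the
# gcloud process's argument list for the duration of the command.
enable_iap() {
  secret_file_is_private "$SECRET_FILE" || {
    echo "refusing: $SECRET_FILE must exist and be mode 0600" >&2
    return 1
  }
  secret=$(cat "$SECRET_FILE")
  gcloud beta compute backend-services update "$BACKEND_SERVICE" --global \
    --iap="enabled,oauth2-client-id=${CLIENT_ID},oauth2-client-secret=${secret}"
}

# Read the backend service back and confirm IAP is enabled with our client.
verify_iap() {
  status=$(gcloud compute backend-services describe "$BACKEND_SERVICE" --global \
    --format='value(iap.enabled,iap.oauth2ClientId)')
  iap_status_ok "$status" "$CLIENT_ID"
}

# Allow one user or group through IAP for every IAP-protected resource in
# the current project (project-scoped binding).
grant_access() {
  project=$(gcloud config get-value project)
  gcloud projects add-iam-policy-binding "$project" \
    --member="$MEMBER" --role="roles/iap.httpsResourceAccessor"
}

# Only contact Google Cloud when invoked as:  sh enable_iap.sh run
if [ "${1:-}" = "run" ]; then
  enable_iap && verify_iap && grant_access
fi
```

To use it, put the client secret alone in a file with mode 0600 (for example umask 077 before creating it), export BACKEND_SERVICE, CLIENT_ID, SECRET_FILE and MEMBER, and run sh enable_iap.sh run after gcloud auth login and gcloud config set project. The permission check and the status check are deliberately separate functions so they can be reused in a CI job that re-verifies the IAP binding after every deployment.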
