Enabling Cloud IAP Using Cloud SDK

This page describes how to use the gcloud command-line tool to enable Cloud Identity-Aware Proxy (Cloud IAP) for Compute Engine and Container Engine applications.

Before you begin

Before you begin, you'll need the following:

  1. An up-to-date version of Cloud SDK. Get Cloud SDK.
  2. A project for which you want to enable Cloud IAP. Set the project up as follows:
    1. If you're setting up Cloud IAP for Compute Engine, go to the Instance groups page to make sure your instances are in an instance group.
    2. Define backend services.
    3. Set up load balancing.
    4. Set up an OAuth client:
      1. Go to API > Credentials and select the project for which you want to enable Cloud IAP.
      2. Under "OAuth consent screen", enter an email address and product name. These details will be visible to anyone who accesses your URL, even if they don't have access to the application.
      3. Under "Credentials", click Create credentials > OAuth client ID.
      4. Under "Application type", select Web application, then add a Name and specify Authorized redirect URLs in the format yourURL/_gcp_gatekeeper/authenticate.
      5. When you're finished entering details, click Create and make note of the "client ID" and "client secret" that display in the OAuth client window.

Enabling Cloud IAP using Cloud SDK

  1. Using the gcloud command-line tool, run gcloud auth login.
  2. Follow the URL that appears to sign in.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run gcloud config set project project_id for the project for which you want to enable Cloud IAP.
  5. To enable Cloud IAP, use the OAuth client ID and secret you created under "Set up an OAuth client" above and run gcloud beta compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret.
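
The last two steps above as shell functions, with checks on the redirect URL and on the --iap value before anything is sent to gcloud. This is an added example, not part of the original page; the function names, the secret-file convention and the HTTPS requirement on the application URL are assumptions.

```shell
# Added example, not from the original page. Hypothetical names:
# iap_redirect_uri, iap_flag_value, enable_iap, and the secret-file argument.

# Build the Authorized redirect URL in the format yourURL/_gcp_gatekeeper/authenticate.
# Assumption: the application is served over HTTPS.
iap_redirect_uri() {
  local url="${1%/}"                       # drop one trailing slash
  case "$url" in
    https://?*) printf '%s/_gcp_gatekeeper/authenticate\n' "$url" ;;
    *) echo "error: application URL must start with https://" >&2; return 1 ;;
  esac
}

# Build the value passed to --iap. It is a comma-separated list of key=value
# pairs, so an empty field, a comma or whitespace in either credential would
# change how the flag is parsed.
iap_flag_value() {
  local id="$1" secret="$2"
  if [ -z "$id" ] || [ -z "$secret" ]; then
    echo "error: client ID and client secret are both required" >&2; return 1
  fi
  case "$id$secret" in
    *,*|*[[:space:]]*)
      echo "error: comma or whitespace in client ID or secret" >&2; return 1 ;;
  esac
  printf 'enabled,oauth2-client-id=%s,oauth2-client-secret=%s\n' "$id" "$secret"
}

# Steps 4 and 5 of the procedure. The secret is read from a file so it is not
# typed into shell history; it is still present in gcloud's argument list
# while the command runs.
enable_iap() {
  local project="$1" backend="$2" client_id="$3" secret_file="$4" secret iap
  secret="$(cat "$secret_file")" || return 1
  iap="$(iap_flag_value "$client_id" "$secret")" || return 1
  gcloud config set project "$project" || return 1
  gcloud beta compute backend-services update "$backend" --global --iap="$iap"
}

# Usage after `gcloud auth login` (all four arguments are placeholders):
#   iap_redirect_uri https://yourURL
#   enable_iap project_id backend_service_name client_id ./client_secret.txt
```

Keep the secret file readable only by your own user and delete it once the backend service has been updated.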
