This page describes how to use the gcloud command-line tool to enable Cloud Identity-Aware Proxy (Cloud IAP) for Compute Engine and Container Engine applications. Using the gcloud command-line tool to enable Cloud IAP for App Engine is not yet supported. Use the App Engine Quickstart instead.
Before you begin
Before you begin, you'll need the following:
- An up-to-date version of Cloud SDK. Get Cloud SDK.
- A project for which you want to enable Cloud IAP. Set the project up as follows:
  - If you're setting up Cloud IAP for Compute Engine, go to the Instance groups page to make sure your instances are in an instance group.
  - Define backend services.
  - Set up load balancing.
  - Set up an OAuth client:
    - Go to API > Credentials and select the project for which you want to enable Cloud IAP.
    - Set up your OAuth consent screen:
    - Under Credentials, click Create credentials > OAuth client ID.
    - Under Application type, select Web application, then add a Name and specify Authorized redirect URLs in the format of
    - When you're finished entering details, click Create and make note of the "client ID" and "client secret" that display in the OAuth client window.
Enabling Cloud IAP using Cloud SDK
- Using the gcloud command-line tool, run gcloud auth login.
  - Follow the URL that appears to sign in.
  - After you sign in, copy the verification code that appears and paste it in the command line.
- Run gcloud config set project project_id for the project for which you want to enable Cloud IAP.
- To enable Cloud IAP, use the OAuth client ID and secret you created above and run:
  gcloud beta compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret
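The steps above as a small wrapper, added here as an example and not taken from the original page. The function names, the IAP_CLIENT_SECRET and DRY_RUN variables, and all sample values are assumptions made for illustration; only the two gcloud commands come from the page.

```shell
#!/bin/sh
# Added example. Function names, variables and sample values are hypothetical.

# Build the value of --iap. The flag is a comma-separated key=value list,
# so a comma or space inside the client ID or secret would be misparsed.
iap_flag_value() {
    id=$1; secret=$2
    [ -n "$secret" ] || { echo "client secret is empty" >&2; return 1; }
    case $id in
        # Assumption: Google-issued web client IDs carry this suffix.
        *.apps.googleusercontent.com) ;;
        *) echo "client ID must end in .apps.googleusercontent.com" >&2; return 1 ;;
    esac
    case "$id$secret" in
        *,*|*" "*) echo "comma or space in client ID or secret" >&2; return 1 ;;
    esac
    printf 'enabled,oauth2-client-id=%s,oauth2-client-secret=%s\n' "$id" "$secret"
}

# enable_iap PROJECT BACKEND_SERVICE CLIENT_ID
# Takes the secret from $IAP_CLIENT_SECRET instead of a typed argument.
# The secret is still handed to gcloud on its command line, as in the
# page's own command. DRY_RUN=1 prints the commands with it redacted.
enable_iap() {
    project=$1; backend=$2; id=$3
    value=$(iap_flag_value "$id" "${IAP_CLIENT_SECRET:-}") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "gcloud config set project $project"
        echo "gcloud beta compute backend-services update $backend --global" \
             "--iap=${value%%oauth2-client-secret=*}oauth2-client-secret=REDACTED"
        return 0
    fi
    gcloud config set project "$project" &&
    gcloud beta compute backend-services update "$backend" --global --iap="$value"
}

# Dry run with constructed placeholder values (nothing is sent to gcloud).
(
    IAP_CLIENT_SECRET=example-secret
    DRY_RUN=1
    enable_iap example-project example-backend 1234-abc.apps.googleusercontent.com
)
```

Run gcloud auth login first; without DRY_RUN=1 the function executes both commands against the named project.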
After you enable Cloud IAP, you can use the gcloud command-line tool to manipulate Cloud IAP access policy using the Cloud IAM role roles/iap.httpsResourceAccessor. Learn more about Managing Roles and Permissions.
- Learn about the gcloud command-line tool.