This page describes how to use the gcloud command-line tool to enable Cloud Identity-Aware Proxy (Cloud IAP) for Compute Engine and Container Engine applications. Using the gcloud command-line tool to enable Cloud IAP for App Engine is not yet supported. Use the App Engine Quickstart instead.
Before you begin
Before you begin, you'll need the following:
- An up-to-date version of Cloud SDK. Get Cloud SDK.
- A project for which you want to enable Cloud IAP. Set the project up as follows:
  - If you're setting up Cloud IAP for Compute Engine, go to the Instance groups page to make sure your instances are in an instance group.
  - Define backend services.
  - Set up load balancing.
  - Set up an OAuth client:
    - Go to API > Credentials and select the project for which you want to enable Cloud IAP.
    - Under "OAuth consent screen", enter an email address and product name. These details will be visible to anyone who accesses your URL, even if they don't have access to the application.
    - Under "Credentials", click Create credentials > OAuth client ID.
    - Under "Application type" select Web application, then add a Name and specify Authorized redirect URLs in the format of
    - When you're finished entering details, click Create and make note of the "client ID" and "client secret" that display in the OAuth client window.
Enabling Cloud IAP using Cloud SDK
- Using the gcloud command-line tool, run
  gcloud auth login
  - Follow the URL that appears to sign in.
  - After you sign in, copy the verification code that appears and paste it in the command line.
- Run
  gcloud config set project project_id
  for the project for which you want to enable Cloud IAP.
- To enable Cloud IAP, use the OAuth client ID and secret you created under "Set up an OAuth client" above and run
  gcloud beta compute backend-services update backend_service_name --global --iap=enabled,oauth2-client-id=client_id,oauth2-client-secret=client_secret
- Learn about the gcloud command-line tool.
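
The enable step above places the OAuth client secret directly on the command line, where it is saved in shell history. The following wrapper is an added example, not part of the original page or of Cloud SDK: it reads the secret from a file and validates both values before building the `--iap` flag. The function names, the `DRY_RUN` variable and the secret-file argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names); wraps the page's
# "backend-services update ... --iap=..." command with input checks.

# Build the --iap value from an OAuth client ID and secret.
# --iap is a comma-separated key=value list, so an empty value, a comma or
# whitespace inside either credential would corrupt the flag.
build_iap_flag() {
  local client_id="$1" client_secret="$2" v
  for v in "$client_id" "$client_secret"; do
    case $v in
      ''|*,*|*[[:space:]]*)
        echo "invalid OAuth credential value" >&2
        return 1 ;;
    esac
  done
  printf -- '--iap=enabled,oauth2-client-id=%s,oauth2-client-secret=%s' \
    "$client_id" "$client_secret"
}

# Enable Cloud IAP on one global backend service.
# The secret is read from a file (assumed to be readable only by you) so it
# is never typed at the prompt and never lands in shell history. It is still
# visible in the gcloud process arguments while the command runs.
# With DRY_RUN=1 the gcloud call is skipped and the command is printed with
# the secret masked.
enable_iap() {
  local backend="$1" client_id="$2" secret_file="$3" secret flag
  [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
  secret=$(tr -d '\r\n' < "$secret_file")
  flag=$(build_iap_flag "$client_id" "$secret") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "gcloud beta compute backend-services update $backend --global" \
      "${flag%oauth2-client-secret=*}oauth2-client-secret=***"
    return 0
  fi
  gcloud beta compute backend-services update "$backend" --global "$flag"
}

# Usage (after gcloud auth login and gcloud config set project):
#   enable_iap backend_service_name client_id ./client_secret.txt
```

Delete the secret file once the backend service has been updated.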