Managing access to Cloud IAP-secured resources

This page describes how to manage individual or group access to Cloud Identity-Aware Proxy (Cloud IAP)-secured resources at the resource level.

Overview

Cloud IAP enables you to configure Cloud IAP policies for individual resources in a Google Cloud Platform (GCP) project. Multiple apps within a project can each have different access policies. This includes projects that have Compute Engine, Google Kubernetes Engine, and App Engine apps. For App Engine apps, individual versions and services can have different access policies applied.

To manage project level and higher access, use the Cloud IAM admin page. Lists of users who have access (the "members") at the project level applies to all Cloud IAP-secured resources in the project.

Before you begin

Before you begin, you'll need the following:

  • A Cloud IAP-secured resource to which you want to add individual or group access.
  • User or group names for which you want to add access.

Turning Cloud IAP on and off

To turn Cloud IAP on and off, certain permissions are needed. The following table shows the permission needed for each app type.

App type Permission required
App Engine appengine.applications.update
Compute Engine or Google Kubernetes Engine compute.backendServices.update

These permissions are granted by roles such as Project Editor, App Engine Admin, and Compute Network Admin. While these roles allow turning Cloud IAP on and off, they don't have the permissions needed to modify access policies.

In addition, turning Cloud IAP on with the GCP Console might also require the clientauthconfig.clients.create and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by the Project Editor role.

To learn more about granting roles, see Granting, changing, and revoking access.

Managing access in the GCP Console

To control access to a Cloud IAP-secured resource with the GCP Console, follow the process to add or remove access.

Add access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page

  2. Select the resource you want to secure with Cloud IAP. The following resource selections secure a set group of resources:

    • All Web Services: All resources in the project will be secured. Note that this is not the same as granting project level access with the Cloud IAM admin page. A user granted the IAP Policy Admin role at the All Web Services resource level will only have permissions to Cloud IAP policies.

    • Backend Services: All backend services will be secured.

  3. On the right side Info panel, add the email addresses of groups or individuals to whom you want to grant a Cloud IAM role for the resource.

  4. Apply access policy roles to the member by selecting from the following roles in the Select a role dropdown:

    • Owner: Grants the same access as IAP Policy Admin. Use the IAP Policy Admin role instead. This role only allows modifying policies, and doesn't grant access to the app.

    • IAP Policy Admin: Grants administrator rights over Cloud IAP policies.

    • IAP-Secured Web App User: Grants access to the app and other HTTPS resources that use Cloud IAP.

    • Security Reviewer: Grants permission to view and audit Cloud IAP policies.

  5. When you're finished adding email addresses and setting roles, click Add

Remove access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the resource that is secured with Cloud IAP.
  3. On the right side Info panel, select the section that corresponds to the role you want to remove from a member.
  4. In the expanded section, next to each user or group name for which you want to remove the role, click Remove.
  5. In the Remove member dialog that appears, click Remove.

Managing access with the API

Cloud Identity and Access Management (Cloud IAM) provides a standard set of methods for creating and managing access control policies on Google Cloud Platform resources.

Resources and Permissions

The Cloud IAP API enables you to apply Cloud IAM permissions to individual resources in a Cloud IAP-secured project. Cloud IAM permissions granted at a certain level apply to all levels underneath it. For example, a permission granted at the project level applies to all GCP resources in the project. Access for project-level and above is managed in the Cloud IAM admin page, but will be displayed in the Cloud IAP admin page.

Users need certain permissions to access a Cloud IAP-secured app and use methods that update Cloud IAM policies. The iap.webServiceVersions.accessViaIAP permission grants access to the app. If you're using Cloud IAP to control access to administrative services like SSH and RDP, users will need the iap.tunnelInstances.accessViaAP permission.

Each Cloud IAP resource has its own getIamPolicy and setIamPolicy permission that grants the ability to manage access policies for that resource and its children.

To call the Cloud IAM API, construct a call with a URL path to a resource. The following is an example call that gets the Cloud IAM policy for an App Engine app service version.

https://iap.googleapis.com/v1beta1/projects/PROJECT_NUMBER/iap_web/
appengine-APP_ID/services/SERVICE_ID/versions/VERSION_ID:getIamPolicy
Resource Type Description Path Permissions
iap.web Every Cloud IAP-secured web app in the project. This is the same as the All Web Services checkbox on the Cloud IAP admin page.
https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web
iap.web.getIamPolicy

iap.web.setIamPolicy
iap.webTypes Either a backend service or an App Engine app. This is the same as the Backend Service and App Engine app checkboxes on the Cloud IAP admin page. Backend service

https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web/compute


App Engine app

https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web/appengine-APP_ID
iap.webTypes.getIamPolicy

iap.webTypes.setIamPolicy
iap.webServices Either a Compute Engine backend service or an App Engine app service. The backend service path can either speficy either the backend service ID or the backend service name. Backend services

https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web/compute/services/
BACKEND_SERVICE_ID or BACKEND_SERVICE_NAME


App Engine app

https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web/appengine-APP_ID/
services/APP_SERVICE_ID
iap.webServices.getIamPolicy

iap.webServices.setIamPolicy
iap.webServiceVersions An App Engine service version. Compute Engine doesn't support versioning.
https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_web/appengine-APP_ID/
services/APP_SERVICE_ID/versions/VERSION_ID
iap.webServiceVersions.getIamPolicy

iap.webServiceVersions.setIamPolicy
iap.tunnel Every Cloud IAP-secured instance in the project. This is the same as the All Tunnel Resources checkbox on the Cloud IAP admin page.
https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_tunnel
iap.tunnel.getIamPolicy

iap.tunnel.setIamPolicy
iap.tunnelZones Every zone which has at least one instance. This is the same as a zone name checkbox on the Cloud IAP admin page, for example, us-central1-c.
https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_tunnel/zones/ZONE_NAME
iap.tunnelZones.getIamPolicy

iap.tunnelZones.setIamPolicy
iap.tunnelInstances An individual instance.
https://iap.googleapis.com/v1beta1/projects/
PROJECT_NUMBER/iap_tunnel/zones/ZONE_NAME
/instances/INSTANCE_ID or INSTANCE_NAME
iap.tunnelInstances.getIamPolicy

iap.tunnelInstances.setIamPolicy

Roles

The following table lists the Cloud IAP Cloud IAM roles with a corresponding list of all of the Cloud IAP-specific permissions each role includes. For more information about Cloud IAM roles see Managing Roles and Permissions.

Role Includes permission(s) Description
IAP-Secured Web App User (roles/iap.httpsResourceAccessor) iap.webServiceVersions.accessViaIAP Grants access to App Engine and Compute Engine resources.
IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) iap.tunnelInstances.accessViaIAP Grants access to tunnel resources that use Cloud IAP.
IAP Policy Admin (roles/iap.admin) iap.web.getIamPolicy
iap.web.setIamPolicy
iap.webTypes.getIamPolicy
iap.webTypes.setIamPolicy
iap.webServices.getIamPolicy
iap.webServices.setIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServiceVersions.setIamPolicy
Grants Cloud IAP administrative rights to manage Cloud IAP access policies of resources.

Public access

To grant everyone access to a resource, add one of the following members to its access list:

  • allAuthenticatedUsers: Anyone who is authenticated with a Google account or a service account.
  • allUsers: Anyone who is on the internet, including authenticated and unauthenticated users. The signed header for the request won't have a sub or email claim.

If public access is granted, Cloud IAP won't generate Cloud Audit Logging logs for the request.

Currently, bindings that grant public access can't have a condition associated with it. For example, a policy that allows anyone access to a resource if the request path starts with /public/ is invalid.

Was this page helpful? Let us know how we did:

Send feedback about...

Identity-Aware Proxy Documentation