Managing access to Cloud IAP-secured resources

This page describes how to manage individual or group access to a Cloud Identity-Aware Proxy (Cloud IAP)-secured project. Cloud IAP works at the project level, so the list of users who have access (the "members") applies to all Cloud IAP-secured resources in a project.

Before you begin

Before you begin, you'll need the following:

  • A Cloud IAP-secured project to which you want to add individual or group access.
  • User or group names for which you want to add access.

Managing access in the Cloud Platform Console

To control access to a Cloud IAP-secured project via the Cloud Platform Console, follow the process below to add or remove access.

Add access

  1. Go to the Cloud IAP admin page.
  2. If you don't already have an active project, you'll be prompted to select the project you want to secure with Cloud IAP.
  3. Under Access, click Add.
  4. In the Add members window that appears, enter one or more user or group email addresses.
  5. When you're finished adding email addresses, click Add to add access.

Remove access

  1. Go to the Cloud IAP admin page.
  2. If you don't already have an active project, you'll be prompted to select the project you want to secure with Cloud IAP.
  3. Under Access, select the box next to each user or group name for which you want to remove access, then click Remove.
  4. In the Remove member window that appears, click Remove to remove access.

Managing access via the API

Cloud Identity Access Management (Cloud IAM) provides a standard set of methods for creating and managing access control policies on Google Cloud Platform resources.

To add user access to a Cloud IAP-secured resource via the API, grant the user the Cloud IAP role in Cloud IAM on that resource. The Cloud IAP role, roles/iap.httpsResourceAccessor, grants the permission appengine.app.accessViaIAP or compute.backendServices.accessViaIAP, depending on the resource type. You can also assign the Cloud IAP role at any available higher level in the Cloud IAM hierarchy, such as the project or customer, in which case it applies to every Cloud IAP-secured resource below that level.

Learn more about managing roles and permissions for Cloud IAM.
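To script the API path described above, the following is an added example, not code from the Cloud IAP documentation: it performs the read-modify-write on a project's IAM policy to grant roles/iap.httpsResourceAccessor and lists who currently holds that role, which is the access list a security team reviews. The google-api-python-client calls, the project ID and the sample email addresses are assumptions.

```python
# Added example, not from the Cloud IAP docs: grant or audit the Cloud IAP role
# on a project via the Cloud Resource Manager IAM API. The policy helpers run
# offline; grant_iap_access() assumes google-api-python-client is installed.
import copy

IAP_ROLE = "roles/iap.httpsResourceAccessor"


def add_member_to_role(policy, member, role=IAP_ROLE):
    """Copy of policy with member added to role; keeps the etag so that
    setIamPolicy rejects the write if the policy changed since it was read."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        # Skip conditional bindings: adding there would inherit the condition.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def members_with_role(policy, role=IAP_ROLE):
    """Every member holding role: the access list a security team reviews."""
    return sorted(
        m for b in policy.get("bindings", []) if b["role"] == role
        for m in b.get("members", [])
    )


def grant_iap_access(project_id, member):
    """Read-modify-write the project IAM policy to grant the Cloud IAP role."""
    from googleapiclient import discovery  # assumed installed; uses ADC
    crm = discovery.build("cloudresourcemanager", "v1")
    policy = crm.projects().getIamPolicy(resource=project_id, body={}).execute()
    updated = add_member_to_role(policy, member)
    if updated == policy:
        return policy  # member already has the role; nothing to write
    return crm.projects().setIamPolicy(
        resource=project_id, body={"policy": updated}).execute()


# Constructed sample policy in the shape getIamPolicy returns.
SAMPLE_POLICY = {
    "etag": "BwWkXAExample=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": IAP_ROLE, "members": ["group:app-users@example.com"]},
    ],
}
```

Run `members_with_role` against the live policy on a schedule and diff it against the expected access list; any member that appears without a matching change request is the signal to investigate.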

Best practices

Access lists

  • Use a specialized security team to manage all of your access lists.
  • Set up different access lists for projects that have Cloud IAP-secured resources:
      • Group sets of resources for a team into a single project so you can manage access controls in one place.
      • Create resources in separate projects if they need to have different access lists. Resources can't easily be moved between projects, and they can't exist in multiple projects.
  • Cloud IAP controls access to a resource. Use Cloud IAM to define what a user can do after they access the resource.
