Managing access to Cloud IAP-secured resources

This page describes how to manage individual or group access to a Cloud Identity-Aware Proxy (Cloud IAP)-secured project. Cloud IAP works at the project level, so the list of users who have access (the "members") applies to all Cloud IAP-secured resources in a project.

Before you begin

Before you begin, you'll need the following:

  • A Cloud IAP-secured project to which you want to add individual or group access.
  • The email addresses of the users or groups to which you want to grant access.

Managing access in the GCP Console

To control access to a Cloud IAP-secured project via the GCP Console, follow the process below to add or remove access.

Add access

  1. Go to the Identity-Aware Proxy page.
  2. Select the Cloud IAP-secured project whose access you want to manage.
  3. On the right side Info panel, next to Access, click Add.
  4. In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-Secured Web App User role for the project.
  5. When you're finished adding email addresses, click Add.

Remove access

  1. Go to the Identity-Aware Proxy page.
  2. Select the Cloud IAP-secured project whose access you want to manage.
  3. On the right side Info panel, under Access, select the box next to each user or group name for which you want to remove the IAP-Secured Web App User role, then click Remove.
  4. In the Remove member dialog that appears, click Remove.

Managing access via the API

Cloud Identity and Access Management (Cloud IAM) provides a standard set of methods for creating and managing access control policies on Google Cloud Platform resources.

To add user access to a Cloud IAP-secured resource via the API, grant the user the Cloud IAM role roles/iap.httpsResourceAccessor. This role includes the permission iap.webServiceVersions.accessViaIAP, which allows access to App Engine and Compute Engine resources behind Cloud IAP. You can grant the role at any higher level in the Cloud IAM hierarchy, such as the project or folder; because Cloud IAM policies are inherited, a grant at the folder or organization level admits the member to every Cloud IAP-secured resource beneath that level, so grant at the narrowest level that covers the resources you intend to expose.

Learn more about managing roles and permissions for Cloud IAM.
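The following is an added example, not Google's code or code from this page, showing how the grant above is done against the Cloud IAM policy of a project: read the policy, add the member to the roles/iap.httpsResourceAccessor binding, and write it back with the etag intact so that a concurrent edit is rejected rather than overwritten. It assumes the Cloud Resource Manager v1 getIamPolicy and setIamPolicy REST methods, an OAuth access token supplied in an environment variable named GCP_ACCESS_TOKEN (a name chosen here; for example the output of gcloud auth print-access-token), and a constructed sample policy. The policy-editing helpers are pure functions and run offline; only grant_iap_access touches the network.

```python
"""Grant, revoke and audit Cloud IAP access through a project's IAM policy.

Added example; not Google's code. Assumes the Cloud Resource Manager v1
getIamPolicy/setIamPolicy methods and a token in GCP_ACCESS_TOKEN
(variable name chosen for this example).
"""
import copy
import json
import os
import sys
import urllib.request

IAP_ROLE = "roles/iap.httpsResourceAccessor"
CRM_BASE = "https://cloudresourcemanager.googleapis.com/v1/projects/"
MEMBER_KINDS = ("user", "group", "serviceAccount", "domain")

# Constructed sample policy in the shape getIamPolicy returns (not real data).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWKmjvelug=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": IAP_ROLE, "members": ["group:app-users@example.com"]},
    ],
}


def validate_member(member: str) -> str:
    """Accept only IAM principal syntax. allUsers is refused outright: it
    would admit anyone without signing in, which defeats the point of
    putting the resource behind Cloud IAP."""
    if member == "allUsers":
        raise ValueError("refusing to grant IAP access to allUsers")
    if member == "allAuthenticatedUsers":
        return member
    kind, _, ident = member.partition(":")
    if kind not in MEMBER_KINDS or not ident:
        raise ValueError(f"not an IAM principal: {member!r}")
    if kind != "domain" and "@" not in ident:
        raise ValueError(f"{kind} principal needs an email address: {member!r}")
    return member


def _binding(policy: dict, role: str):
    """Return the unconditional binding for role, or None if absent."""
    for b in policy.get("bindings", []):
        if b.get("role") == role and "condition" not in b:
            return b
    return None


def add_member(policy: dict, member: str, role: str = IAP_ROLE) -> dict:
    """Copy of policy with member in the binding for role. Idempotent;
    all other bindings and the etag are preserved unchanged."""
    member = validate_member(member)
    new = copy.deepcopy(policy)
    binding = _binding(new, role)
    if binding is None:
        new.setdefault("bindings", []).append({"role": role, "members": [member]})
    elif member not in binding["members"]:
        binding["members"].append(member)
    return new


def remove_member(policy: dict, member: str, role: str = IAP_ROLE) -> dict:
    """Copy of policy without member in the binding for role; a binding
    left with no members is dropped entirely."""
    new = copy.deepcopy(policy)
    binding = _binding(new, role)
    if binding is not None:
        binding["members"] = [m for m in binding["members"] if m != member]
        if not binding["members"]:
            new["bindings"].remove(binding)
    return new


def iap_members(policy: dict, role: str = IAP_ROLE) -> list:
    """Audit check: everyone the policy lets through Cloud IAP, including
    members of conditional bindings on the role."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == role for m in b.get("members", []))


def _crm(method: str, project: str, token: str, body: dict) -> dict:
    """POST to projects.{getIamPolicy,setIamPolicy} and return the JSON."""
    req = urllib.request.Request(
        f"{CRM_BASE}{project}:{method}", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant_iap_access(project: str, member: str, token: str) -> dict:
    """Read-modify-write: the etag read from getIamPolicy travels back in
    setIamPolicy, so a change made in between fails instead of being lost."""
    current = _crm("getIamPolicy", project, token, {})
    updated = add_member(current, member)
    if updated == current:
        return current  # already granted; nothing to write
    return _crm("setIamPolicy", project, token, {"policy": updated})


if __name__ == "__main__":
    # usage: python iap_access.py PROJECT_ID user:alice@example.com
    policy = grant_iap_access(sys.argv[1], sys.argv[2], os.environ["GCP_ACCESS_TOKEN"])
    print("Cloud IAP members now:", iap_members(policy))
```

The same helpers give you the removal side (remove_member) and the check worth running after any change: iap_members lists every principal, including those in conditional bindings, who can currently pass Cloud IAP for the project. Because the grant is a project-level IAM binding, the list applies to every Cloud IAP-secured resource in the project, as the introduction notes.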

Best practices

Access lists

  • Use a specialized security team to manage all of your access lists.
  • Set up different access lists for projects that have Cloud IAP-secured resources:
    • Group sets of resources for a team into a single project so you can manage access controls in one place.
    • Create resources in separate projects if they need to have different access lists. Resources can't easily be moved between projects, and they can't exist in multiple projects.
  • Cloud IAP controls access to a resource. Use Cloud IAM to define what a user can do after they access the resource.