Using organization policies to control IAP enablement

This page describes the organization policies that you can set to control the enablement of IAP protection for global and regional applications.

Overview

IAP is a global service, and any IAP configuration is replicated globally. Therefore, if you have strict regional data residency compliance requirements that you must adhere to, you might need to ensure that IAP cannot be enabled for applications across your organization, in specific projects, or in specific folders. You can control IAP enablement by setting organization policy constraints.

IAP organization policies

The following organization policies restrict IAP enablement for global and regional applications:

  • Global: iap.requireGlobalIapWebDisabled
  • Regional: iap.requireRegionalIapWebDisabled

You can use the organization policies to prevent admins from enabling IAP on the following services:

  • Compute Engine backend services, API reference: backendServices/regionBackendServices insert, update, and patch operations
  • App Engine applications, API reference: Applications.updateApplication

When you enable one or both of the policy constraints, it prevents future enabling of IAP on global or regional applications respectively. Setting the policy constraints does not automatically disable IAP protections that are in place for existing Compute Engine or App Engine applications. For existing applications on which IAP is already enabled, ensure that you bring them into compliance with the newly set policies without sacrificing your security posture.

Organization policies specifically and strictly control only IAP enablement and not other aspects of the IAP configuration. When an organization policy is in place, an administrator can update any IAP settings, including OAuth Client information, for any application that is out of compliance at the time of the policy enforcement. This allows you to maintain a strong security posture while working to bring all of your services into compliance with data residency requirements.