Using the API to manage Identity-Aware Proxy for App Engine

This page describes the Identity-Aware Proxy (IAP) properties that are available for App Engine API requests. Use this document with the App Engine API collection.

IAP properties

App Engine applications use the iap properties below. To learn how to set and get these properties, read the sections that follow.

Property name	Value	Description
`iap.enabled`	`bool`	Specifies if IAP is enabled for the application. The default value is false. If `iap.enabled` is `true`, the `oauth2ClientId` and `oauth2ClientSecret` properties must be set. If `iap.enabled` is `false`, the `oauth2ClientId` and `oauth2ClientSecret` properties aren't affected. You can temporarily disable IAP without unsetting those properties.
`iap.oauth2ClientId`	`string`	Specifies the client ID for use with OAuth 2.0.
`iap.oauth2ClientSecret` (Requests only)	`string`	Specifies the client secret for use with OAuth 2.0. This value can't be read via the API. Instead, the `oauth2ClientSecretSha256` field is returned.
`iap.oauth2ClientSecretSha256` (Responses only)	`string`	In response bodies, the `oauth2ClientSecret` field is redacted. Instead, `iap.oauth2ClientSecretSha256` supplies the SHA256 hash of the secret.

Setting IAP properties when creating an application

When you create an application, you can enable IAP and set the client ID and secret. Use an application POST request:

HTTP request

POST https://appengine.googleapis.com/v1/apps/project?alt=json&update_mask=iap

Parameters

Parameter name	Value	Description
Path parameters
`project`	`string`	Project ID for this request.

Request body

In the request body, supply an application with the relevant IAP properties:

Property name	Value	Description
Optional properties
`iap.enabled`	`bool`	Specifies if IAP is enabled for the application. The default value is false. If `iap.enabled` is `true`, the `oauth2ClientId` and `oauth2ClientSecret` properties must be set.
`iap.oauth2ClientId`	`string`	Specifies the client ID for use with OAuth 2.0.
`iap.oauth2ClientSecret`	`string`	Specifies the client secret for use with OAuth 2.0.

Example:

{
  ...
  "backends": [
    {
      ...
      "iap": [
        {
          "enabled": true,
          "oauth2ClientId": string,
          "oauth2ClientSecret": string
        }
      ],
      ...
    }
  ],
  ...
}

The example above shows only the IAP properties. For additional properties including required properties, see the App Engine applications documentation.

Response

If successful, this method returns an application in the response body, including IAP properties.

If iap.enabled is true but the oauth2ClientId and oauth2ClientSecret properties aren't set, a BAD_REQUEST response is returned.

Learn how to create an App Engine application.

Setting IAP properties by updating an application

To enable or disable IAP for an existing application and set or replace the client ID and secret, update the application. Use an application PATCH request:

HTTP request

PATCH https://appengine.googleapis.com/v1/apps/project?alt=json&update_mask=iap

Parameters

Parameter name	Value	Description
Path parameters
`project`	`string`	Project ID for this request.

Request body

In the request body, supply the relevant portions of an App Engine application, according to the rules of patch semantics. Include the relevant IAP properties:

Property name	Value	Description
Optional properties
`iap.enabled`	`bool`	Specifies if IAP is enabled for this application. The default value is false. If `iap.enabled` is `true`, the `oauth2ClientId` and `oauth2ClientSecret` properties must be set.
`iap.oauth2ClientId`	`string`	Specifies the client ID for use with OAuth 2.0.
`iap.oauth2ClientSecret`	`string`	Specifies the client secret for use with OAuth 2.0.

Example:

{
  ...
  "backends": [
    {
      ...
      "iap": [
        {
          "enabled": true,
          "oauth2ClientId": string,
          "oauth2ClientSecret": string
        }
      ],
      ...
    }
  ],
  ...
}

The example above shows only the IAP properties. For additional properties including required properties, see the App Engine applications documentation.

Response

If successful, this method returns an application in the response body, including IAP properties.

If iap.enabled is true but you didn't set or supply new oauth2ClientId and oauth2ClientSecret properties, a BAD_REQUEST response is returned.

Learn about Method: apps.patch.

Getting the IAP properties of an application

To see the current IAP status of an existing application, use a GET request:

HTTP request

GET https://appengine.googleapis.com/v1/apps/project?alt=json

Parameters

Parameter name	Value	Description
Path parameters
`project`	`string`	Project ID for this request.

Request body

Don't supply a request body with this method.

Response

If successful, this method returns an application in the response body that includes IAP properties.

Learn about Method: apps.get.