IapSettings

The IAP configurable settings.

JSON representation 
{
  "name": string,
  "accessSettings": {
    object (AccessSettings)
  },
  "applicationSettings": {
    object (ApplicationSettings)
  }
}
Fields
name

string

Required. The resource name of the IAP protected resource.
accessSettings

object (AccessSettings)

Top level wrapper for all access related setting in IAP
applicationSettings

object (ApplicationSettings)

Top level wrapper for all application related settings in IAP

AccessSettings

Access related settings for IAP protected apps.

JSON representation 
{
  "gcipSettings": {
    object (GcipSettings)
  },
  "corsSettings": {
    object (CorsSettings)
  },
  "oauthSettings": {
    object (OAuthSettings)
  },
  "reauthSettings": {
    object (ReauthSettings)
  }
}
Fields
gcipSettings

object (GcipSettings)

GCIP claims and endpoint configurations for 3p identity providers.
corsSettings

object (CorsSettings)

Configuration to allow cross-origin requests via IAP.
oauthSettings

object (OAuthSettings)

Settings to configure IAP's OAuth behavior.
reauthSettings

object (ReauthSettings)

Settings to configure reauthentication policies in IAP.

GcipSettings

Allows customers to configure tenant_id for GCIP instance per-app.

JSON representation 
{
  "tenantIds": [
    string
  ],
  "loginPageUri": string
}
Fields
tenantIds[]

string

GCIP tenant ids that are linked to the IAP resource. tenantIds could be a string beginning with a number character to indicate authenticating with GCIP tenant flow, or in the format of _ to indicate authenticating with GCIP agent flow. If agent flow is used, tenantIds should only contain one single element, while for tenant flow, tenantIds can contain multiple elements.
loginPageUri

string

Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it could be overridden at the sub resource level.

CorsSettings

Allows customers to configure HTTP request paths that'll allow HTTP OPTIONS call to bypass authentication and authorization.

JSON representation 
{
  "allowHttpOptions": boolean
}
Fields
allowHttpOptions

boolean

Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests.

OAuthSettings

Configuration for OAuth login&consent flow behavior as well as for OAuth Credentials.

JSON representation 
{
  "loginHint": string
}
Fields
loginHint

string

Domain hint to send as hd=? parameter in OAuth request flow. Enables redirect to primary IDP by skipping Google's login screen. https://developers.google.com/identity/protocols/OpenIDConnect#hd-param Note: IAP does not verify that the id token's hd claim matches this value since access behavior is managed by IAM policies.

ReauthSettings

Configuration for IAP reauthentication policies.

JSON representation 
{
  "method": enum (Method),
  "maxAge": string,
  "policyType": enum (PolicyType)
}
Fields
method

enum (Method)

Reauth method required by the policy.
maxAge

string (Duration format)

Reauth session lifetime, how long before a user has to reauthenticate again.

A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
policyType

enum (PolicyType)

How IAP determines the effective policy in cases of hierarchial policies. Policies are merged from higher in the hierarchy to lower in the hierarchy.

Method

Types of reauthentication methods supported by IAP.

Enums
METHOD_UNSPECIFIED Reauthentication disabled.
LOGIN Mimics the behavior as if the user had logged out and tried to log in again. Users with 2SV (2-step verification) enabled see their 2SV challenges if they did not opt to have their second factor responses saved. Apps Core (GSuites) admins can configure settings to disable 2SV cookies and require 2SV for all Apps Core users in their domains.
PASSWORD User must type their password.
SECURE_KEY User must use their secure key 2nd factor device.

PolicyType

Type of policy in the case of hierarchial policies.

Enums
POLICY_TYPE_UNSPECIFIED Default value. This value is unused.
MINIMUM This policy acts as a minimum to other policies, lower in the hierarchy. Effective policy may only be the same or stricter.
DEFAULT This policy acts as a default if no other reauth policy is set.

ApplicationSettings

Wrapper over application specific settings for IAP.

JSON representation 
{
  "csmSettings": {
    object (CsmSettings)
  },
  "accessDeniedPageSettings": {
    object (AccessDeniedPageSettings)
  },
  "cookieDomain": string
}
Fields
csmSettings

object (CsmSettings)

Settings to configure IAP's behavior for a CSM mesh.
accessDeniedPageSettings

object (AccessDeniedPageSettings)

Customization for Access Denied page.
cookieDomain

string

The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid.

CsmSettings

Configuration for RCTokens generated for CSM workloads protected by IAP. RCTokens are IAP generated JWTs that can be verified at the application. The RCToken is primarily used for ISTIO deployments, and can be scoped to a single mesh by configuring the audience field accordingly

JSON representation 
{
  "rctokenAud": string
}
Fields
rctokenAud

string

Audience claim set in the generated RCToken. This value is not validated by IAP.

AccessDeniedPageSettings

Custom content configuration for access denied page. IAP allows customers to define a custom URI to use as the error page when access is denied to users. If IAP prevents access to this page, the default IAP error page will be displayed instead.

JSON representation 
{
  "accessDeniedPageUri": string,
  "generateTroubleshootingUri": boolean
}
Fields
accessDeniedPageUri

string

The URI to be redirected to when access is denied.
generateTroubleshootingUri

boolean

Whether to generate a troubleshooting URL on access denied events to this application.