IAP release notes

This page documents production updates to IAP. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

Current version: release

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/iap-release-notes.xml

February 01, 2024

Effective January 12, 2024, a BeyondCorp Enterprise license is no longer required to deploy internal applications with an internal load balancer when securing those applications with Identity-Aware Proxy. This provides a consistent experience when using Identity-Aware Proxy with all load balancers.

January 16, 2024

A BeyondCorp Enterprise license is no longer required when configuring Identity-Aware Proxy with an internal load balancer.

This note is incomplete; see entry for February 1, 2024.

August 17, 2023

Authenticating users with a Google-managed OAuth client and allowlisting OAuth clients for programmatic access are available in Preview.

April 07, 2023

Support for Identity-aware Proxy (IAP) with Cloud Run to use identity and context to guard access to your applications is now at general availability (GA).

September 16, 2021

Security bulletin c2agxr12ne

Certain Google Cloud load balancers routing to an Identity-Aware Proxy enabled Backend Service could have been vulnerable to an untrusted party under limited conditions.

For details, see GCP-2021-020

May 29, 2020

The ability to authenticate users with external identities is now generally available.

February 12, 2020

API for OAuth clients now generally available

You can now programmatically create OAuth clients in IAP via REST or gcloud. See this topic for more information.

August 07, 2019

Cloud IAP TCP forwarding general availability release

Using Cloud IAP for TCP forwarding is now generally available. Cloud IAP for TCP forwarding lets you control who can access administrative services like SSH and RDP on your backends.

April 10, 2019

Cloud IAP with context-aware access general availability release

The ability to extend Cloud IAP access policies with access levels and the IAM Conditions Framework is now generally available.

February 26, 2019

Cloud IAP for on-premises apps general availability release

You can now manage access to HTTP-based apps outside of Google Cloud Platform. This includes apps on-premises in your enterprise's data centers and on other cloud providers.

February 14, 2019

Cloud IAP Per-Resource Policies general availability release

The ability to manage Cloud IAP policies for each individual resource in a Google Cloud Platform project is now generally available.

January 22, 2019

Cloud IAP TCP forwarding beta release

You can now use Cloud IAP for TCP forwarding, allowing you to control who can access administrative services like SSH and RDP on your backends.

October 04, 2018

Cloud IAP with context-aware access beta release

Cloud IAP access policies for Cloud IAP-secured applications, services, and versions have been extended to use access levels and the IAM Conditions Framework. Access levels allow access restrictions to resources based on IP address and end-user device attributes. IAM conditions allow access restrictions based on URL hosts, paths, date, and time.

August 16, 2018

Cloud IAP Per-Resource Policies beta release

Cloud IAP policies can now be managed for each individual resource in a GCP project.

August 31, 2017

Welcome to the Cloud IAP general release for App Engine standard environment, Compute Engine, and GKE!

Cloud IAP for App Engine flexible environment is still in beta. This feature is not covered by any SLA or deprecation policy and may be subject to backward-incompatible changes for App Engine flexible environment.

Java code samples were updated with security enhancements on August 15, 2017. If you're using the Java signed headers code sample, please update your application per the current samples.

When you use the programmatic authentication feature, the aud claim in the JWT must now be the Cloud IAP client ID. Previously, it could also be the application URL. For applications that used programmatic authentication recently, we placed this feature on our whitelist. We will remove the functionality on November 15, 2017. For details and updated code samples, refer to programmatic authentication.

Due to internal security enhancements, App Engine standard environment apps no longer require login: required in app.yaml (or security-constraint for Java).

Forseti Security is now available and strongly encouraged for Compute Engine apps. If you have any questions or require assistance, please post to discuss@forsetisecurity.org.

Cloud IAP now supports Cloud Audit Logging. Learn about enabling Cloud Audit Logging.

Cloud IAP now supports desktop and command-line applications. Learn about authenticating from a desktop app.

AJAX requests with missing or expired credentials will now get an HTTP 401 response instead of being served a Google login page.

August 07, 2017

Cloud IAP can once again be enabled for App Engine flexible environment apps.

July 20, 2017

Cloud IAP now supports special URLs to help you enhance and personalize your app.

July 14, 2017

Cloud IAP now uses the following values when you secure your app with signed headers:

  • The JWT is now in the HTTP request header x-goog-iap-jwt-assertion instead of x-goog-authenticated-user-jwt.
  • When you verify the ID token payload, the aud value should now be a string with client ID details instead of a URL.

July 11, 2017

June 19, 2017

Cloud Audit Logging is now available for Cloud IAP-secured resources. Read about how to Enable Cloud Audit Logging.

The Cloud IAP 403 "failed access" page now includes product and email details from the OAuth consent screen. As with the login page, these details are publicly visible to anyone who accesses your URL. You can change the information that displays on the OAuth consent screen.

June 07, 2017

Added information about Authenticating from a desktop app for Cloud IAP-secured resources.

April 17, 2017

When you use Cloud IAP with Compute Engine, GKE, or the App Engine flexible environment, you must also use signed headers to secure your app.

Cloud IAP can't currently be enabled for App Engine flexible environment apps.

March 09, 2017

Cloud IAP has a static 403 "failed access" page. In a future release, admins will be able to customize the failure message text.