This page documents production updates to Cloud IAP. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
Current version: release
August 31, 2017
Welcome to the Cloud IAP general release for App Engine standard environment, Compute Engine, and Kubernetes Engine!
Cloud IAP for App Engine flexible environment is still in beta. This feature is not covered by any SLA or deprecation policy and may be subject to backward-incompatible changes for App Engine flexible environment.
Java code samples were updated with security enhancements on August 15, 2017. If you’re using the Java signed headers code sample, please update your application per the current samples.
When you use the programmatic authentication feature, the aud claim in the JWT must now be the Cloud IAP client ID. Previously, it could also be the application URL. For applications that used programmatic authentication recently, we placed this feature on our whitelist. We will remove the functionality on November 15, 2017. For details and updated code samples, refer to programmatic authentication.
Due to internal security enhancements,
App Engine standard environment apps no longer require
login: required in
security-constraint for Java).
Cloud IAP now supports Cloud Audit Logging. Learn about enabling Cloud Audit Logging.
Cloud IAP now supports desktop and command-line applications. Learn about authenticating from a desktop app.
AJAX requests with missing or expired credentials will now get an HTTP 401 response instead of being served a Google login page.
August 7, 2017
Cloud IAP can once again be enabled for App Engine flexible environment apps.
July 20, 2017
Cloud IAP now supports special URLs to help you enhance and personalize your app.
July 14, 2017
Cloud IAP now uses the following values when you secure your app with signed headers:
The JWT is now in the HTTP request header
verify the ID token payload,
audvalue should now be a string with client ID details instead of a URL.
July 11, 2017
Added best practices for caching.
June 19, 2017
Cloud Audit Logging is now available for Cloud IAP-secured resources. Read about how to Enable Cloud Audit Logging.
The Cloud IAP 403 "failed access" page now includes product and email details from the OAuth consent screen. As with the login page, these details are publicly visible to anyone who accesses your URL. You can change the information that displays on the OAuth consent screen.
June 7, 2017
Added information about Authenticating from a desktop app for Cloud IAP-secured resources.
April 17, 2017
When you use Cloud IAP with Compute Engine, Kubernetes Engine, or the App Engine flexible environment, you must also use signed headers to secure your app.
Cloud IAP can't currently be enabled for App Engine flexible environment apps.
March 9, 2017
Welcome to the Cloud Identity-Aware Proxy beta!
Cloud IAP has a static 403 "failed access" page. In a future release, admins will be able to customise the failure message text.