configuring-identity-aware-proxy-with-google-iap
Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute Engine, App Engine, Cloud Run, and GKE services using access levels, context-aware policies, and programmatic access with service accounts.
What this skill does
# Configuring Identity-Aware Proxy with Google IAP

## When to Use

- When protecting Google Cloud applications (App Engine, Cloud Run, GKE, Compute Engine) with identity-based access
- When implementing context-aware access requiring device posture and location verification
- When providing secure access to internal tools without VPN or public IP exposure
- When needing per-request authentication and authorization for web applications and TCP services
- When configuring programmatic access to IAP-protected resources using service accounts

**Do not use** for non-HTTP applications that cannot be placed behind an HTTPS load balancer, for public-facing applications that need unauthenticated access, or when applications handle their own authentication and IAP would conflict with existing auth flows.

## Prerequisites

- Google Cloud project with billing enabled
- IAP API enabled (`gcloud services enable iap.googleapis.com`)
- Application deployed behind HTTPS Load Balancer, App Engine, or Cloud Run
- Cloud Identity or Google Workspace for user management
- Access Context Manager API enabled for access levels
- OAuth consent screen configured for the project

## Workflow

### Step 1: Enable IAP on Backend Services

Configure IAP for different GCP compute platforms.
```bash
# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com

# Create OAuth consent screen
gcloud iap oauth-brands create \
  --application_title="Internal Applications" \
  --support_email=[email protected]

# Create OAuth client
gcloud iap oauth-clients create \
  projects/PROJECT_ID/brands/BRAND_ID \
  --display_name="IAP Web Client"

# === Enable IAP on Compute Engine Backend Service ===
gcloud compute backend-services update my-backend-service \
  --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
  --global

# === Enable IAP on App Engine ===
gcloud iap web enable \
  --resource-type=app-engine \
  --oauth2-client-id=CLIENT_ID \
  --oauth2-client-secret=CLIENT_SECRET

# === Enable IAP on Cloud Run ===
# First grant the IAP service account the Cloud Run Invoker role
gcloud run services add-iam-policy-binding my-service \
  --member="serviceAccount:[email protected]" \
  --role="roles/run.invoker" \
  --region=us-central1

# Enable IAP on the Cloud Run backend service
gcloud compute backend-services update my-cloud-run-backend \
  --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
  --global

# === Enable IAP TCP Forwarding for SSH/RDP ===
# No load balancer needed: uses the IAP tunnel
gcloud compute instances add-iam-policy-binding my-vm \
  --member="group:[email protected]" \
  --role="roles/iap.tunnelResourceAccessor" \
  --zone=us-central1-a

# SSH through IAP tunnel
gcloud compute ssh my-vm --zone=us-central1-a --tunnel-through-iap

# RDP through IAP tunnel
gcloud compute start-iap-tunnel my-windows-vm 3389 \
  --local-host-port=localhost:3390 \
  --zone=us-central1-a
```

### Step 2: Configure IAM Bindings for Access Control

Grant access to specific users and groups with optional access level conditions.
```bash
# Grant basic access to a group
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=my-backend-service \
  --member="group:[email protected]" \
  --role="roles/iap.httpsResourceAccessor"

# Grant access with access level condition
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=finance-app \
  --member="group:[email protected]" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression=request.auth.access_levels.exists(x, x == "accessPolicies/POLICY_ID/accessLevels/corporate-device"),title=RequireCorporateDevice,description=Requires managed corporate device'

# Grant access only during business hours
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=admin-console \
  --member="group:[email protected]" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression=request.time.getHours("America/New_York") >= 8 && request.time.getHours("America/New_York") <= 18 && request.time.getDayOfWeek("America/New_York") >= 1 && request.time.getDayOfWeek("America/New_York") <= 5,title=BusinessHoursOnly'

# Grant access to a specific URL path
gcloud iap web add-iam-policy-binding \
  --resource-type=backend-services \
  --service=internal-api \
  --member="group:[email protected]" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression=request.path.startsWith("/api/v2/"),title=APIv2Access'
```

### Step 3: Create Access Levels with Access Context Manager

Define context-based access requirements using device attributes and network conditions.
```bash
# Create access level requiring an encrypted, admin-approved corporate device
cat > managed-device.yaml << 'EOF'
- devicePolicy:
    allowedEncryptionStatuses:
    - ENCRYPTED
    osConstraints:
    - osType: DESKTOP_WINDOWS
      minimumVersion: "10.0.19045"
    - osType: DESKTOP_MAC
      minimumVersion: "14.0"
    - osType: DESKTOP_CHROME_OS
    requireScreenlock: true
    requireAdminApproval: true
    allowedDeviceManagementLevels:
    - COMPLETE   # DeviceManagementLevel enum values are NONE, BASIC, COMPLETE
EOF

gcloud access-context-manager levels create managed-device \
  --policy=POLICY_ID \
  --title="Managed Device" \
  --basic-level-spec=managed-device.yaml

# Create access level for corporate network
# (ipSubnetworks and regions inside one condition are ANDed)
cat > corp-network.yaml << 'EOF'
- ipSubnetworks:
  - "203.0.113.0/24"
  - "198.51.100.0/24"
  regions:
  - US
  - GB
EOF

gcloud access-context-manager levels create corp-network \
  --policy=POLICY_ID \
  --title="Corporate Network" \
  --basic-level-spec=corp-network.yaml

# Create custom access level using CEL for complex logic
# (IP range membership uses inIpRange(); "origin.ip in [...]" would compare strings)
cat > high-trust.yaml << 'EOF'
expression: >
  device.encryption_status == DeviceEncryptionStatus.ENCRYPTED &&
  device.is_admin_approved_device == true &&
  (
    inIpRange(origin.ip, ["203.0.113.0/24"]) ||
    device.os_type == OsType.DESKTOP_CHROME_OS
  ) &&
  request.auth.claims.hd == "company.com"
EOF

gcloud access-context-manager levels create high-trust \
  --policy=POLICY_ID \
  --title="High Trust" \
  --custom-level-spec=high-trust.yaml
```

### Step 4: Configure Session Settings and Re-authentication

Set session duration and re-authentication policies per application.
```bash
# Configure re-authentication for a backend service
# Requires login every 4 hours for sensitive apps
# (gcloud iap settings set takes a settings file, not key=value arguments)
cat > finance-app-settings.yaml << 'EOF'
accessSettings:
  reauthSettings:
    method: LOGIN
    maxAge: 14400s
    policyType: MINIMUM
EOF

gcloud iap settings set finance-app-settings.yaml \
  --project=PROJECT_ID \
  --resource-type=compute \
  --service=finance-app

# Configure session settings for App Engine
cat > app-engine-settings.yaml << 'EOF'
accessSettings:
  reauthSettings:
    method: SECURE_KEY
    maxAge: 3600s
    policyType: MINIMUM
EOF

gcloud iap settings set app-engine-settings.yaml \
  --project=PROJECT_ID \
  --resource-type=app-engine

# View current IAP settings
gcloud iap settings get \
  --project=PROJECT_ID \
  --resource-type=compute \
  --service=finance-app
```

### Step 5: Configure Programmatic Access for Service Accounts

Enable service-to-service communication through IAP-protected endpoints.

```python
#!/usr/bin/env python3
"""Access an IAP-protected resource using service account credentials."""
import google.auth.transport.requests
from google.oauth2 import id_token
import requests as req

IAP_CLIENT_ID = "YOUR_IAP_OAUTH_CLIENT_ID.apps.googleusercontent.com"
IAP_URL = "https://my-app.company.com/api/data"


def access_iap_resource():
    # IAP accepts an OIDC identity token whose audience is the IAP OAuth client ID,
    # not an OAuth2 access token. fetch_id_token mints one from the service account
    # key in GOOGLE_APPLICATION_CREDENTIALS or from the metadata server (Compute
    # Engine, GKE Workload Identity, Cloud Run).
    auth_request = google.auth.transport.requests.Request()
    oidc_token = id_token.fetch_id_token(auth_request, IAP_CLIENT_ID)

    # IAP checks the token's signature, audience and expiry, then the service
    # account's roles/iap.httpsResourceAccessor binding, before forwarding.
    response = req.get(
        IAP_URL,
        headers={"Authorization": f"Bearer {oidc_token}"},
        timeout=30,
    )
    response.raise_for_status()
    return response.json()


if __name__ == "__main__":
    print(access_iap_resource())
```