A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from http://cloud.google.com/iap/docs/custom-oauth-configuration below:

Customize an OAuth configuration to enable IAP | Identity-Aware Proxy

Skip to main content Customize an OAuth configuration to enable IAP

Stay organized with collections Save and categorize content based on your preferences.

This document describes when and how to customize an OAuth configuration for Identity-Aware Proxy (IAP).

IAP uses a Google-managed OAuth client to authenticate users.

The Google-managed OAuth client restricts access to users within the same organization when accessing IAP-enabled applications through a browser.

When to use a custom OAuth configuration

You must use a custom OAuth configuration to do the following:

When you customize your OAuth configuration, you must configure the OAuth consent screen. This requires that the branding information for your application go through the Google verification process. For more information about the verification process, see Setting up your OAuth consent screen.

You are responsible for creating and managing the credentials for a custom OAuth client. This includes storing the client secret securely and sharing it with authorized users when necessary.

Google managed OAuth client and custom OAuth client comparison

Google-managed OAuth clients cannot programmatically access IAP-protected applications. However, IAP-protected applications that use the Google-managed OAuth client can still be accessed programmatically using a separate OAuth client configured through the programmatic_clients setting or a service account JWT.

The following table provides a comparison between the Google-managed OAuth client and a custom OAuth client.

Google managed OAuth client Custom OAuth client Users Internal only Internal and External Brand Google Cloud brand Customer owned brand OAuth configuration Google configured Customer configured OAuth credentials Google managed Customer managed Application access Browser flow only Browser flow and Programmatic access Important: The Google-managed OAuth client doesn't create a new OAuth client and secret for every application, but uses an internal Google-managed client. You can ignore the OAuth client warnings when enabling IAP with the Google-managed OAuth client in the Google Cloud console. Enable IAP using a custom OAuth client configuration

The following sections explain how to enable IAP using a custom OAuth client configuration for different resources.

App Engine Console

Dynamic include file

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

Setting up IAP access
  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.
Turning on IAP
  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the application you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the IAP column.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
gcloud

Before you set up your project and IAP, you need an up-to-date version of gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

  1. To authenticate, use the Google Cloud CLI and run the following command. 
    gcloud auth login
  2. To sign in, follow the URL that appears.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run the following command to specify the project that contains the resource that you want to protect with IAP. 
    gcloud config set project PROJECT_ID
  5. Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
  6. Save the OAuth client ID and secret.
  7. To enable IAP, run the following command. 
    gcloud iap web enable \
    --oauth2-client-id=CLIENT_ID \
    --oauth2-client-secret=CLIENT_SECRET \
    --resource-type=app-engine

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

API

  1. Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.

  2. Save the OAuth client ID and secret.

  3. Run the following command to prepare a settings.json file.

    cat << EOF > settings.json
{
"iap":
  {
    "enabled": true,
    "oauth2ClientId": "CLIENT_ID",
    "oauth2ClientSecret":" CLIENT_SECRET"
  }
}
EOF

  4. Run the following command to enable IAP.

    curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @settings.json \
"https://appengine.googleapis.com/v1/apps/PROJECT_ID?updateMask=iap"

After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

Compute Engine Console

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. To do so, complete the following steps and then follow the instructions in Configure IAP. Do not configure BackendConfig.

Setting up IAP access
  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.

  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.
Turning on IAP
  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the IAP column.
    To enable IAP:
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
gcloud

Before you set up your project and IAP, you need an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

  1. To authenticate, use the Google Cloud CLI and run the following command. 
    gcloud auth login
  2. To sign in, follow the URL that appears.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run the following command to specify the project that contains the resource that you want to protect with IAP. 
    gcloud config set project PROJECT_ID
  5. Follow the instructions in Creating OAuth clients for IAP. to configure the OAuth consent screen and create the OAuth client.
  6. Save the OAuth client ID and secret.
  7. To enable IAP, run either the globally or regionally scoped command.

    Global scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --global \
    --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET
    Regional scope 
    gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --region REGION_NAME \
    --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

API

  1. Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.

  2. Save the OAuth client ID and secret.

  3. Run the following command to prepare a settings.json file.

    cat << EOF > settings.json
{
"iap":
  {
    "enabled": true,
    "oauth2ClientId": "CLIENT_ID",
    "oauth2ClientSecret": "CLIENT_SECRET"
  }
}
EOF

  4. Run the following command to enable IAP.

    curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @settings.json \
"https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

Cloud Run Console

If you haven't configured your project's OAuth consent screen, you're prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen

Setting up IAP access
  1. Open the Identity-Aware Proxy page.
    Go to Identity-Aware Proxy
  2. Select the project you want to secure with IAP.
  3. Under Applications, select the checkbox next to the load balancer backend service to which you want to add members.
  4. On the right side panel, click Add member.

  5. In the Add members dialog, enter the accounts of groups or individuals who should have the IAP-secured Web App User role for the project. The following kinds of accounts can be members:

  6. Select Cloud IAP > IAP-secured Web App User from the Roles list.

  7. Click Save.

Turning on IAP
  1. On the IAP page, under Applications, find the load balancer backend service to which you want to restrict access. Click the IAP toggle to enable IAP on a resource.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.

  3. To authorize IAP to send traffic to the backend Cloud Run service, follow the instructions at Add principals to a service to add the following principle and role.

gcloud
  1. Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
  2. Save the OAuth client ID and secret.
  3. If you have not previously done so, create a service account by running the following command. If you previously created a service account, running the command does not create duplicate service accounts. 
    gcloud beta services identity create \
    --service=iap.googleapis.com --project=PROJECT_ID
  4. Grant the invoker permission to the service account, created in the previous step, by running the following command. 
    gcloud run services add-iam-policy-binding SERVICE-NAME \
    --member='serviceAccount:service-PROJECT-NUMBER@gcp-sa-iap.iam.gserviceaccount.com' \
    --role='roles/run.invoker'

  5. Enable IAP by running either the globally or regionally scoped command, depending on whether your load balancer backend service is global or regional. Use the OAuth client ID and secret from the previous step.

    Global scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --global \
    --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET

    Regional scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --region REGION_NAME \
    --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET
    Replace the following:

After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy using the Identity and Access Management role roles/iap.httpsResourceAccessor. See Managing roles and permissions for more information.

Google Kubernetes Engine Console

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. To do so, complete the following steps and then follow the instructions in Configure IAP. Do not configure BackendConfig.

Setting up IAP access
  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.

  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.
Turning on IAP
  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the IAP column.
    To enable IAP:
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
GKE Configure the BackendConfig

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. See Configure IAP for instructions.

  1. Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.

  2. Create a Kubernetes Secret to wrap the OAuth client.

    kubectl create secret generic MY_SECRET --from-literal=client_id=CLIENT_ID \
  --from-literal=client_secret=CLIENT_SECRET
    Replace the following:

    You should receive confirmation, like the following output, that the Secret was successfully created:

    secret "MY_SECRET" created

  3. Add the OAuth credentials to the BackendConfig.

    apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: CONFIG_DEFAULT
  namespace: my-namespace
spec:
iap:
  enabled: true
  oauthclientCredentials:
    secretName: MY_SECRET

  4. Enable IAP by associating Service ports with your BackendConfig. See Associating BackendConfig with your Ingress. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:

    metadata:
  annotations:
      beta.cloud.google.com/backend-config: '{"default": "CONFIG_DEFAULT"}}'

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

Troubleshooting

If the secretName you referenced doesn't exist or isn't structured properly, one of the following error messages will display:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-07 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4