Enabling IAP for Compute Engine  |  Identity-Aware Proxy  |  Google Cloud (2024)

  • Home
  • Identity-Aware Proxy
  • Documentation
  • Guides
Stay organized with collections Save and categorize content based on your preferences.

This page explains how to secure a Compute Engine instance withIdentity-Aware Proxy (IAP).

Before you begin

To enable IAP for Compute Engine, you need thefollowing:

  • A Google Cloud console project with billing enabled.
  • A group of one or more Compute Engine instances, served by a loadbalancer.
    • Learn about Setting up an external HTTPS load balancer.
    • Learn about setting up an internal HTTP load balancer.
  • A domain name registered to the address of your load balancer.
  • Application code to verify that all requests have an identity.
    • Learn about Getting the user's identity.

If you don't have your Compute Engine instance set up already, seeSetting up IAP for Compute Enginefor a complete walkthrough.

IAP uses a Google-managed OAuth client to authenticate users.Only users within the organization can access the IAP-enabledapplication. If you want to allow access to users outside of your organization,see Enable IAP for external applications.

Enabling IAP


The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll beprompted to do so. To configure your OAuth consent screen, seeSetting up your OAuth consent screen.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Turning on IAP

  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the IAP column.
    To enable IAP:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.


Before you set up your project and IAP, you need an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI,see Install the gcloud CLI.

  1. To authenticate, use the Google Cloud CLI and run the following command.
    gcloud auth login
  2. To sign in, follow the URL that appears.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run the following command to specify the project that contains the resource that you want to protect with IAP.
    gcloud config set project PROJECT_ID
  5. To enable IAP, run either the globally or regionally scoped command.

    Global scope

    gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
    Regional scope
    gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled

After you enable IAP, you can use the gcloud CLI to modifythe IAP access policy using the IAM roleroles/iap.httpsResourceAccessor. Learn more aboutmanaging roles and permissions.


  1. Run the following command to prepare a settings.json file.

    cat << EOF > settings.json{"iap": { "enabled":true }}EOF
  2. Run the following command to enable IAP.

    curl -X PATCH \-H "Authorization: Bearer $(gcloud auth print-access-token)" \-H "Accept: application/json" \-H "Content-Type: application/json" \-d @settings.json \"https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"

After you enable IAP, you can use the Google Cloud CLI to modify theIAP access policy using the IAM roleroles/iap.httpsResourceAccessor. Learn more aboutmanaging roles and permissions.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-05-09 UTC.

Enabling IAP for Compute Engine  |  Identity-Aware Proxy  |  Google Cloud (2024)


How to enable IAP? ›

Set up IAP
  1. In the Google Cloud console, go to the Security > Identity-Aware Proxy page and select the project for which you want to enable IAP. ...
  2. If you haven't configured your project's OAuth consent screen, you'll be prompted to do so: ...
  3. Next to my-backend-service, toggle the on/off switch in the IAP column.

How to enable IAP on VM? ›

Grant access to a specific VM
  1. Open the IAP admin page and select the SSH and TCP Resources tab. ...
  2. On the SSH and TCP Resources tab of the IAP admin page, select the VM instances that you want to configure.
  3. Click Show info panel if the info panel is not visible.
  4. Click Add principal and configure the following: ...
  5. Click Save.

What is an IAP identity-aware proxy? ›

IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. IAP policies scale across your organization.

How to use IAP with cloud run? ›

To allow IAP to access the Cloud Run service, grant the IAP service account role service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com with the Cloud Run Invoker role. IAP generates an ID token, and uses the token to authenticate to Cloud Run using the X-Serverless-Authorization header.

How do I enable IAP in-App Engine? ›

Setting up IAP access
  1. Go to the Identity-Aware Proxy page. ...
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.
  4. On the right side panel, click Add principal.

What is IAP in cloud computing? ›

Identity-Aware Proxy includes a number of features that can be used to protect access to Google Cloud hosted resources and applications hosted on Google Cloud at no charge. (Networking and compute charges apply for required load balancing.

What is an identity-aware proxy in GCP? ›

Identity-Aware Proxy (IAP) is a Google Cloud service that intercepts web requests sent to your application, authenticates the user making the request using the Google Identity Service, and only lets the requests through if they come from a user you authorize.

How do I grant permissions to use IAP TCP forwarding? ›

Go to the IAP page. On the SSH and TCP resources tab, select the destination group for which you want to configure permissions. In the panel that opens, click Add principal and enter an email address for the user. In the Assign roles section, select a role to assign to the principal.

What is IAP used for? ›

Identity-Aware Proxy (IAP) allows you to manage access to HTTP-based apps outside of Google Cloud. This includes apps on-premises in your enterprise's data centers. To learn how to secure on-premises apps with IAP, see Setting up IAP for on-premises apps.

How does IAP work? ›

Features of Cloud Identity-Aware Proxy

Authorization: IAP uses role-based access control (RBAC) to determine what resources users have access to. This means that you can control what users can do with your applications, even if they have valid credentials.

What is IAP in Azure? ›

Capita's Intelligent Automation Platform (IAP) is an industry leading solution using a hub and spoke model deployable in all Azure regions that can scale at speed and pace.

What is the difference between app engine and cloud run? ›

Cloud Run does not have a top-level Application resource, or the corresponding default service. Cloud Run services in the same project can be deployed to different regions. In App Engine, all services in the project are in the same region.

What is a cloud run proxy? ›

Cloud Run Proxy is a small proxy to assist in authenticating as an end-user to Google Cloud Run.

How do I deploy an API to the cloud? ›

Make sure that billing is enabled for your Google Cloud project.
  1. Starting Cloud Shell.
  2. Getting the sample code.
  3. Deploying the Endpoints configuration.
  4. Enabling required services.
  5. Deploying the API backend.
  6. Sending requests to the API.
  7. Tracking API activity.
  8. Adding a quota to the API.

How to implement IAP in Unity? ›

Setting up Unity IAP
  1. Define your In-app purchase strategy for this game.
  2. Setup your project as a Unity service.
  3. Activate IAP to automatically install the package.
  4. Configure settings.
  5. Create and catalog your the in-game items that you want to sell.
  6. Use the Codeless IAP button to give users a way to buy items.

How do I enable action API? ›

To enable an API for a project using the console:
  1. Go to the Google Cloud console API Library.
  2. From the projects list, select the project you want to use.
  3. In the API Library, select the API you want to enable. If you need help finding the API, use the search field and/or the filters.
  4. On the API page, click ENABLE.

What is IAP in-app payments? ›

What does in-app purchase (IAP) mean? In-app purchases (IAPs) are one of the primary models app publishers use to monetize their apps. An in-app purchase is any fee in addition to the cost to download the app on a smartphone or tablet. IAPs allow users to buy additional features, content, or services within an app.

What is IAP in Android? ›

In-app purchases (IAPs) allow users to buy consumable items, non-consumable items, and subscriptions within an app.

Top Articles
Latest Posts
Article information

Author: Tish Haag

Last Updated:

Views: 5508

Rating: 4.7 / 5 (47 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Tish Haag

Birthday: 1999-11-18

Address: 30256 Tara Expressway, Kutchburgh, VT 92892-0078

Phone: +4215847628708

Job: Internal Consulting Engineer

Hobby: Roller skating, Roller skating, Kayaking, Flying, Graffiti, Ghost hunting, scrapbook

Introduction: My name is Tish Haag, I am a excited, delightful, curious, beautiful, agreeable, enchanting, fancy person who loves writing and wants to share my knowledge and understanding with you.