Use authorization policies to delegate authorization to IAP and IAM

This page describes how to use authorization policies to designate Identity-Aware Proxy (IAP) as the custom authorization engine in an authorization policy for Application Load Balancers.

To delegate authorization to IAP and Identity and Access Management (IAM), you authorize traffic to a forwarding rule based on IAM or end-user identities for managed load balancers. This lets you enforce IAP-based access control for your backend services.

Before you begin

Create the authorization policy and enable IAP

To create an authorization policy, you create a policy file that defines the target and rules, and then enable IAP on the forwarding rule. You can choose to apply IAP only to specific requests by defining conditions in the httpRules section of your policy file. If the httpRules section is omitted, IAP is enforced on all requests.

gcloud

  1. Run the following command to prepare a policy.yaml file. The policy enables IAP on the forwarding rule for requests from clients in the 10.0.0.0/24 address range.

    $ cat << EOF > policy.yaml
    action: CUSTOM
    description: authz policy with Cloud IAP
    name: AUTHZ_POLICY_NAME
    httpRules:
    - from:
        sources:
        - ipBlocks:
          - prefix: "10.0.0.0"
            length: 24
    customProvider:
      cloudIap: {}
    target:
      loadBalancingScheme: EXTERNAL_MANAGED
      resources:
      - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
    EOF

  2. Run the following command to enable IAP on a forwarding rule.

    gcloud network-security authz-policies import AUTHZ_POLICY_NAME \
      --source=policy.yaml \
      --location=LOCATION \
      --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: The Google Cloud project ID.
  • LOCATION: The region that the resource is located in.
  • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: The name of the authorization policy.

API

  1. Run the following command to prepare a policy.json file.

    cat << EOF > policy.json
    {
      "name": "AUTHZ_POLICY_NAME",
      "target": {
        "loadBalancingScheme": "INTERNAL_MANAGED",
        "resources": [
          "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
        ]
      },
      "action": "CUSTOM",
      "httpRules": [
        {
          "from": {
            "sources": [
              {
                "ipBlocks": [
                  {
                    "prefix": "10.0.0.0",
                    "length": 24
                  }
                ]
              }
            ]
          }
        }
      ],
      "customProvider": {
        "cloudIap": {}
      }
    }
    EOF

  2. Run the following command to enable IAP on a forwarding rule.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d @policy.json \
      "https://networksecurity.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"

    Replace the following:

    • PROJECT_ID: The Google Cloud project ID.
    • LOCATION: The region that the resource is located in.
    • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
    • AUTHZ_POLICY_NAME: The name of the authorization policy.
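The following added example (not code from the page or from Google) builds the same authorization policy body as the gcloud and API tabs above and evaluates which client addresses its ipBlocks rule would send to IAP, so you can sanity-check a policy before importing it. The names build_authz_policy and iap_enforced_for are this example's own; the matching logic follows the page's description (matched requests go to IAP; no httpRules means every request does).

```python
import ipaddress

# Added example, not from the page: build the AuthzPolicy shown in the
# gcloud/API tabs and check which client IPs its ipBlocks rule routes to IAP.
FORWARDING_RULE_FMT = ("https://www.googleapis.com/compute/v1/projects/{project}"
                       "/regions/{location}/forwardingRules/{rule}")
VALID_SCHEMES = {"EXTERNAL_MANAGED", "INTERNAL_MANAGED"}


def build_authz_policy(name, project, location, rule, scheme, cidrs=()):
    """Return the policy as a dict ready for json.dump into policy.json.
    An empty cidrs omits httpRules, so IAP is enforced on every request."""
    if scheme not in VALID_SCHEMES:
        raise ValueError(f"unsupported loadBalancingScheme: {scheme}")
    blocks = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        blocks.append({"prefix": str(net.network_address), "length": net.prefixlen})
    policy = {
        "name": name,
        "action": "CUSTOM",
        "customProvider": {"cloudIap": {}},
        "target": {
            "loadBalancingScheme": scheme,
            "resources": [FORWARDING_RULE_FMT.format(project=project,
                                                     location=location, rule=rule)],
        },
    }
    if blocks:  # one rule, one source, N ipBlocks, matching the page's layout
        policy["httpRules"] = [{"from": {"sources": [{"ipBlocks": blocks}]}}]
    return policy


def iap_enforced_for(policy, client_ip):
    """True if a request from client_ip matches the policy and is sent to IAP."""
    rules = policy.get("httpRules")
    if not rules:
        return True  # no httpRules: IAP applies to all requests
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        for source in rule.get("from", {}).get("sources", []):
            for block in source.get("ipBlocks", []):
                if addr in ipaddress.ip_network(f"{block['prefix']}/{block['length']}"):
                    return True
    return False  # unmatched: request is not handed to IAP by this policy
```

Requests from outside the listed blocks are not routed through IAP by this policy, so review the ranges carefully before relying on the rule to gate access.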

Apply permissions to resources

You can use the IAP API to apply IAM permissions to individual resources in an IAP-secured project. IAM permissions granted at a certain level apply to all of the levels underneath it. For example, a permission granted at the project level applies to all of the Google Cloud resources in the project.

Following are some example commands for configuring permissions. For more information, see gcloud iap web set-iam-policy.

gcloud

In the example commands, replace POLICY_FILE with the path to a YAML formatted file that contains a valid policy. Following is an example YAML file:

bindings:
- members:
  - user:example@example.com
  role: roles/iap.httpsResourceAccessor

Update the permission for who can access the forwarding rule resource

gcloud iap web set-iam-policy POLICY_FILE [--organization=ORGANIZATION \
  --folder=FOLDER --project=PROJECT_ID \
  --resource-type=RESOURCE_TYPE --service=SERVICE]

Configure permission at the organization level

gcloud iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION

Configure permission at the folder level

gcloud iap web set-iam-policy POLICY_FILE --folder=FOLDER

Configure permission at the project level

gcloud iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web

Configure permission for all global forwarding rules in a project

gcloud iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule

Configure permission for all forwarding rules in a project in a region

gcloud iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
  --resource-type=forwarding_rule --region=REGION

Configure permission for a specific global forwarding rule in a project

gcloud iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
  --resource-type=forwarding_rule --service=SERVICE

Configure permission for a specific forwarding rule in a project in a region

gcloud iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
  --resource-type=forwarding_rule --service=SERVICE --region=REGION

Replace the following:

  • POLICY_FILE: The path to a YAML file that contains a valid policy.
  • ORGANIZATION: The ID of your organization.
  • FOLDER: The folder that contains your application.
  • PROJECT_ID: The Google Cloud project ID.
  • RESOURCE_TYPE: The IAP resource type. The resource type must be app-engine, iap_web, compute, organization, or folder.
  • SERVICE: The forwarding rule ID or name.
  • REGION: The region that the resource is located in.

API

Configure permission at the organization level

organization/ORGANIZATION

Configure permission at the folder level

folders/FOLDER

Configure permission at the project level

projects/PROJECT_ID

Configure permission for all global forwarding rules in a project

projects/PROJECT_ID/forwarding_rule

Configure permission for all forwarding rules in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION

Configure permission for a specific global forwarding rule in a project

projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE

Configure permission for a specific forwarding rule in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE

Set the authorization policy

curl -X PATCH \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @policy.json \
  "https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"

For policy.json, you can create the JSON file by running the following command. Update the values as needed.

cat << EOF > policy.json
{
  "bindings": [
    {
      "members": ["user:example@example.com"],
      "role": "roles/iap.httpsResourceAccessor"
    }
  ]
}
EOF

Replace the following:

  • ORGANIZATION: The ID of your organization.
  • FOLDER: The folder that contains your application.
  • PROJECT_ID: The Google Cloud project ID.
  • REGION: The region that the resource is located in.
  • SERVICE: The forwarding rule ID or name.
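The following added example (not code from the page or from Google) prepares the policy.json used by set-iam-policy and setIamPolicy above by merging a new binding into the policy you already hold, because both calls replace the whole IAM policy rather than appending to it, so writing only the new binding would silently drop everyone else's access. The function names add_binding and members_with_role, and the sample policy, are constructed for this example; it assumes you fetched the current policy first (for instance with gcloud iap web get-iam-policy --format=json).

```python
import copy
import json

# Added example, not from the page: merge one binding into an existing IAP IAM
# policy so that set-iam-policy (which overwrites the policy) keeps prior grants.
IAP_ACCESSOR_ROLE = "roles/iap.httpsResourceAccessor"


def add_binding(policy, member, role=IAP_ACCESSOR_ROLE):
    """Return a copy of policy with member granted role; idempotent."""
    if ":" not in member:
        raise ValueError("member needs a prefix such as user:, group: or serviceAccount:")
    new = copy.deepcopy(policy)  # keep the caller's object (and its etag) unchanged
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        # reuse an unconditional binding for the role instead of adding a duplicate
        if b.get("role") == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def members_with_role(policy, role=IAP_ACCESSOR_ROLE):
    """Everyone currently granted role, for review before and after the change."""
    out = set()
    for b in policy.get("bindings", []):
        if b.get("role") == role:
            out.update(b.get("members", []))
    return out


# Constructed sample of a policy as returned by get-iam-policy. The etag is kept
# in the merged output so IAM can reject a set that races with another update.
EXISTING = {
    "etag": "BwXyZ-constructed",
    "bindings": [{"role": IAP_ACCESSOR_ROLE, "members": ["group:app-users@example.com"]}],
}

if __name__ == "__main__":
    merged = add_binding(EXISTING, "user:example@example.com")
    with open("policy.json", "w") as f:
        json.dump(merged, f, indent=2)  # then run gcloud iap web set-iam-policy policy.json ...
    print("before:", sorted(members_with_role(EXISTING)))
    print("after: ", sorted(members_with_role(merged)))
```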


Last updated 2026-02-18 UTC.