Enable IAP for Compute Engine

This page explains how to secure a Compute Engine instance with Identity-Aware Proxy (IAP).

Before you begin

To enable IAP for Compute Engine, you need the following:

If you don't have your Compute Engine instance set up already, see Setting up IAP for Compute Engine for a complete walkthrough.

IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.

Note: The ability to authenticate users with a Google-managed OAuth client is available in Preview.

You can enable IAP on a Compute Engine backend service or on a Compute Engine forwarding rule. When you enable IAP on a Compute Engine backend service, only that backend service is protected by IAP. When you enable IAP on a Compute Engine forwarding rule, all of the Compute Engine instances behind the forwarding rule are protected by IAP.

Enable IAP on a forwarding rule

You can enable IAP on a forwarding rule by using the load balancer authorization policies framework.

gcloud

  1. Run the following command to prepare a policy.yaml file. The policy applies IAP (the cloudIap custom provider) to requests whose source address is in 10.0.0.0/24, on the forwarding rule of an external managed load balancer (use INTERNAL_MANAGED for an internal one).

    cat << EOF > policy.yaml
    action: CUSTOM
    description: authz policy with Cloud IAP
    name: AUTHZ_POLICY_NAME
    httpRules:
    - from:
        sources:
        - ipBlocks:
          - prefix: "10.0.0.0"
            length: 24
    customProvider:
      cloudIap: {}
    target:
      loadBalancingScheme: EXTERNAL_MANAGED
      resources:
      - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
    EOF

  2. Run the following command to enable IAP on a forwarding rule.

    gcloud network-security authz-policies import AUTHZ_POLICY_NAME \
      --source=policy.yaml \
      --location=LOCATION \
      --project=PROJECT_ID

Replace the following:

  • PROJECT_ID: The Google Cloud project ID.
  • LOCATION: The region that the resource is located in.
  • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: The name of the authorization policy.

API

  1. Run the following command to prepare a policy.json file. The structure is the same as the YAML used with gcloud: sources is a list, and the loadBalancingScheme must match the load balancer that owns the forwarding rule (INTERNAL_MANAGED here, EXTERNAL_MANAGED for an external one).

    cat << EOF > policy.json
    {
      "name": "AUTHZ_POLICY_NAME",
      "target": {
        "loadBalancingScheme": "INTERNAL_MANAGED",
        "resources": [
          "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
        ]
      },
      "action": "CUSTOM",
      "httpRules": [
        {
          "from": {
            "sources": [
              {
                "ipBlocks": [
                  {
                    "prefix": "10.0.0.0",
                    "length": 24
                  }
                ]
              }
            ]
          }
        }
      ],
      "customProvider": {
        "cloudIap": {}
      }
    }
    EOF

  2. Run the following command to create the authorization policy, which enables IAP on the forwarding rule. A new policy is created with a POST to the authzPolicies collection, passing the policy name as authzPolicyId; PATCH is the method for updating a policy that already exists.

    curl -X POST \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d @policy.json \
      "https://networksecurity.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/authzPolicies?authzPolicyId=AUTHZ_POLICY_NAME"

    Replace the following:

    • PROJECT_ID: The Google Cloud project ID.
    • LOCATION: The region that the resource is located in.
    • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
    • AUTHZ_POLICY_NAME: The name of the authorization policy.

After you enable IAP on a forwarding rule, you can apply permissions to resources.
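The forwarding-rule procedure above, as an added example that is not part of the original page: a POSIX shell script that validates the client CIDR and the load-balancing scheme before it writes policy.yaml, imports the policy with gcloud, and reads the policy back so the deployed state is confirmed rather than assumed. The function names, the AUTHZ_DRY_RUN switch and the sample values (my-project, us-central1, my-rule) are this example's own assumptions; it assumes an installed and authenticated gcloud CLI.

```shell
#!/bin/sh
# Added example: generate, validate and apply the authorization policy that
# puts a forwarding rule behind IAP. Not code from the page; the helper names
# are this example's own. Assumes gcloud is installed and authenticated.
# Set AUTHZ_DRY_RUN=1 to print the gcloud command instead of running it.
set -eu

# Return 0 if PREFIX is a dotted-quad IPv4 address and LENGTH is 0-32.
# A typo here would silently scope the IAP rule to the wrong clients,
# so the policy file is never written from unchecked input.
valid_ipv4_cidr() {
  local prefix length old_ifs octet
  prefix=$1; length=$2
  case "$length" in ''|*[!0-9]*) return 1 ;; esac
  [ "$length" -le 32 ] || return 1
  old_ifs=$IFS; IFS='.'
  set -f; set -- $prefix; set +f
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Write the policy file. Arguments:
#   NAME PROJECT LOCATION FORWARDING_RULE SCHEME PREFIX LENGTH OUTFILE
# SCHEME is EXTERNAL_MANAGED or INTERNAL_MANAGED to match the load balancer.
write_authz_policy() {
  local name project location rule scheme prefix length out
  name=$1; project=$2; location=$3; rule=$4
  scheme=$5; prefix=$6; length=$7; out=$8
  case "$scheme" in
    EXTERNAL_MANAGED|INTERNAL_MANAGED) ;;
    *) echo "unsupported loadBalancingScheme: $scheme" >&2; return 1 ;;
  esac
  valid_ipv4_cidr "$prefix" "$length" || { echo "bad CIDR: $prefix/$length" >&2; return 1; }
  cat > "$out" <<EOF
action: CUSTOM
description: authz policy with Cloud IAP
name: $name
httpRules:
- from:
    sources:
    - ipBlocks:
      - prefix: "$prefix"
        length: $length
customProvider:
  cloudIap: {}
target:
  loadBalancingScheme: $scheme
  resources:
  - https://www.googleapis.com/compute/v1/projects/$project/regions/$location/forwardingRules/$rule
EOF
}

# Import the policy, then describe it so the deployed state is confirmed
# rather than assumed. Arguments: NAME PROJECT LOCATION POLICY_FILE
apply_authz_policy() {
  local name project location file
  name=$1; project=$2; location=$3; file=$4
  if [ "${AUTHZ_DRY_RUN:-0}" = 1 ]; then
    echo "gcloud network-security authz-policies import $name --source=$file --location=$location --project=$project"
    return 0
  fi
  gcloud network-security authz-policies import "$name" \
    --source="$file" --location="$location" --project="$project"
  gcloud network-security authz-policies describe "$name" \
    --location="$location" --project="$project" --format=yaml
}

# Usage (dry run; sample names are placeholders):
#   write_authz_policy iap-policy my-project us-central1 my-rule EXTERNAL_MANAGED 10.0.0.0 24 policy.yaml
#   AUTHZ_DRY_RUN=1 apply_authz_policy iap-policy my-project us-central1 policy.yaml
```

The ipBlocks source selects which requests the rule covers, so the CIDR check is the part worth keeping even if you script the rest differently: a malformed or over-narrow range fails closed in the script instead of producing a policy that quietly covers fewer clients than intended.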

Enable IAP on a Compute Engine backend service

You can enable IAP on a Compute Engine backend service by updating that backend service directly.

console

The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. To do so, complete the following steps and then follow the instructions in Configure IAP. Do not configure BackendConfig.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. ClickSave.

Turning on IAP

  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource,
    To enable IAP:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, clientauthconfig.clients.update, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-secured Web App User role on the project will be given access.

gcloud

Before you set up your project and IAP, you need an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.

  1. To authenticate, use the Google Cloud CLI and run the following command.
    gcloud auth login
  2. To sign in, follow the URL that appears.
  3. After you sign in, copy the verification code that appears and paste it in the command line.
  4. Run the following command to specify the project that contains the resource that you want to protect with IAP.
    gcloud config set project PROJECT_ID
  5. To enable IAP, run either the globally or regionally scoped command.

    Global scope
    gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
    Regional scope
    gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled

After you enable IAP, you can use the gcloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.

API

  1. Run the following command to prepare a settings.json file. The body carries only the iap block, so the PATCH leaves the other backend-service settings untouched.

    cat << EOF > settings.json
    {
      "iap": {
        "enabled": true
      }
    }
    EOF

  2. Run the following command to enable IAP.

    curl -X PATCH \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d @settings.json \
      "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/SCOPE/backendServices/BACKEND_SERVICE_NAME"

    Replace the following:

    • PROJECT_ID: The Google Cloud project ID.
    • SCOPE: global for a global backend service, or regions/REGION for a regional backend service in region REGION.
    • BACKEND_SERVICE_NAME: The name of the backend service.

After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.
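The gcloud and API procedures for a backend service above, together with the scoping rule stated earlier on this page (IAP enabled on a backend service protects only that backend service), as an added example that is not part of the original page: a POSIX shell script that builds the correct Compute Engine API path for a global or regional backend service, sends the PATCH, and then audits the output of `gcloud compute backend-services list` for backend services in the project that are still unprotected. The function names, the IAP_DRY_RUN switch and the sample names (my-project, web-bs) are this example's own assumptions; it assumes an installed and authenticated gcloud CLI and that gcloud prints True in the iap.enabled column for a protected backend service.

```shell
#!/bin/sh
# Added example: turn on IAP for one backend service through the Compute Engine
# API and then audit every backend service in the project, because IAP enabled
# on a backend service protects only that backend service. Not code from the
# page; helper names are this example's own. Assumes gcloud is installed and
# authenticated. Set IAP_DRY_RUN=1 to print requests instead of sending them.
set -eu

# REST path of a backend service. SCOPE is "global" or a region name.
backend_service_url() {
  local project scope name
  project=$1; scope=$2; name=$3
  if [ "$scope" = global ]; then
    printf 'https://compute.googleapis.com/compute/v1/projects/%s/global/backendServices/%s\n' "$project" "$name"
  else
    printf 'https://compute.googleapis.com/compute/v1/projects/%s/regions/%s/backendServices/%s\n' "$project" "$scope" "$name"
  fi
}

# PATCH body that carries only the iap block, so nothing else on the backend
# service is modified.
iap_settings_json() {
  printf '{"iap": {"enabled": true}}'
}

# Enable IAP. Arguments: PROJECT SCOPE BACKEND_SERVICE_NAME
enable_iap() {
  local url
  url=$(backend_service_url "$1" "$2" "$3")
  if [ "${IAP_DRY_RUN:-0}" = 1 ]; then
    printf 'PATCH %s %s\n' "$url" "$(iap_settings_json)"
    return 0
  fi
  curl -sS -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -d "$(iap_settings_json)" "$url"
}

# Read "NAME<TAB>IAP_ENABLED" lines, as produced by
#   gcloud compute backend-services list --format="value(name,iap.enabled)"
# and print the name of every backend service that is not IAP-protected.
# gcloud prints an empty second field when the backend service has no iap
# block at all, which is just as unprotected as an explicit False.
unprotected_backends() {
  while read -r name enabled; do
    [ -n "$name" ] || continue
    case "$enabled" in
      True|true) ;;
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Audit all backend services in PROJECT and list the unprotected ones.
audit_backend_services() {
  gcloud compute backend-services list --project="$1" \
    --format="value(name,iap.enabled)" | unprotected_backends
}

# Usage (sample names are placeholders):
#   IAP_DRY_RUN=1 enable_iap my-project global web-bs
#   audit_backend_services my-project
```

Run the audit after every change, not just once: a new backend service added to the same load balancer later starts without IAP, and nothing in the backend-service method warns you that the protection now has a gap.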

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.