Enable IAP using a Google-managed OAuth client

This page describes how to enable Identity-Aware Proxy (IAP) for a Google Cloud resource, using a Google-managed OAuth client.

When enabling IAP on a resource using a Google-managed OAuth client, only users within the organization in which the resource is contained can access that resource. If you want to allow users outside of the organization access to an IAP-enabled resource, enable custom OAuth credentials.

Enable IAP for a new resource

New Google Cloud resources don't have IAP enabled. Complete the following steps to enable IAP on a new resource.

  1. In the Google Cloud console, go to the IAP page.


  2. Click the Applications tab.

  3. From the list of resources, select the resource for which you want to enable IAP.

  4. In the IAP column, click the toggle to the on position.

  5. For the Turn on IAP option, click Turn on.

Set up custom OAuth credentials for a resource

To allow users outside of the organization access to an IAP-enabled resource, complete the following steps.

  1. In the Google Cloud console, go to the IAP page.


  2. Click the Applications tab.

  3. In the list of resources, go to the settings of the resource for which you want to configure custom OAuth credentials.

  4. Select the Enable custom OAuth credentials to allow users outside of this organization to access this application checkbox.

  5. In the OAuth configuration dialog, enter a client ID and secret.

  6. Optional: To have a client ID and secret generated for you, click Auto generate credentials.

    You can download the client credentials to a CSV file, or delete the credentials. After you save your changes, custom client credentials cannot be retrieved, so we recommend that you save your credentials.

    If you delete the credentials, the auto-generated OAuth client is also deleted.

  7. To save your changes, click Save. Saving your changes does not change the IAP enabled state.

Change to a Google-managed OAuth client

You can change resources using a custom OAuth client to use a Google-managed OAuth client by completing the following steps.

  1. In the Google Cloud console, go to the IAP page.


  2. Click the Applications tab.

  3. In the list of resources, go to the settings of the resource for which you want to change to use a Google-managed OAuth client.

  4. Deselect the Enable custom OAuth credentials to allow users outside of this organization to access this application checkbox.

  5. Click Save.
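Because the custom OAuth setting is what opens a resource to users outside the organization, it is worth auditing which resources have it on. The following is an added example, not part of the original page or Google's own code: it classifies Compute Engine backend services only, reads a constructed sample shaped like `gcloud compute backend-services list --format=json` output, and assumes that a non-empty `iap.oauth2ClientId` indicates custom OAuth credentials. The service names and the `approved_external` allowlist are hypothetical.

```python
import json

# Constructed sample, shaped like the `iap` block of Compute Engine
# backend service resources. All names and IDs here are made up.
SAMPLE = """
[
  {"name": "web-internal", "iap": {"enabled": true}},
  {"name": "partner-portal",
   "iap": {"enabled": true,
           "oauth2ClientId": "1234567890-example.apps.googleusercontent.com"}},
  {"name": "legacy-api", "iap": {"enabled": false}},
  {"name": "static-site"}
]
"""


def classify(service):
    """Return the IAP access scope implied by one backend service record."""
    iap = service.get("iap") or {}
    if not iap.get("enabled"):
        return "iap-off"
    # Assumption: a non-empty oauth2ClientId means custom OAuth credentials,
    # the setting that lets users outside the organization sign in.
    if iap.get("oauth2ClientId"):
        return "custom-oauth"
    # IAP on with no client ID: Google-managed client, organization users only.
    return "google-managed"


def audit(services, approved_external=()):
    """Group services by scope and list custom-OAuth ones not pre-approved."""
    report = {"iap-off": [], "google-managed": [], "custom-oauth": []}
    for svc in services:
        report[classify(svc)].append(svc["name"])
    unexpected = [n for n in report["custom-oauth"] if n not in approved_external]
    return report, unexpected


if __name__ == "__main__":
    report, unexpected = audit(json.loads(SAMPLE))
    for scope, names in report.items():
        print(f"{scope:15} {', '.join(names) or '-'}")
    if unexpected:
        print("review external access on:", ", ".join(unexpected))
```

Resources listed under `iap-off` are not protected by IAP at all, so they deserve the same review as unexpected `custom-oauth` entries.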

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.