Step 4: Configure Identity-Aware Proxy (IAP)

In this step, you configure Identity-Aware Proxy (IAP) to provision a centralized authorization layer for the app deployed in Cloud Run, by doing the following:

  1. Configure the OAuth consent screen: The OAuth consent screen is a prompt that includes a summary of your project, its policies, and the requested authorization scopes of access. By configuring the OAuth consent screen for your app, you define what is available to users and app reviewers, and also register your app so you can publish it later. To learn more about the OAuth consent screen, see Configure the OAuth consent screen and choose scopes.

  2. Create OAuth access credentials: You need to create an OAuth client ID for your app and domain, so your app can call the required APIs. To learn more about OAuth credentials, see Create access credentials.

  3. Enable IAP on the load balancer: Use the OAuth client ID and secret to enable IAP on the load balancer that you created for your app.

  4. Turn on IAP: Secure your app by creating principals who can access your app and then turning on IAP.

Configure the OAuth consent screen

  1. In the Google Cloud console, go to the OAuth consent screen.


  2. Select one of the following user types for your app:

    • External: Any user with a Google Account can make authorization requests. For the purpose of completing this tutorial, we recommend selecting External.

    • Internal: Only members of your Google Cloud organization can make authorization requests to the app.

  3. Click Create.

  4. In the Authorized domains section, click Add domain, and specify the domain name used during certificate creation.

  5. In the Developer contact information section, enter your email address.

  6. Click Save and Continue.

  7. On the Scopes page, click Save and Continue.

  8. Optional: If you selected External as the user type, add test users on the Test users page, as follows:

    1. Click Add users.

    2. Enter your email address and any other authorized test users, and then click Save and continue.

  9. Review your app registration summary. To make changes, click Edit. If the app registration looks OK, click Back to dashboard.

Create OAuth access credentials

  1. In the Google Cloud console, go to the Credentials page.


  2. Click Create credentials and then click OAuth client ID.

  3. In the Application type list, click Web application.

  4. In the Name field, enter gemini-streamlit-app.

  5. In the Authorized JavaScript origins section, click Add URI and then enter the following URI:

    https://DOMAIN_NAME

    Replace DOMAIN_NAME with the domain name used during certificate creation.

  6. Click Create.

    The OAuth client created screen appears, displaying the Client ID and Client secret.

  7. Copy the Client ID and Client secret. You'll need these details in the next step of the tutorial.

Enable IAP on the load balancer

  1. In the Google Cloud console, activate Cloud Shell.


    At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

  2. In the Cloud Shell terminal, run the following command:

    gcloud compute backend-services update gemini-streamlit-app-backend \
        --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET \
        --global

    Replace the following:

    • CLIENT_ID: The OAuth client ID from the OAuth credentials that you just created.
    • CLIENT_SECRET: The OAuth client secret from the OAuth credentials that you just created.
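The same update wrapped in a script that also reads the backend back from the API to confirm IAP is really on and bound to your OAuth client, as an added example that is not part of the tutorial; it assumes bash in Cloud Shell with gcloud authenticated against the tutorial project, the backend name gemini-streamlit-app-backend, and CLIENT_ID / CLIENT_SECRET supplied through the environment.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial: enable IAP on the backend service with
# the OAuth client from the previous step, then confirm from the API that IAP is
# actually on and bound to that client before relying on it. Assumes bash with
# gcloud authenticated against the tutorial project.
set -eu

# Backend service created earlier in the tutorial.
BACKEND="${BACKEND:-gemini-streamlit-app-backend}"

# CLIENT_ID and CLIENT_SECRET come from the environment so the secret is not
# typed on the command line or stored in this script.
enable_iap() {
  : "${CLIENT_ID:?set CLIENT_ID to the OAuth client ID}"
  : "${CLIENT_SECRET:?set CLIENT_SECRET to the OAuth client secret}"
  gcloud compute backend-services update "$BACKEND" \
    --iap="enabled,oauth2-client-id=${CLIENT_ID},oauth2-client-secret=${CLIENT_SECRET}" \
    --global
}

# Evaluate one line of 'gcloud ... describe --format="value(iap.enabled,iap.oauth2ClientId)"'
# output. gcloud prints the two fields tab-separated ("True<TAB><client id>"); an
# empty line means IAP was never configured on the backend. Returns 0 only when
# IAP is enabled and bound to the expected OAuth client.
iap_is_enabled() {
  describe_output="$1"
  expected_client="$2"
  enabled="$(printf '%s\n' "$describe_output" | awk -F'\t' '{print $1}')"
  client="$(printf '%s\n' "$describe_output" | awk -F'\t' '{print $2}')"
  [ "$enabled" = "True" ] && [ "$client" = "$expected_client" ]
}

# Query the live backend service and fail loudly if IAP is off, which would
# leave the app reachable by anyone holding the load balancer URL.
verify_iap() {
  out="$(gcloud compute backend-services describe "$BACKEND" --global \
           --format='value(iap.enabled,iap.oauth2ClientId)')"
  if iap_is_enabled "$out" "$CLIENT_ID"; then
    echo "IAP is enabled on $BACKEND with client $CLIENT_ID"
  else
    echo "IAP is NOT correctly enabled on $BACKEND (describe returned: '$out')" >&2
    return 1
  fi
}

# Usage: CLIENT_ID=... CLIENT_SECRET=... ./enable_iap.sh --run
if [ "${1:-}" = "--run" ]; then
  enable_iap && verify_iap
fi
```

Running verify_iap again later (for example from a scheduled job) catches the case the Caution below warns about: someone toggling IAP off and leaving the backend open to anyone with the URL.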

Set up and use IAP

Caution: When IAP is turned off, a resource is accessible to anyone with the URL. Ensure that IAP is turned on, so that the resource is accessible only by the configured principals.

  1. Go to the Identity-Aware Proxy page.


  2. Select your project.

  3. Select the checkbox next to gemini-streamlit-app-backend.

  4. Click Add principal.

  5. Enter the details in the following fields:

    • New principals: Enter the email addresses of groups or individuals to grant them access to your app. Any of the following can be a principal:

      • Google Account

      • Google Group

      • Service account

      • Google Workspace domain

      Ensure that you include a Google Account that you have access to.

  6. In the Role list, select Cloud IAP > IAP-secured Web App User.

  7. Click Save.

  8. On the Identity-Aware Proxy page, under Applications, click the IAP toggle to the on position in the row corresponding to the gemini-streamlit-app-backend resource.

  9. In the Turn on IAP window that appears, select the checkbox to acknowledge that you've read the configuration requirements and configured your backend accordingly.

  10. Click Turn on. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project are granted access.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.