Configuring Identity-Aware Proxy with Google IAP

Configuring Google Cloud Identity-Aware Proxy (IAP) to enforce per-request identity verification for Compute

What Is This

Configuring Identity-Aware Proxy (IAP) with Google Cloud enables organizations to enforce per-request identity verification and access control for their cloud workloads. Google Cloud IAP acts as a gatekeeper in front of your web applications and services running in Compute Engine, App Engine, Cloud Run, or Google Kubernetes Engine (GKE). Once IAP is deployed, every incoming request is authenticated and authorized against granular identity, device, and context-aware policies before it ever reaches your application layer.

This skill focuses on setting up Google Cloud Identity-Aware Proxy to protect applications, enforce Zero Trust security principles, and enable context-aware access using Google Cloud’s Access Context Manager. It also covers enabling programmatic access to IAP-protected resources via service accounts.

Why Use It

Cloud-native applications frequently require robust control over access to sensitive internal resources, especially as traditional network perimeters dissolve with remote work and cloud migration. IAP introduces a Zero Trust approach by shifting access decisions to per-request checks based on user identity and device context, regardless of network location.

Key benefits include:

  • Eliminates the need for VPNs: Users access protected apps securely over the internet without exposing services to the public or requiring VPN tunnels.
  • Centralized access control: Manage who can access your resources using Google Workspace groups, Cloud Identity, or service accounts.
  • Context-aware access: Enforce access policies based on device posture, location, and user attributes using Access Context Manager.
  • Per-request authorization: Every request is authenticated and authorized, minimizing the attack surface.
  • Seamless integration: Works natively with Google Cloud’s Compute Engine, App Engine, Cloud Run, and GKE with minimal changes to application code.

How to Use It

This section outlines the steps to configure Identity-Aware Proxy with Google IAP, enforce access policies, and enable secure application access.

1. Prerequisites

  • A Google Cloud project with billing enabled.
  • The IAP API enabled:
    gcloud services enable iap.googleapis.com
  • Applications deployed on App Engine, Cloud Run, GKE (with HTTP(S) load balancer), or Compute Engine (behind HTTP(S) load balancer).
  • Proper IAM permissions to configure IAP.

2. Enable IAP on Your Resource

For example, to enable IAP for an App Engine application:

  1. Navigate to Security > Identity-Aware Proxy in the Google Cloud Console.
  2. Select your project and resource (e.g., App Engine app).
  3. Click the toggle to turn on IAP protection.

Alternatively, use the gcloud CLI:

gcloud iap web enable --resource-type=app-engine --project=YOUR_PROJECT_ID

For Compute Engine or GKE, ensure the service is behind an HTTPS load balancer with a global external IP.

3. Configure Access Policies

Access to IAP-protected resources is managed via IAM roles:

  • roles/iap.httpsResourceAccessor: Grants access to IAP-secured resources.
  • roles/iap.tunnelResourceAccessor: Grants access to TCP resources exposed through IAP TCP forwarding (for example, SSH to a VM without a public IP).

Assign these roles to users, groups, or service accounts:

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="user:alice@example.com" \
  --role="roles/iap.httpsResourceAccessor"

4. Enforce Context-Aware Access

To require device or location-based controls, use Access Context Manager. Access levels live inside your organization's access policy, so the policy ID is needed before a level can be created:

  1. Find the access policy ID for your organization:
    gcloud access-context-manager policies list --organization=YOUR_ORG_ID
  2. Define an access level inside that policy. The --basic-level-spec flag takes the path of a YAML file listing the conditions, not an inline condition string:
    # device_policy.yaml
    - devicePolicy:
        requireScreenlock: true
    gcloud access-context-manager levels create device_policy_level \
      --title="Require Corp Device" \
      --basic-level-spec=device_policy.yaml \
      --policy=POLICY_ID
  3. Apply the access level to IAP via the Cloud Console under Security > Context-Aware Access.

5. Enable Programmatic Access with Service Accounts

To allow applications (such as CI/CD systems or monitoring agents) to access IAP-protected endpoints, grant a service account roles/iap.httpsResourceAccessor and have it authenticate with an OAuth 2.0 / OpenID Connect ID token rather than a user login.

Example: obtain an OpenID Connect ID token (a Google-signed JWT minted for the service account) and present it as a bearer token to a protected HTTP resource:

from google.auth.transport.requests import Request
from google.oauth2 import service_account
import requests

service_account_info = { ... }  # Parsed service account key JSON (a dict)

# IAP validates the ID token's audience against the OAuth 2.0 client ID of the
# IAP-protected backend, so that client ID (not the app URL) is the target audience.
credentials = service_account.IDTokenCredentials.from_service_account_info(
    service_account_info,
    target_audience='YOUR_IAP_OAUTH_CLIENT_ID'
)

credentials.refresh(Request())  # Mints the ID token; it is exposed as credentials.token
response = requests.get(
    'https://YOUR_APP_URL',
    headers={'Authorization': f'Bearer {credentials.token}'}
)
response.raise_for_status()  # 401/403 here means IAP rejected the token or the principal
print(response.text)

When to Use It

  • Protect web applications or internal tools deployed on Google Cloud (App Engine, Cloud Run, GKE, Compute Engine) that require identity-based access.
  • Implement context-aware access policies that enforce device, user, or location attributes.
  • Replace legacy VPN solutions and avoid exposing internal resources to the public internet.
  • Require per-request authentication and authorization for sensitive endpoints.
  • Allow programmatic, secure access for automation or integration with trusted service accounts.

Important Notes

  • IAP only protects traffic routed through Google’s HTTPS load balancer. Non-HTTP applications, or those not behind a supported load balancer, cannot use IAP, and traffic that reaches a backend without passing through the load balancer is never checked, so backend firewall rules should admit only the load balancer’s proxy ranges.
  • Applications that require public, unauthenticated access should not be placed behind IAP.
  • Ensure existing authentication flows do not conflict with IAP, as double-authentication can disrupt user experience.
  • For TCP resources, use IAP TCP forwarding, which requires additional client setup.
  • Regularly review IAM policies and Access Context Manager rules to prevent over-provisioned access.
  • Logging and monitoring of IAP events can be enabled for auditing and compliance.
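The role review recommended above can be scripted against the IAM policy export for the project. The following is an added example, not code from the page or from Google: it scans the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints for the two IAP roles from step 3 and flags members that make an IAP-protected app effectively public (allUsers, allAuthenticatedUsers, whole domains) or that refer to deleted principals. The sample policy is constructed for the example.

```python
import json

# The two IAP access roles listed in step 3.
IAP_ROLES = {"roles/iap.httpsResourceAccessor", "roles/iap.tunnelResourceAccessor"}

# Principals that make an IAP-protected resource effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_iap_bindings(policy: dict) -> list:
    """Return (role, member, reason) tuples for IAP bindings that need review.

    `policy` is the parsed output of `gcloud projects get-iam-policy --format=json`.
    Bindings for non-IAP roles are ignored; only IAP accessor roles are checked.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in IAP_ROLES:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public principal"))
            elif member.startswith("domain:"):
                findings.append((role, member, "whole domain"))
            elif member.startswith("deleted:"):
                findings.append((role, member, "deleted principal still bound"))
    return findings


# Constructed sample policy for this example (not from a real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["user:alice@example.com", "group:app-users@example.com",
                 "allAuthenticatedUsers", "domain:example.com"]},
    {"role": "roles/iap.tunnelResourceAccessor",
     "members": ["serviceAccount:ci@example.iam.gserviceaccount.com",
                 "deleted:user:bob@example.com?uid=123"]},
    {"role": "roles/viewer", "members": ["allUsers"]}
  ],
  "etag": "PLACEHOLDER_ETAG",
  "version": 1
}
""")

if __name__ == "__main__":
    for role, member, reason in audit_iap_bindings(SAMPLE_POLICY):
        print(f"{role}: {member} ({reason})")
```

The allUsers binding on roles/viewer is deliberately not reported: it is a separate problem, but it does not grant passage through IAP.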

Configuring Identity-Aware Proxy with Google IAP is a foundational step toward Zero Trust architecture on Google Cloud, offering robust security and granular access control for modern cloud applications.