Also read: "IAP equivalent on Azure?" and "Service Controls and IAM - a 2 minute Security Solution on GCP"

IAP (Identity-Aware Proxy) is a combination of identity controls (Cloud IAM) and networking controls that together provide granular access to applications.

Example use case 1 - Instead of using my app's native authentication, I would like to let users into the app with their native GCP identity (their Cloud IAM identity).

Example use case 2 - WITHOUT RELYING on a VPN, I want INTERNAL (network) employees (identity) to access an application, but I want to deny EXTERNAL (network) workers (contractors) access to the same app.

Is it only for Compute Engine?

No. App Engine, Cloud Run, and even on-premises data center resources can all be protected with IAP on GCP.

How do I enable IAP for a resource or a project?

IAP can be enabled on a project-wide basis through the console. Any apps deployed on App Engine are automatically retrieved when you associate IAP with an app.

Prerequisites - OAuth Consent Screen

If you haven't configured your project's OAuth consent screen yet, you need to do so. The consent screen requires a support email address and an application name.

  1. Go to the OAuth consent screen page (Configure consent screen).
  2. Under Support email, select the email address you want to display as a public contact. This email address must be your email address, or a Google Group you own.
  3. Enter the Application name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

Where does the Identity Piece fit in? How do I configure it?

It's really simple. When you go into IAM, you should see the option to enable IAP. When you take this option, the console automatically retrieves whatever App Engine apps you have and lets you select one from a dropdown.

Once IAP is enabled for the app, you can 'Add Members'. That's it - now any IAM member you add can access this App Engine app WITHOUT having a native login in the app!

Can I use it in conjunction with the GCP HTTPS load balancer?

Yes, Cloud IAP is integrated with the HTTPS load balancer.

How does the networking part work for an IAP protected resource?

The key thing to realize is that IAP works because only a restricted set of source IP addresses (the IAP proxy IPs) is let in through new firewall rules, and the default firewall rules are all deleted. Without this network restriction, a client that reaches the instance directly would skip the identity check entirely.

  1. Go to the Cloud Console VPC network > Firewall rules page.
  2. Select the checkbox next to the following rules:
    • default-allow-http
    • default-allow-https
    • default-allow-internal
  3. Click Delete.
  4. Click Create firewall rule and set the following values:
    • Name: allow-iap-traffic
    • Targets: All instances in the network
    • Source IP ranges (press Enter after you paste each value in the box):
      • 130.211.0.0/22
      • 35.191.0.0/16
    • Protocols and ports:
      • Specified protocols and ports
      • tcp:80
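The firewall procedure above is easy to get wrong later, when someone re-adds a convenience rule. The following audit script, added here as an example and not part of the original post, encodes the intended end state (only the two IAP proxy ranges may reach the instances, only on tcp:80, and no default-allow-* rule survives) and reports every ingress rule that deviates from it. The input shape follows the JSON that `gcloud compute firewall-rules list --format=json` produces (fields `name`, `direction`, `disabled`, `sourceRanges`, `allowed`); the sample rules themselves are constructed.

```python
"""Audit VPC firewall rules against the IAP-only ingress design described above.

Example added here; it is not code from the post or from Google. Input rules use the
field names of `gcloud compute firewall-rules list --format=json`; SAMPLE_RULES below
are constructed for the demo.
"""
import ipaddress

# The IAP proxy source ranges from the procedure above.
IAP_PROXY_RANGES = [ipaddress.ip_network("130.211.0.0/22"),
                    ipaddress.ip_network("35.191.0.0/16")]


def _range_is_iap(cidr):
    """True if the CIDR lies entirely inside one of the IAP proxy ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in IAP_PROXY_RANGES)


def audit_firewall(rules, iap_ports=("80",)):
    """Return (rule name, problem) findings; an empty list means the rules match the design."""
    findings = []
    for rule in rules:
        name = rule["name"]
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue                                  # egress and disabled rules admit nothing
        if name.startswith("default-allow-"):
            findings.append((name, "default allow rule still present"))
        if "allowed" not in rule:
            continue                                  # deny rules can only narrow access
        ranges = rule.get("sourceRanges") or []
        if not ranges:
            findings.append((name, "no source IP ranges (restricted by tags only, or not at all)"))
        wide = [r for r in ranges if not _range_is_iap(r)]
        if wide:
            findings.append((name, f"admits non-IAP sources {wide}"))
        for entry in rule["allowed"]:
            proto = entry.get("IPProtocol", "all")
            extra = sorted(set(entry.get("ports") or []) - set(iap_ports))
            if proto != "tcp":
                findings.append((name, f"protocol {proto} is not needed for IAP HTTP traffic"))
            elif not entry.get("ports") or extra:
                findings.append((name, f"tcp ports beyond {list(iap_ports)}: {extra or 'all'}"))
    return findings


# Constructed sample: the rule from the procedure, one default rule someone restored,
# an office SSH rule, and a disabled leftover.
SAMPLE_RULES = [
    {"name": "allow-iap-traffic", "direction": "INGRESS",
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-from-office", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for rule_name, problem in audit_firewall(SAMPLE_RULES):
        print(f"{rule_name}: {problem}")
```

Run it against real output by loading the `gcloud ... --format=json` array and passing it to `audit_firewall`. Every finding is a path into the instances that does not go through IAP; a rule you decide to keep (for instance an SSH rule) should be a deliberate, documented exception rather than a silent one.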

Summary

IAP is a great alternative to building your own authentication scheme for your app. IAP passes the caller's verified identity to your app in signed headers, which the app should check before trusting them; on the App Engine standard environment the integration is built in.