IAPSettings
Property | Value |
---|---|
Google Cloud Service Name | Identity-Aware Proxy |
Google Cloud Service Documentation | /iap/docs/ |
Google Cloud REST Resource Documentation | /iap/docs/reference/rest/v1/IapSettings |
Config Connector Resource Short Names | IAPSettings gcpiapsettings iapsettings |
Config Connector Service Name | iap.googleapis.com |
Config Connector Resource Fully Qualified Name | iapsettings.iap.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
```yaml
accessSettings:
  allowedDomainsSettings:
    domains:
    - string
    enable: boolean
  corsSettings:
    allowHTTPOptions: boolean
  gcipSettings:
    loginPageURI: string
    tenantIDs:
    - string
  oauthSettings:
    loginHint: string
    programmaticClients:
    - string
  reauthSettings:
    maxAge: string
    method: string
    policyType: string
appEngineRef:
  applicationRef:
    external: string
  projectRef:
    external: string
    kind: string
    name: string
    namespace: string
  serviceRef:
    external: string
  versionRef:
    external: string
applicationSettings:
  accessDeniedPageSettings:
    accessDeniedPageURI: string
    generateTroubleshootingURI: boolean
    remediationTokenGenerationEnabled: boolean
  attributePropagationSettings:
    enable: boolean
    expression: string
    outputCredentials:
    - string
  cookieDomain: string
  csmSettings:
    rctokenAud: string
computeServiceRef:
  projectRef:
    external: string
    kind: string
    name: string
    namespace: string
  region: string
  serviceRef:
    external: string
    name: string
    namespace: string
folderRef:
  external: string
  name: string
  namespace: string
organizationRef:
  external: string
projectRef:
  external: string
  kind: string
  name: string
  namespace: string
projectWebRef:
  projectRef:
    external: string
    kind: string
    name: string
    namespace: string
resourceID: string
```
Field | Required | Description |
---|---|---|
accessSettings | Optional | Top-level wrapper for all access-related settings in IAP. |
accessSettings.allowedDomainsSettings | Optional | Settings to configure and enable allowed domains. |
accessSettings.allowedDomainsSettings.domains | Optional | List of trusted domains. |
accessSettings.allowedDomainsSettings.domains[] | Optional | |
accessSettings.allowedDomainsSettings.enable | Optional | Configuration for customers to opt in for the feature. |
accessSettings.corsSettings | Optional | Configuration to allow cross-origin requests via IAP. |
accessSettings.corsSettings.allowHTTPOptions | Optional | Configuration to allow HTTP OPTIONS calls to skip authorization. If undefined, IAP will not apply any special logic to OPTIONS requests. |
accessSettings.gcipSettings | Optional | GCIP claims and endpoint configurations for third-party identity providers. |
accessSettings.gcipSettings.loginPageURI | Optional | Login page URI associated with the GCIP tenants. Typically, all resources within the same project share the same login page, though it can be overridden at the sub-resource level. |
accessSettings.gcipSettings.tenantIDs | Optional | GCIP tenant IDs that are linked to the IAP resource. tenant_ids can be a string beginning with a number character to indicate authenticating with the GCIP tenant flow, or in the format of _ |
accessSettings.gcipSettings.tenantIDs[] | Optional | |
accessSettings.oauthSettings | Optional | Settings to configure IAP's OAuth behavior. |
accessSettings.oauthSettings.loginHint | Optional | Domain hint to send as the hd=? parameter in the OAuth request flow. Enables redirect to the primary IdP by skipping Google's login screen. https://developers.google.com/identity/protocols/OpenIDConnect#hd-param Note: IAP does not verify that the ID token's hd claim matches this value, since access behavior is managed by IAM policies. |
accessSettings.oauthSettings.programmaticClients | Optional | List of OAuth client IDs allowed to programmatically authenticate with IAP. |
accessSettings.oauthSettings.programmaticClients[] | Optional | |
accessSettings.reauthSettings | Optional | Settings to configure reauthentication policies in IAP. |
accessSettings.reauthSettings.maxAge | Optional | Reauth session lifetime: how long before a user has to reauthenticate again. |
accessSettings.reauthSettings.method | Optional | Reauth method requested. |
accessSettings.reauthSettings.policyType | Optional | How IAP determines the effective policy in cases of hierarchical policies. Policies are merged from higher in the hierarchy to lower in the hierarchy. |
appEngineRef | Optional | Project-wide App Engine service settings. |
appEngineRef.applicationRef | Required* | |
appEngineRef.applicationRef.external | Optional | Format: projects/{projects_id}/iap_web/appengine-{app_id} |
appEngineRef.projectRef | Required* | The Project that this resource belongs to. |
appEngineRef.projectRef.external | Optional | The `projectID` field of a project, when not managed by Config Connector. |
appEngineRef.projectRef.kind | Optional | The kind of the Project resource; optional but must be `Project` if provided. |
appEngineRef.projectRef.name | Optional | The `name` field of a `Project` resource. |
appEngineRef.projectRef.namespace | Optional | The `namespace` field of a `Project` resource. |
appEngineRef.serviceRef | Optional | Optional. If specified, settings apply to the service. |
appEngineRef.serviceRef.external | Optional | Format: projects/{projects_id}/iap_web/appengine-{app_id}/service/{service_id} |
appEngineRef.versionRef | Optional | Optional. If specified, settings apply to the version. |
appEngineRef.versionRef.external | Optional | Format: projects/{projects_id}/iap_web/appengine-{app_id}/service/{service_id}/version/{version_id} |
applicationSettings | Optional | Top-level wrapper for all application-related settings in IAP. |
applicationSettings.accessDeniedPageSettings | Optional | Customization for the Access Denied page. |
applicationSettings.accessDeniedPageSettings.accessDeniedPageURI | Optional | The URI to be redirected to when access is denied. |
applicationSettings.accessDeniedPageSettings.generateTroubleshootingURI | Optional | Whether to generate a troubleshooting URL on access denied events to this application. |
applicationSettings.accessDeniedPageSettings.remediationTokenGenerationEnabled | Optional | Whether to generate a remediation token on access denied events to this application. |
applicationSettings.attributePropagationSettings | Optional | Settings to configure attribute propagation. |
applicationSettings.attributePropagationSettings.enable | Optional | Whether the provided attribute propagation settings should be evaluated on user requests. If set to true, attributes returned from the expression will be propagated in the selected output credentials. |
applicationSettings.attributePropagationSettings.expression | Optional | Raw string CEL expression. Must return a list of attributes. A maximum of 45 attributes can be selected. Expressions can select different attribute types from `attributes`: `attributes.saml_attributes`, `attributes.iap_attributes`. The following functions are supported: - filter ` |
applicationSettings.attributePropagationSettings.outputCredentials | Optional | Which output credentials the attributes selected by the CEL expression should be propagated in. All attributes will be fully duplicated in each selected output credential. |
applicationSettings.attributePropagationSettings.outputCredentials[] | Optional | |
applicationSettings.cookieDomain | Optional | The Domain value to set for cookies generated by IAP. This value is not validated by the API, but will be ignored at runtime if invalid. |
applicationSettings.csmSettings | Optional | Settings to configure IAP's behavior for a service mesh. |
applicationSettings.csmSettings.rctokenAud | Optional | Audience claim set in the generated RCToken. This value is not validated by IAP. |
computeServiceRef | Optional | Project-wide Compute service settings. |
computeServiceRef.projectRef | Required* | The Project that this resource belongs to. |
computeServiceRef.projectRef.external | Optional | The `projectID` field of a project, when not managed by Config Connector. |
computeServiceRef.projectRef.kind | Optional | The kind of the Project resource; optional but must be `Project` if provided. |
computeServiceRef.projectRef.name | Optional | The `name` field of a `Project` resource. |
computeServiceRef.projectRef.namespace | Optional | The `namespace` field of a `Project` resource. |
computeServiceRef.region | Optional | Optional. If specified, settings apply to the region. |
computeServiceRef.serviceRef | Optional | Optional. If specified, settings apply to the service. |
computeServiceRef.serviceRef.external | Optional | The value of an externally managed ComputeBackendService resource. |
computeServiceRef.serviceRef.name | Optional | The name of a ComputeBackendService resource. |
computeServiceRef.serviceRef.namespace | Optional | The namespace of a ComputeBackendService resource. |
folderRef | Optional | Folder-level settings. |
folderRef.external | Optional | The `name` field of a folder, when not managed by Config Connector. This field must be set when the `name` field is not set. |
folderRef.name | Optional | The `name` field of a `Folder` resource. This field must be set when the `external` field is not set. |
folderRef.namespace | Optional | The `namespace` field of a `Folder` resource. If unset, the namespace defaults to the namespace of the referencing resource. |
organizationRef | Optional | Organization-level settings. |
organizationRef.external | Required* | The `name` field of an organization, when not managed by Config Connector. |
projectRef | Optional | Project-level settings. |
projectRef.external | Optional | The `projectID` field of a project, when not managed by Config Connector. |
projectRef.kind | Optional | The kind of the Project resource; optional but must be `Project` if provided. |
projectRef.name | Optional | The `name` field of a `Project` resource. |
projectRef.namespace | Optional | The `namespace` field of a `Project` resource. |
projectWebRef | Optional | Project-wide web service settings. |
projectWebRef.projectRef | Required* | The Project that this resource belongs to. |
projectWebRef.projectRef.external | Optional | The `projectID` field of a project, when not managed by Config Connector. |
projectWebRef.projectRef.kind | Optional | The kind of the Project resource; optional but must be `Project` if provided. |
projectWebRef.projectRef.name | Optional | The `name` field of a `Project` resource. |
projectWebRef.projectRef.namespace | Optional | The `namespace` field of a `Project` resource. |
resourceID | Optional | The IAPSettings name. |
* Field is required when parent field is specified
Status
Schema
```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
externalRef: string
observedGeneration: integer
```
Field | Description |
---|---|
conditions | Conditions represent the latest available observations of the object's current state. |
conditions[] | |
conditions[].lastTransitionTime | Last time the condition transitioned from one status to another. |
conditions[].message | Human-readable message indicating details about the last transition. |
conditions[].reason | Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status | Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type | Type is the type of the condition. |
externalRef | A unique specifier for the IAPSettings resource in GCP. |
observedGeneration | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then the current reported status reflects the most recent desired state of the resource. |
Sample YAML(s)
Project IAP Settings

```yaml
# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: iap.cnrm.cloud.google.com/v1beta1
kind: IAPSettings
metadata:
  name: iapsettings-sample-project
spec:
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID
    external: projects/${PROJECT_ID?}
  accessSettings:
    corsSettings:
      allowHTTPOptions: true
    reauthSettings:
      method: LOGIN
      maxAge: 300s
      policyType: DEFAULT
  applicationSettings:
    cookieDomain: .example.com
```
Regional Backend Service IAP Settings

```yaml
apiVersion: iap.cnrm.cloud.google.com/v1beta1
kind: IAPSettings
metadata:
  name: iapsettings-sample-backendservice
spec:
  computeServiceRef:
    projectRef:
      # Replace ${PROJECT_ID?} with your project ID
      external: projects/${PROJECT_ID?}
    region: us-central1
    serviceRef:
      name: iapsettings-dep-backendservice
  accessSettings:
    corsSettings:
      allowHTTPOptions: true
    reauthSettings:
      method: SECURE_KEY
      maxAge: 305s
      policyType: MINIMUM
  applicationSettings:
    cookieDomain: test.com
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeBackendService
metadata:
  name: iapsettings-dep-backendservice
spec:
  healthChecks:
  - healthCheckRef:
      name: iapsettings-dep-backendservice
  location: us-central1
  connectionDrainingTimeoutSec: 10
  sessionAffinity: CLIENT_IP
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeHealthCheck
metadata:
  name: iapsettings-dep-backendservice
spec:
  checkIntervalSec: 10
  timeoutSec: 10
  httpHealthCheck:
    port: 80
  location: us-central1
```
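Several of the spec fields above are flagged by the reference itself as worth a second look before a manifest is applied: `allowHTTPOptions` lets OPTIONS calls skip authorization, `loginHint` is not checked against the ID token's `hd` claim, `cookieDomain` is not validated and is silently ignored at runtime if invalid, and `reauthSettings` is what bounds session lifetime. The checker below is an added example, not code from the Config Connector project or from Google; it lints IAPSettings manifests (already parsed into dicts, for example with PyYAML's `safe_load`) for those conditions. The reauth ceiling `MAX_REAUTH_AGE_SECONDS`, the "exactly one parent ref" rule, and the two manifests at the bottom are assumptions constructed for this example, and the project ID is a placeholder.

```python
"""Lint Config Connector IAPSettings manifests for security-relevant settings.

Added example, not Config Connector code. Manifests are passed as parsed dicts
(e.g. the result of yaml.safe_load); the two manifests below are constructed.
"""
import re

PARENT_REFS = ("appEngineRef", "computeServiceRef", "folderRef",
               "organizationRef", "projectRef", "projectWebRef")

# Assumption: a local ceiling for reauthSettings.maxAge chosen for this example.
MAX_REAUTH_AGE_SECONDS = 3600

_DURATION = re.compile(r"^(\d+(?:\.\d+)?)s$")
_DOMAIN = re.compile(r"^\.?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_duration_seconds(value):
    """Parse the 'Ns' string used by reauthSettings.maxAge, e.g. '300s' -> 300.0."""
    m = _DURATION.match(str(value).strip())
    if not m:
        raise ValueError(f"unsupported duration format: {value!r}")
    return float(m.group(1))


def _get(node, *path):
    """Walk nested dicts; return None when any key on the path is missing."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def lint_iapsettings(manifest):
    """Return (severity, field, message) findings for one IAPSettings manifest."""
    if manifest.get("kind") != "IAPSettings":
        return [("error", "kind", "not an IAPSettings manifest")]
    spec = manifest.get("spec", {})
    findings = []

    # Assumption: one manifest targets one scope, so exactly one parent ref is expected.
    parents = [p for p in PARENT_REFS if p in spec]
    if len(parents) != 1:
        findings.append(("error", "spec", f"expected one parent ref, found {parents}"))

    # Per the reference, allowHTTPOptions lets OPTIONS calls skip authorization.
    if _get(spec, "accessSettings", "corsSettings", "allowHTTPOptions") is True:
        findings.append(("warn", "accessSettings.corsSettings.allowHTTPOptions",
                         "OPTIONS requests skip IAP authorization; confirm the app needs this"))

    reauth = _get(spec, "accessSettings", "reauthSettings")
    if reauth is None:
        findings.append(("info", "accessSettings.reauthSettings",
                         "no reauthentication policy at this scope"))
    elif "maxAge" in reauth:
        try:
            age = parse_duration_seconds(reauth["maxAge"])
            if age > MAX_REAUTH_AGE_SECONDS:
                findings.append(("warn", "accessSettings.reauthSettings.maxAge",
                                 f"{age:.0f}s exceeds the ceiling of {MAX_REAUTH_AGE_SECONDS}s"))
        except ValueError as exc:
            findings.append(("error", "accessSettings.reauthSettings.maxAge", str(exc)))

    # Per the reference, IAP does not check the ID token's hd claim against loginHint.
    if _get(spec, "accessSettings", "oauthSettings", "loginHint"):
        findings.append(("info", "accessSettings.oauthSettings.loginHint",
                         "loginHint steers the login UI only; enforce access with IAM policy"))

    # Per the reference, cookieDomain is not validated and is ignored at runtime if invalid.
    cookie_domain = _get(spec, "applicationSettings", "cookieDomain")
    if cookie_domain is not None and not _DOMAIN.match(str(cookie_domain)):
        findings.append(("error", "applicationSettings.cookieDomain",
                         f"{cookie_domain!r} is not a domain and would be silently ignored"))

    # Attribute propagation switched on without an expression propagates nothing.
    aps = _get(spec, "applicationSettings", "attributePropagationSettings") or {}
    if aps.get("enable") is True and not aps.get("expression"):
        findings.append(("warn", "applicationSettings.attributePropagationSettings.expression",
                         "enable is true but no CEL expression is set"))
    return findings


# Constructed manifests; the project ID is a placeholder, not a real project.
WEAK_MANIFEST = {
    "apiVersion": "iap.cnrm.cloud.google.com/v1beta1", "kind": "IAPSettings",
    "metadata": {"name": "iapsettings-weak"},
    "spec": {
        "projectRef": {"external": "projects/PROJECT_ID_PLACEHOLDER"},
        "accessSettings": {"corsSettings": {"allowHTTPOptions": True}},
        "applicationSettings": {"cookieDomain": "example,com"},  # typo: comma, not dot
    },
}
HARDENED_MANIFEST = {
    "apiVersion": "iap.cnrm.cloud.google.com/v1beta1", "kind": "IAPSettings",
    "metadata": {"name": "iapsettings-hardened"},
    "spec": {
        "projectRef": {"external": "projects/PROJECT_ID_PLACEHOLDER"},
        "accessSettings": {"reauthSettings": {"method": "LOGIN", "maxAge": "300s",
                                              "policyType": "DEFAULT"}},
        "applicationSettings": {"cookieDomain": ".example.com"},
    },
}

if __name__ == "__main__":
    for m in (WEAK_MANIFEST, HARDENED_MANIFEST):
        print(m["metadata"]["name"], lint_iapsettings(m) or "no findings")
```

Run against the weak manifest the linter reports three findings (the OPTIONS bypass, the missing reauth policy, and the malformed cookie domain that IAP would drop without an error); the hardened manifest, which mirrors the shape of the project-level sample above, produces none. The check is deliberately structural: it cannot evaluate the CEL expression or know what the effective policy is after hierarchical merging, so it is a pre-apply guard, not a substitute for reviewing the settings IAP actually reports.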