Use authorization policies to delegate authorization to IAP and IAM
> **Preview**
>
> This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
> of the [Service Specific Terms](/terms/service-terms#1).
>
> Pre-GA features are available "as is" and might have limited support.
>
> For more information, see the
> [launch stage descriptions](/products#product-launch-stages).

This page describes how to use authorization policies to designate
Identity-Aware Proxy (IAP) as the custom authorization engine in an
authorization policy for Application Load Balancers.

To delegate authorization to IAP and Identity and Access Management (IAM), you
authorize traffic to a forwarding rule based on IAM or end-user identities for
managed load balancers. This lets you enforce IAP-based access control for your
backend services.

Before you begin
----------------

- Understand [authorization policies](/load-balancing/docs/auth-policy/auth-policy-overview) concepts.
- Ensure that the backend services of the forwarding rules don't have IAP enabled. If IAP is enabled, you receive an error when submitting your configuration.
- [Enable the Network Services API](/endpoints/docs/openapi/enable-api#enabling_an_api).

Create the authorization policy and enable IAP
----------------------------------------------

To create an authorization policy, you create a policy file that defines the
target and rules, and then enable IAP on the forwarding rule.

### gcloud

1. Run the following command to prepare a `policy.yaml` file.

   ```
   cat << EOF > policy.yaml
   action: CUSTOM
   description: authz policy with Cloud IAP
   name: AUTHZ_POLICY_NAME
   customProvider:
     cloudIap: {}
   target:
     loadBalancingScheme: EXTERNAL_MANAGED
     resources:
     - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
   --source=policy.yaml \
   --location=LOCATION \
   --project=PROJECT_ID
   ```

Replace the following:

- PROJECT_ID: The Google Cloud project ID.
- LOCATION: The region that the resource is located in.
- FORWARDING_RULE_ID: The ID of the forwarding rule resource.
- AUTHZ_POLICY_NAME: The name of the authorization policy.

### API

1. Run the following command to prepare a `policy.json` file.

   ```
   cat << EOF > policy.json
   {
     "name": "AUTHZ_POLICY_NAME",
     "target": {
       "loadBalancingScheme": "INTERNAL_MANAGED",
       "resources": [
         "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
       ]
     },
     "action": "CUSTOM",
     "httpRules": [],
     "customProvider": {
       "cloudIap": {}
     }
   }
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   curl -X PATCH \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Accept: application/json" \
   -H "Content-Type: application/json" \
   -d @policy.json \
   "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"
   ```

Replace the following:

- PROJECT_ID: The Google Cloud project ID.
- LOCATION: The region that the resource is located in.
- FORWARDING_RULE_ID: The ID of the forwarding rule resource.
- AUTHZ_POLICY_NAME: The name of the authorization policy.

Apply permissions to resources
------------------------------

You can use the IAP API to apply IAM permissions to individual resources in an
IAP-secured project. IAM permissions granted at a certain level apply to all of
the levels underneath it. For example, a permission granted at the project level
applies to all of the Google Cloud resources in the project.

Following are some example commands for configuring permissions. For more
information, see [`gcloud alpha iap web set-iam-policy`](/sdk/gcloud/reference/iam/policies/get).

### gcloud

In the example commands, replace POLICY_FILE with the path to a YAML formatted
file that contains a valid policy. Following is an example YAML file:

```
bindings:
- members:
  - user:example@example.com
  role: roles/iap.httpsResourceAccessor
```

#### Update the permission for who can access the forwarding rule resource

```
gcloud alpha iap web set-iam-policy POLICY_FILE [--organization=ORGANIZATION \
--folder=FOLDER --project=PROJECT_ID \
--resource-type=RESOURCE_TYPE --service=SERVICE]
```

#### Configure permission at the organization level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION
```

#### Configure permission at the folder level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --folder=FOLDER
```

#### Configure permission at the project level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web
```

#### Configure permission for all global forwarding rules in a project

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule
```

#### Configure permission for all forwarding rules in a project in a region

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --region=REGION
```

#### Configure permission for a specific global forwarding rule in a project

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE
```

#### Configure permission for a specific forwarding rule in a project in a region

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE --region=REGION
```

Replace the following:

- POLICY_FILE: The path to a YAML file that contains a valid policy.
- ORGANIZATION: The ID of your organization.
- FOLDER: The folder that contains your application.
- PROJECT_ID: The Google Cloud project ID.
- RESOURCE_TYPE: The IAP resource type. The resource type must be `app-engine`, `iap_web`, `compute`, `organization`, or `folder`.
- SERVICE: The forwarding rule ID or name.
- REGION: The region that the resource is located in.

### API

Use one of the following values for RESOURCE_NAME in the `setIamPolicy` request,
depending on the level at which you want to grant access.

#### Configure permission at the organization level

```
organization/ORGANIZATION
```

#### Configure permission at the folder level

```
folders/FOLDER
```

#### Configure permission at the project level

```
projects/PROJECT_ID
```

#### Configure permission for all global forwarding rules in a project

```
projects/PROJECT_ID/forwarding_rule
```

#### Configure permission for all forwarding rules in a project in a region

```
projects/PROJECT_ID/iap_web/forwarding_rule-REGION
```

#### Configure permission for a specific global forwarding rule in a project

```
projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE
```

#### Configure permission for a specific forwarding rule in a project in a region

```
projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE
```

#### Set the IAM policy on the resource

```
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @policy.json \
"https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"
```

For `policy.json`, you can create the JSON file by running the following
command. Update the values as needed.

```
cat << EOF > policy.json
{
  "bindings": [
    {
      "members": [
        "user:example@example.com"
      ],
      "role": "roles/iap.httpsResourceAccessor"
    }
  ]
}
EOF
```

Replace the following:

- ORGANIZATION: The ID of your organization.
- FOLDER: The folder that contains your application.
- PROJECT_ID: The Google Cloud project ID.
- REGION: The region that the resource is located in.
- SERVICE: The forwarding rule ID or name.
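A pre-submit check for the two policy documents this page has you write, as an added example that is not part of Google's documentation or tooling: it verifies that an authorization policy really delegates to IAP (`action: CUSTOM` with `customProvider.cloudIap`) and targets regional forwarding rules in the same location the policy is imported to, and that the IAP IAM policy grants `roles/iap.httpsResourceAccessor` only to explicit principals. Both documents are passed in as parsed dicts, for example from `json.load` on the `policy.json` files created above; the finding strings and member-prefix list are this example's own choices.

```python
import re

# Regional forwarding rule URL, the only target form this page uses.
FR_URL = re.compile(
    r"^https://www\.googleapis\.com/compute/v1/projects/(?P<project>[^/]+)"
    r"/regions/(?P<region>[^/]+)/forwardingRules/(?P<rule>[^/]+)$")
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
IAP_ROLE = "roles/iap.httpsResourceAccessor"


def lint_authz_policy(policy: dict, location: str) -> list[str]:
    """Findings for an authz policy meant to hand authorization to IAP."""
    findings = []
    if policy.get("action") != "CUSTOM":
        findings.append("action must be CUSTOM to use a custom provider")
    if "cloudIap" not in policy.get("customProvider", {}):
        findings.append("customProvider.cloudIap missing; IAP is never consulted")
    target = policy.get("target", {})
    if target.get("loadBalancingScheme") not in ("INTERNAL_MANAGED", "EXTERNAL_MANAGED"):
        findings.append("loadBalancingScheme must be INTERNAL_MANAGED or EXTERNAL_MANAGED")
    for res in target.get("resources", []):
        m = FR_URL.match(res)
        if m is None:
            findings.append(f"not a regional forwarding rule URL: {res}")
        elif m["region"] != location:  # regional policy must match its targets
            findings.append(f"resource region {m['region']} differs from --location {location}")
    return findings


def lint_iam_policy(policy: dict) -> list[str]:
    """Findings for the IAP IAM policy sent to RESOURCE_NAME:setIamPolicy."""
    bindings = policy.get("bindings")
    if not isinstance(bindings, list):
        return ["bindings must be a list of {role, members} objects"]
    findings = []
    for b in bindings:
        if b.get("role") != IAP_ROLE:
            findings.append(f"unexpected role {b.get('role')}; IAP web access uses {IAP_ROLE}")
        members = b.get("members")
        if not isinstance(members, list):
            findings.append("members must be a list of principals")
            continue
        for mem in members:
            if mem in PUBLIC_MEMBERS:
                findings.append(f"{mem} is a public principal; IAP no longer restricts who reaches the backend")
            elif not mem.startswith(MEMBER_PREFIXES):
                findings.append(f"unrecognised member format: {mem}")
    return findings
```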