Use authorization policies to delegate authorization to IAP and IAM

This page describes how to use authorization policies to designate Identity-Aware Proxy (IAP) as the custom authorization engine in an authorization policy for Application Load Balancers.

To delegate authorization to IAP and Identity and Access Management (IAM), you authorize traffic to a forwarding rule based on IAM or end-user identities for managed load balancers. This lets you enforce IAP-based access control for your backend services.

Before you begin

Understand authorization policies concepts.
Ensure that the backend services of the forwarding rules don't have IAP enabled. If IAP is enabled, you receive an error when submitting your configuration.
Enable the Network Services API.

Create the authorization policy and enable IAP

To create an authorization policy, you create a policy file that defines the target and rules, and then enable IAP on the forwarding rule.

gcloud

Run the following command to prepare a policy.yaml file.

$ cat << EOF > policy.yaml
action: CUSTOM
description: authz policy with Cloud IAP
name: AUTHZ_POLICY_NAME
customProvider:
  cloudIap: {}
target:
  loadBalancingScheme: EXTERNAL_MANAGED
  resources:
  - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
EOF

Run the following command to enable IAP on a forwarding rule.

gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
--source=policy.yaml \
--location=LOCATION \
--project=PROJECT_ID

Replace the following:

PROJECT_ID: The Google Cloud project ID.
LOCATION: The region that the resource is located in.
FORWARDING_RULE_ID: The ID of the forwarding rule resource.
AUTHZ_POLICY_NAME: The name of the authorization policy.

API

Run the following command to prepare a policy.json file.

cat << EOF > policy.json
{
"name": "AUTHZ_POLICY_NAME",
"target": {
"loadBalancingScheme": "INTERNAL_MANAGED",
"resources": [
"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
],
},
"action": "CUSTOM",
"httpRules": [],
"customProvider": {
"cloudIap": {}
}
}
EOF

Run the following command to enable IAP on a forwarding rule.
```
curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @policy.json \
"https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"
```
Replace the following:
- PROJECT_ID: The Google Cloud project ID.
- LOCATION: The region that the resource is located in.
- FORWARDING_RULE_ID: The ID of the forwarding rule resource.
- AUTHZ_POLICY_NAME: The name of the authorization policy.

Apply permissions to resources

You can use the IAP API to apply IAM permissions to individual resources in an IAP-secured project. IAM permissions granted at a certain level apply to all of the levels underneath it. For example, a permission granted at the project level applies to all of the Google Cloud resources in the project.

Following are some example commands for configuring permissions. For more information, see gcloud alpha iap web set-iam-policy.

gcloud

In the example commands, replace POLICY_FILE with the path to a YAML formatted file that contains a valid policy. Following is an example YAML file:

bindings:
  members: user:example@example.com
  role: roles/iap.httpsResourceAccessor

Update the permission for who can access the forwarding rule resource

gcloud alpha iap web set-iam-policy POLICY_FILE [--organization=ORGANIZATION \
--folder=FOLDER --project=/PROJECT_ID \
--resource-type=RESOURCE_TYPE --service=SERVICE]

Configure permission at the organization level

gcloud alpha iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION

Configure permission at the folder level

gcloud alpha iap web set-iam-policy POLICY_FILE --folder=FOLDER

Configure permission at the project level

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web

Configure permission for all global forwarding rules in a project

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule

Configure permission for all forwarding rules in a project in a region

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --region=REGION

Configure permission for a specific global forwarding rule in a project

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE

Configure permission for a specific forwarding rule in a project in a region

gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
--resource-type=forwarding_rule --service=SERVICE --region=REGION

Replace the following:

POLICY_FILE: The path to a YAML file that contains a valid policy.
ORGANIZATION: The ID of your organization.
FOLDER: The folder that contains your application.
PROJECT_ID: The Google Cloud project ID.
RESOURCE_TYPE: The IAP resource type. The resource type must be app-engine, iap_web, compute, organization, or folder.
SERVICE: The forwarding rule ID or name.
REGION: The region that the resource is located in.

API

Configure permission at the organization level

organization/ORGANIZATION

Configure permission at the folder level

folders/FOLDER

Configure permission at the project level

projects/PROJECT_ID

Configure permission for all global forwarding rules in a project

projects/PROJECT_ID/forwarding_rule

Configure permission for all forwarding rules in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION

Configure permission for a specific global forwarding rule in a project

projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE

Configure permission for a specific forwarding rule in a project in a region

projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE

Set the authorization policy

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @policy.json \
"https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"

For policy.json, you can create the JSON file by running the following command. Update the values as needed.

cat << EOF > policy.json
{
  "bindings": {
     "members": "user:example@example.com",
     "role": "roles/iap.httpsResourceAccessor",
   }
}
EOF

Replace the following:

ORGANIZATION: The ID of your organization.
FOLDER: The folder that contains your application.
PROJECT_ID: The Google Cloud project ID.
REGION: The region that the resource is located in.
SERVICE: The forwarding rule ID or name.

Use authorization policies to delegate authorization to IAP and IAM Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Create the authorization policy and enable IAP

gcloud

API

Apply permissions to resources

gcloud

Update the permission for who can access the forwarding rule resource

Configure permission at the organization level

Configure permission at the folder level

Configure permission at the project level

Configure permission for all global forwarding rules in a project

Configure permission for all forwarding rules in a project in a region

Configure permission for a specific global forwarding rule in a project

Configure permission for a specific forwarding rule in a project in a region

API

Configure permission at the organization level

Configure permission at the folder level

Configure permission at the project level

Configure permission for all global forwarding rules in a project

Configure permission for all forwarding rules in a project in a region

Configure permission for a specific global forwarding rule in a project

Configure permission for a specific forwarding rule in a project in a region

Set the authorization policy

Use authorization policies to delegate authorization to IAP and IAM