# Use authorization policies to delegate authorization to IAP and IAM

| **Preview**
|
| This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
| of the [Service Specific Terms](/terms/service-terms#1).
|
| Pre-GA features are available "as is" and might have limited support.
|
| For more information, see the
| [launch stage descriptions](/products#product-launch-stages).

This page describes how to use authorization policies to designate
Identity-Aware Proxy (IAP) as the custom authorization engine in an
authorization policy for Application Load Balancers.

To delegate authorization to IAP and
Identity and Access Management (IAM), you authorize traffic to a forwarding rule based on
IAM or end-user identities for managed load balancers. This lets
you enforce IAP-based access control for your backend services.
Before you begin
----------------

- Understand [authorization policies](/load-balancing/docs/auth-policy/auth-policy-overview) concepts.
- Ensure that the backend services of the forwarding rules don't have IAP enabled. If IAP is enabled, you receive an error when submitting your configuration.
- [Enable the Network Services API](/endpoints/docs/openapi/enable-api#enabling_an_api).

Create the authorization policy and enable IAP
----------------------------------------------

To create an authorization policy, you create a policy file that defines the
target and rules, and then enable IAP on the forwarding rule.

### gcloud

1. Run the following command to prepare a `policy.yaml` file.

   ```
   cat << EOF > policy.yaml
   action: CUSTOM
   description: authz policy with Cloud IAP
   name: AUTHZ_POLICY_NAME
   customProvider:
     cloudIap: {}
   target:
     loadBalancingScheme: EXTERNAL_MANAGED
     resources:
     - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   gcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \
       --source=policy.yaml \
       --location=LOCATION \
       --project=PROJECT_ID
   ```

Replace the following:

- `PROJECT_ID`: The Google Cloud project ID.
- `LOCATION`: The region that the resource is located in.
- `FORWARDING_RULE_ID`: The ID of the forwarding rule resource.
- `AUTHZ_POLICY_NAME`: The name of the authorization policy.
### API

1. Run the following command to prepare a `policy.json` file.

   ```
   cat << EOF > policy.json
   {
     "name": "AUTHZ_POLICY_NAME",
     "target": {
       "loadBalancingScheme": "INTERNAL_MANAGED",
       "resources": [
         "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
       ]
     },
     "action": "CUSTOM",
     "httpRules": [],
     "customProvider": {
       "cloudIap": {}
     }
   }
   EOF
   ```

2. Run the following command to enable IAP on a forwarding rule.

   ```
   curl -X PATCH \
       -H "Authorization: Bearer $(gcloud auth print-access-token)" \
       -H "Accept: application/json" \
       -H "Content-Type: application/json" \
       -d @policy.json \
       "https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"
   ```

   Replace the following:

   - `PROJECT_ID`: The Google Cloud project ID.
   - `LOCATION`: The region that the resource is located in.
   - `FORWARDING_RULE_ID`: The ID of the forwarding rule resource.
   - `AUTHZ_POLICY_NAME`: The name of the authorization policy.
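The policy file in both tabs has the same shape, and the import fails when a targeted backend service already has IAP enabled (see "Before you begin"). The following added example, which is not code from the original page or from Google, builds that policy body in Python, checks the invariants the delegation depends on (`action: CUSTOM` together with `customProvider.cloudIap`, a managed load-balancing scheme, forwarding-rule targets), and pre-flights the IAP conflict against backend-service descriptions. The backend-service dicts are constructed sample data shaped like `gcloud compute backend-services describe --format=json` output; the project, region and rule names are placeholders.

```python
"""Build and sanity-check an authorization policy that delegates to IAP.

Added example (not from the original page). It reproduces the policy.json
structure from the page in Python, validates the fields the delegation
relies on, and pre-flights the "Before you begin" requirement that no
targeted backend service already has IAP enabled.
"""
import json

COMPUTE_BASE = "https://www.googleapis.com/compute/v1"
# Both schemes appear on the page (gcloud example vs. API example).
MANAGED_SCHEMES = ("EXTERNAL_MANAGED", "INTERNAL_MANAGED")


def forwarding_rule_uri(project_id: str, location: str, rule_id: str) -> str:
    """Fully qualified URI of a regional forwarding rule, as used in target.resources."""
    return f"{COMPUTE_BASE}/projects/{project_id}/regions/{location}/forwardingRules/{rule_id}"


def build_authz_policy(name, project_id, location, rule_ids, scheme="INTERNAL_MANAGED"):
    """Return the authzPolicy body from the page, with IAP as the custom provider."""
    if scheme not in MANAGED_SCHEMES:
        raise ValueError(f"unsupported loadBalancingScheme: {scheme}")
    return {
        "name": name,
        "target": {
            "loadBalancingScheme": scheme,
            "resources": [forwarding_rule_uri(project_id, location, r) for r in rule_ids],
        },
        "action": "CUSTOM",
        "httpRules": [],
        "customProvider": {"cloudIap": {}},
    }


def validate_authz_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means IAP is consulted as intended."""
    findings = []
    if policy.get("action") != "CUSTOM":
        findings.append("action must be CUSTOM to hand the decision to a custom provider")
    provider = policy.get("customProvider") or {}
    if "cloudIap" not in provider:
        findings.append("customProvider.cloudIap is missing; IAP will not be consulted")
    target = policy.get("target") or {}
    if target.get("loadBalancingScheme") not in MANAGED_SCHEMES:
        findings.append("target.loadBalancingScheme must be a managed scheme")
    resources = target.get("resources") or []
    if not resources:
        findings.append("target.resources is empty; the policy would apply to nothing")
    for uri in resources:
        if "/forwardingRules/" not in uri:
            findings.append(f"target resource is not a forwarding rule: {uri}")
    return findings


def iap_enabled_backends(backend_services: list) -> list:
    """Names of backend services that already have IAP enabled (the import would fail)."""
    return [
        svc["name"]
        for svc in backend_services
        if (svc.get("iap") or {}).get("enabled") is True
    ]


# Constructed sample data: backend services behind the targeted forwarding rule.
SAMPLE_BACKENDS = [
    {"name": "api-backend", "iap": {"enabled": False}},
    {"name": "web-backend", "iap": {"enabled": True, "oauth2ClientId": "placeholder-client-id"}},
    {"name": "static-backend"},  # no iap block at all
]

if __name__ == "__main__":
    # Placeholder project, region and rule names; replace with your own.
    policy = build_authz_policy("authz-iap", "my-project", "us-central1", ["my-rule"])
    print(json.dumps(policy, indent=2))
    print("findings:", validate_authz_policy(policy))
    print("backends with IAP already enabled:", iap_enabled_backends(SAMPLE_BACKENDS))
```

Running the script prints a body you can write to `policy.json` for the API tab (or convert to YAML for the gcloud tab); a non-empty result from `iap_enabled_backends` tells you which backend services to fix before the import, rather than discovering it from the submission error.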
### Apply permissions to resources

You can use the IAP API to apply IAM
permissions to individual resources in an IAP-secured project.
IAM permissions granted at a certain level apply to all of the
levels underneath it. For example, a permission granted at the project level
applies to all of the Google Cloud resources in the project.

Following are some example commands for configuring permissions. For more
information, see [`gcloud alpha iap web set-iam-policy`](/sdk/gcloud/reference/iam/policies/get).

### gcloud

In the example commands, replace `POLICY_FILE` with the path to a YAML
formatted file that contains a valid policy. Following is an example YAML
file:

```
bindings:
- members:
  - user:example@example.com
  role: roles/iap.httpsResourceAccessor
```

#### Update the permission for who can access the forwarding rule resource

```
gcloud alpha iap web set-iam-policy POLICY_FILE [--organization=ORGANIZATION \
    --folder=FOLDER --project=PROJECT_ID \
    --resource-type=RESOURCE_TYPE --service=SERVICE]
```

#### Configure permission at the organization level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --organization=ORGANIZATION
```

#### Configure permission at the folder level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --folder=FOLDER
```

#### Configure permission at the project level

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=iap_web
```

#### Configure permission for all global forwarding rules in a project

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID --resource-type=forwarding_rule
```

#### Configure permission for all forwarding rules in a project in a region

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
    --resource-type=forwarding_rule --region=REGION
```

#### Configure permission for a specific global forwarding rule in a project

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
    --resource-type=forwarding_rule --service=SERVICE
```

#### Configure permission for a specific forwarding rule in a project in a region

```
gcloud alpha iap web set-iam-policy POLICY_FILE --project=PROJECT_ID \
    --resource-type=forwarding_rule --service=SERVICE --region=REGION
```

Replace the following:

- `POLICY_FILE`: The path to a YAML file that contains a valid policy.
- `ORGANIZATION`: The ID of your organization.
- `FOLDER`: The folder that contains your application.
- `PROJECT_ID`: The Google Cloud project ID.
- `RESOURCE_TYPE`: The IAP resource type. The resource type must be `app-engine`, `iap_web`, `compute`, `organization`, or `folder`.
- `SERVICE`: The forwarding rule ID or name.
- `REGION`: The region that the resource is located in.

### API

Use the resource name for the scope you want as `RESOURCE_NAME` in the request that follows.

#### Configure permission at the organization level

```
organization/ORGANIZATION
```

#### Configure permission at the folder level

```
folders/FOLDER
```

#### Configure permission at the project level

```
projects/PROJECT_ID
```

#### Configure permission for all global forwarding rules in a project

```
projects/PROJECT_ID/forwarding_rule
```

#### Configure permission for all forwarding rules in a project in a region

```
projects/PROJECT_ID/iap_web/forwarding_rule-REGION
```

#### Configure permission for a specific global forwarding rule in a project

```
projects/PROJECT_ID/iap_web/forwarding_rule/services/SERVICE
```

#### Configure permission for a specific forwarding rule in a project in a region

```
projects/PROJECT_ID/iap_web/forwarding_rule-REGION/services/SERVICE
```

#### Set the authorization policy

```
curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Accept: application/json" \
    -H "Content-Type: application/json" \
    -d @policy.json \
    "https://iap.googleapis.com/v1/RESOURCE_NAME:setIamPolicy"
```

For `policy.json`, you can create the JSON file by running the following
command. Update the values as needed.

```
cat << EOF > policy.json
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.httpsResourceAccessor",
        "members": [
          "user:example@example.com"
        ]
      }
    ]
  }
}
EOF
```

Replace the following:

- `ORGANIZATION`: The ID of your organization.
- `FOLDER`: The folder that contains your application.
- `PROJECT_ID`: The Google Cloud project ID.
- `REGION`: The region that the resource is located in.
- `SERVICE`: The forwarding rule ID or name.

Last updated 2025-08-18 UTC.
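The gcloud and API sections above describe the same set of scopes twice: once as flag combinations and once as IAP resource names. The following added example, which is not code from the original page or from Google, encodes both tables so that one set of inputs yields the `setIamPolicy` resource name, the request URL and the equivalent gcloud argument list, and it builds the request body with the `roles/iap.httpsResourceAccessor` binding. The resource-name patterns and the role are copied from the page; the member-prefix check and the warning about `allUsers`/`allAuthenticatedUsers` are this example's own additions (granting the accessor role to those principals opens the resource to everyone IAP would otherwise gate). Project, region and service values are placeholders.

```python
"""IAP IAM resource names, gcloud equivalents and a setIamPolicy body.

Added example, not the page's own code. Patterns follow the page's
"Apply permissions to resources" section; the binding checks are extra.
"""
import json

IAP_API = "https://iap.googleapis.com/v1"
ACCESSOR_ROLE = "roles/iap.httpsResourceAccessor"
# Common IAM principal prefixes; anything else is flagged for review.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
BROAD_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def iap_resource_name(scope, *, organization=None, folder=None, project=None,
                      region=None, service=None):
    """Resource name for the setIamPolicy call, following the page's API section."""
    if scope == "organization":
        return f"organization/{organization}"
    if scope == "folder":
        return f"folders/{folder}"
    if scope == "project":
        return f"projects/{project}"
    if scope == "forwarding_rules":          # every forwarding rule in the project
        if region:
            return f"projects/{project}/iap_web/forwarding_rule-{region}"
        return f"projects/{project}/forwarding_rule"
    if scope == "forwarding_rule":           # one specific forwarding rule
        if region:
            return f"projects/{project}/iap_web/forwarding_rule-{region}/services/{service}"
        return f"projects/{project}/iap_web/forwarding_rule/services/{service}"
    raise ValueError(f"unknown scope: {scope}")


def set_iam_policy_url(resource_name):
    """URL the curl command on the page targets for a given resource name."""
    return f"{IAP_API}/{resource_name}:setIamPolicy"


def gcloud_set_iam_policy(policy_file, scope, **kw):
    """Argument list of the equivalent `gcloud alpha iap web set-iam-policy` command."""
    cmd = ["gcloud", "alpha", "iap", "web", "set-iam-policy", policy_file]
    if scope == "organization":
        cmd.append(f"--organization={kw['organization']}")
    elif scope == "folder":
        cmd.append(f"--folder={kw['folder']}")
    elif scope == "project":
        cmd += [f"--project={kw['project']}", "--resource-type=iap_web"]
    elif scope in ("forwarding_rules", "forwarding_rule"):
        cmd += [f"--project={kw['project']}", "--resource-type=forwarding_rule"]
        if scope == "forwarding_rule":
            cmd.append(f"--service={kw['service']}")
        if kw.get("region"):
            cmd.append(f"--region={kw['region']}")
    else:
        raise ValueError(f"unknown scope: {scope}")
    return cmd


def check_members(members):
    """Findings for a member list: overly broad principals and malformed entries."""
    findings = []
    for m in members:
        if m in BROAD_PRINCIPALS:
            findings.append(f"{m} grants {ACCESSOR_ROLE} to everyone; IAP would no longer gate access")
        elif not m.startswith(MEMBER_PREFIXES):
            findings.append(f"malformed member (expected a type prefix): {m}")
    return findings


def build_set_iam_policy_request(members, role=ACCESSOR_ROLE):
    """Request body for RESOURCE_NAME:setIamPolicy; the Policy sits under a "policy" key."""
    findings = check_members(members)
    if findings:
        raise ValueError("; ".join(findings))
    return {"policy": {"bindings": [{"role": role, "members": list(members)}]}}


if __name__ == "__main__":
    # Placeholder project, region and service names; replace with your own.
    name = iap_resource_name("forwarding_rule", project="my-project",
                             region="us-central1", service="my-rule")
    print(set_iam_policy_url(name))
    print(" ".join(gcloud_set_iam_policy("policy.yaml", "forwarding_rule",
                                         project="my-project", region="us-central1",
                                         service="my-rule")))
    print(json.dumps(build_set_iam_policy_request(["user:example@example.com"]), indent=2))
```

The body that `build_set_iam_policy_request` returns matches the `policy.json` shown above and can be passed straight to `-d @policy.json`. Note that the standard IAM `setIamPolicy` method is invoked with POST; if the request is rejected with the `PATCH` shown on the page, try the same body with `-X POST`.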