IAP uses a Google-managed OAuth client to authenticate users.
Only users within the organization can access the IAP-enabled
application. If you want to allow access to users outside of your organization,
see Enable IAP for external applications.
You can enable IAP on a Compute Engine
backend service or on a
Compute Engine forwarding rule.
When you enable IAP on a Compute Engine backend service,
only that backend service is protected by IAP. When you enable
IAP on a Compute Engine forwarding rule, all of the
Compute Engine instances behind the forwarding rule are protected by
IAP.
Enable IAP on a forwarding rule
You can enable IAP on a forwarding rule by using the
load balancer authorization policies
framework.
gcloud
Run the following command to prepare a policy.yaml file.
$ cat << EOF > policy.yamlaction:CUSTOMdescription:authz policy with Cloud IAPname:AUTHZ_POLICY_NAMEcustomProvider:cloudIap:{}target:loadBalancingScheme:EXTERNAL_MANAGEDresources:-https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_IDEOF
Run the following command to enable IAP on a forwarding rule.
You can enable IAP on a Compute Engine backend service
through that backend service.
console
The Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.
If you haven't configured your project's OAuth consent screen, you'll be
prompted to do so. To configure your OAuth consent screen, see
Setting up your OAuth consent screen.
If you are running GKE clusters version 1.24 or later, you can configure
IAP and GKE by using the Kubernetes Gateway API. To do so, complete
the following steps and then follow the instructions in
Configure IAP.
Do not configure BackendConfig.
Select the checkbox next to the resource you want to grant access to.
If you don't see a resource, ensure that the resource is created and that
the BackendConfig Compute Engine ingress controller is synced.
To verify that the backend service is available, run the following
gcloud command:
gcloud compute backend-services list
On the right side panel, click Add principal.
In the Add principals dialog that appears, enter the email addresses of groups or
individuals who should have the IAP-secured Web App User role for the project.
The following kinds of principals can have this role:
Google Account: user@gmail.com
Google Group: admins@googlegroups.com
Service account: server@example.gserviceaccount.com
Google Workspace domain: example.com
Make sure to add a Google Account that you have access to.
Select Cloud IAP > IAP-secured Web App User from the Roles
drop-down list.
Click Save.
Turning on IAP
On the Identity-Aware Proxy page, under APPLICATIONS,
find the load balancer that serves the instance group you want to restrict
access to. To turn on IAP for a resource,
toggle the on/off switch in the IAP
column.
To enable IAP:
At least one protocol in the load balancer frontend
configuration must be HTTPS. Learn about setting up
a load balancer.
You need the compute.backendServices.update,
clientauthconfig.clients.create,
and clientauthconfig.clients.getWithSecret permissions. These permissions
are granted by roles, such as the Project Editor role. To learn more, see
Managing access to IAP-secured resources.
In the Turn on IAP window that appears, click Turn On to
confirm that you want IAP to secure your resource. After you turn on
IAP, it requires login credentials for all connections to your load balancer.
Only accounts with the IAP-Secured Web App User role on the project will be
given access.
gcloud
Before you set up your project and IAP, you need an up-to-date version of the
gcloud CLI. For instructions on how to install the gcloud CLI,
see Install the gcloud CLI.
To authenticate, use the Google Cloud CLI and run the following command.
gcloud auth login
To sign in, follow the URL that appears.
After you sign in, copy the verification code that appears and paste it in the command line.
Run the following command to specify the project that contains the resource that you want to protect with IAP.
gcloud config set project PROJECT_ID
To enable IAP, run either the globally or regionally scoped command.
After you enable IAP, you can use the gcloud CLI to modify
the IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
API
Run the following command to prepare a settings.json file.
After you enable IAP, you can use the Google Cloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-19 UTC."],[[["\u003cp\u003eThis guide outlines the process of securing Compute Engine instances using Identity-Aware Proxy (IAP), which involves enabling IAP on either a backend service or a forwarding rule.\u003c/p\u003e\n"],["\u003cp\u003eTo enable IAP, you'll need a Google Cloud project with billing enabled, a load balancer serving Compute Engine instances, a registered domain name, and code to verify user identity.\u003c/p\u003e\n"],["\u003cp\u003eIAP utilizes a Google-managed OAuth client for user authentication, primarily allowing access to users within the organization, but can be configured for external users.\u003c/p\u003e\n"],["\u003cp\u003eIAP can be enabled on a Compute Engine forwarding rule using load balancer authorization policies, or directly on a backend service using the console, gcloud CLI, or API.\u003c/p\u003e\n"],["\u003cp\u003eOnce enabled, access to IAP-protected resources is managed by assigning the "IAP-Secured Web App User" role to specific Google accounts, groups, service accounts, or Google Workspace domains.\u003c/p\u003e\n"]]],[],null,["# Enable IAP for Compute Engine\n\nThis page explains how to secure a Compute Engine instance with\n[Identity-Aware Proxy (IAP)](/iap/docs/concepts-overview).\n\nBefore you begin\n----------------\n\nTo enable IAP for Compute Engine, you need the\nfollowing:\n\n- A Google Cloud console project with billing enabled.\n- A group of one or more Compute Engine instances, served by a load balancer.\n - Learn about [Setting up an external HTTPS load balancer](/load-balancing/docs/https/setting-up-https).\n - Learn about [setting up an internal HTTP load balancer](/load-balancing/docs/l7-internal/setting-up-l7-internal).\n- A domain name registered to the address of your load balancer.\n- Application code to verify that all requests have an identity.\n - Learn about [Getting the user's identity](/iap/docs/identity-howto).\n\nIf you don't have your Compute Engine instance set up already, see\n[Setting up IAP for Compute Engine](/iap/docs/tutorial-gce)\nfor a complete walkthrough.\n\nIAP uses a Google-managed OAuth client to authenticate users.\nOnly users within the organization can access the IAP-enabled\napplication. If you want to allow access to users outside of your organization,\nsee [Enable IAP for external applications](/iap/docs/custom-oauth-configuration).\n| **Note:** The ability to authenticate users with a Google-managed OAuth client is available in [Preview](/products#product-launch-stages).\n\nYou can enable IAP on a Compute Engine\n[backend service](/load-balancing/docs/backend-service) or on a\nCompute Engine [forwarding rule](/load-balancing/docs/forwarding-rule-concepts).\nWhen you enable IAP on a Compute Engine backend service,\nonly that backend service is protected by IAP. When you enable\nIAP on a Compute Engine forwarding rule, all of the\nCompute Engine instances behind the forwarding rule are protected by\nIAP.\n\nEnable IAP on a forwarding rule\n-------------------------------\n\nYou can enable IAP on a forwarding rule by using the\nload balancer [authorization policies](/load-balancing/docs/auth-policy/auth-policy-overview)\nframework. \n\n### gcloud\n\n1. Run the following command to prepare a `policy.yaml` file.\n\n $ cat \u003c\u003c EOF \u003e policy.yaml\n action: CUSTOM\n description: authz policy with Cloud IAP\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eAUTHZ_POLICY_NAME\u003c/span\u003e\u003c/var\u003e\n customProvider:\n cloudIap: {}\n target:\n loadBalancingScheme: EXTERNAL_MANAGED\n resources:\n - https://www.googleapis.com/compute/v1/projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/regions/\u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e/forwardingRules/\u003cvar translate=\"no\"\u003eFORWARDING_RULE_ID\u003c/var\u003e\n EOF\n\n1. Run the following command to enable IAP on a forwarding rule.\n\n```\ngcloud beta network-security authz-policies import AUTHZ_POLICY_NAME \\\n--source=policy.yaml \\\n--location=LOCATION \\\n--project=PROJECT_ID\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The Google Cloud project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: The region that the resource is located in.\n- \u003cvar translate=\"no\"\u003eFORWARDING_RULE_ID\u003c/var\u003e: The ID of the forwarding rule resource.\n- \u003cvar translate=\"no\"\u003eAUTHZ_POLICY_NAME\u003c/var\u003e: The name of the authorization policy.\n\n### API\n\n1. Run the following command to prepare a `policy.json` file. \n\n ```\n cat \u003c\u003c EOF \u003e policy.json\n {\n \"name\": \"AUTHZ_POLICY_NAME\",\n \"target\": {\n \"loadBalancingScheme\": \"INTERNAL_MANAGED\",\n \"resources\": [\n \"https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID\"\n ],\n },\n \"action\": \"CUSTOM\",\n \"httpRules\": [],\n \"customProvider\": {\n \"cloudIap\": {}\n }\n }\n EOF\n ```\n2. Run the following command to enable IAP on a forwarding rule.\n\n ```\n curl -X PATCH \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -H \"Accept: application/json\" \\\n -H \"Content-Type: application/json\" \\\n -d @policy.json \\\n \"https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/authzPolicies\"\n ```\n\n \u003cbr /\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: The Google Cloud project ID.\n - \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: The region that the resource is located in.\n - \u003cvar translate=\"no\"\u003eFORWARDING_RULE_ID\u003c/var\u003e: The ID of the forwarding rule resource.\n - \u003cvar translate=\"no\"\u003eAUTHZ_POLICY_NAME\u003c/var\u003e: The name of the authorization policy.\n\nAfter you enable IAP on a forwarding rule, you can\n[apply permissions to resources](/iap/docs/auth-policies#apply_permissions_to_resources).\n\nEnable IAP on a Compute Engine backend service\n----------------------------------------------\n\nYou can enable IAP on a Compute Engine backend service\nthrough that backend service. \n\n### console\n\nThe Google-managed OAuth client is not available when enabling IAP using the Google Cloud console.\n\nIf you haven't configured your project's OAuth consent screen, you'll be\nprompted to do so. To configure your OAuth consent screen, see\n[Setting up your OAuth consent screen](https://support.google.com/cloud/answer/10311615).\n\nIf you are running GKE clusters version 1.24 or later, you can configure\nIAP and GKE by using the Kubernetes Gateway API. To do so, complete\nthe following steps and then follow the instructions in\n[Configure IAP](/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_iap).\nDo not configure `BackendConfig`.\n\n### Setting up IAP access\n\n1. Go to the [Identity-Aware Proxy page](https://console.cloud.google.com/security/iap). \n [Go to the Identity-Aware Proxy page](https://console.cloud.google.com/security/iap)\n2. Select the project you want to secure with IAP.\n3. Select the checkbox next to the resource you want to grant access to.\n\n If you don't see a resource, ensure that the resource is created and that\n the BackendConfig Compute Engine ingress controller is synced.\n\n To verify that the backend service is available, run the following\n gcloud command:\n `gcloud compute backend-services list`\n4. On the right side panel, click **Add principal**.\n5. In the **Add principals** dialog that appears, enter the email addresses of groups or individuals who should have the **IAP-secured Web App User** role for the project.\n\n The following kinds of principals can have this role:\n - **Google Account**: user@gmail.com\n - **Google Group**: admins@googlegroups.com\n - **Service account**: server@example.gserviceaccount.com\n - **Google Workspace domain**: example.com\n\n Make sure to add a Google Account that you have access to.\n6. Select **Cloud IAP \\\u003e IAP-secured Web App User** from the **Roles** drop-down list.\n7. Click **Save**.\n\n### Turning on IAP\n\n1. On the **Identity-Aware Proxy** page, under **APPLICATIONS** , find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource, toggle the on/off switch in the **IAP** column. \n To enable IAP:\n - At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about [setting up\n a load balancer](/iap/docs/load-balancer-howto).\n - You need the `compute.backendServices.update`, `clientauthconfig.clients.create`, and `clientauthconfig.clients.getWithSecret` permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see [Managing access to IAP-secured resources](/iap/docs/managing-access#turning_on_and_off).\n2. In the **Turn on IAP** window that appears, click **Turn On** to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the **IAP-Secured Web App User** role on the project will be given access.\n\n### gcloud\n\nBefore you set up your project and IAP, you need an up-to-date version of the\ngcloud CLI. For instructions on how to install the gcloud CLI,\nsee [Install the gcloud CLI](/sdk/downloads).\n\n1. To authenticate, use the Google Cloud CLI and run the following command. \n\n gcloud auth login\n\n2. To sign in, follow the URL that appears.\n3. After you sign in, copy the verification code that appears and paste it in the command line.\n4. Run the following command to specify the project that contains the resource that you want to protect with IAP. \n\n gcloud config set project \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n5. To enable IAP, run either the globally or regionally scoped command. \n\n Global scope \n\n gcloud compute backend-services update \u003cvar translate=\"no\"\u003eBACKEND_SERVICE_NAME\u003c/var\u003e --global --iap=enabled\n\n Regional scope \n\n gcloud compute backend-services update \u003cvar translate=\"no\"\u003eBACKEND_SERVICE_NAME\u003c/var\u003e --region \u003cvar translate=\"no\"\u003eREGION_NAME\u003c/var\u003e --iap=enabled\n\nAfter you enable IAP, you can use the gcloud CLI to modify\nthe IAP access policy using the IAM role\n`roles/iap.httpsResourceAccessor`. Learn more about\n[managing roles and permissions](/iam/docs/granting-changing-revoking-access).\n\n### API\n\n1. Run the following command to prepare a `settings.json` file.\n\n ```\n cat \u003c\u003c EOF \u003e settings.json\n {\n \"iap\":\n {\n \"enabled\":true\n }\n }\n EOF\n ```\n\n \u003cbr /\u003e\n\n2. Run the following command to enable IAP.\n\n ```\n curl -X PATCH \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -H \"Accept: application/json\" \\\n -H \"Content-Type: application/json\" \\\n -d @settings.json \\\n \"https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME\"\n ```\n\n \u003cbr /\u003e\n\nAfter you enable IAP, you can use the Google Cloud CLI to modify the\nIAP access policy using the IAM role\n`roles/iap.httpsResourceAccessor`. Learn more about\n[managing roles and permissions](/iam/docs/granting-changing-revoking-access)."]]
