Controlling access to websites and apps
To secure your web resources in a simple-to-manage, scalable, and granular way,
Google Cloud offers context-aware access
via Identity-Aware Proxy (IAP). IAP is designed to
enforce the BeyondCorp security model,
which establishes a zero-trust perimeter on the public internet for secure,
remote work without the need for a traditional VPN.
You can allow secure access to your websites or web apps for users located
anywhere, on any device, by placing the resources behind IAP and defining
granular access restrictions. Access control is based on the user's identity and
the context of their request, and it is enforced without changing the site
itself. You can also centrally define and enforce access policies across
multiple apps and sites, including
IAM policies with conditional bindings.
IAP works with other Google Cloud offerings including App Engine standard environment, Compute Engine, and Google Kubernetes Engine.
Configuring your access levels
When users access a web resource that IAP protects, they must sign in with a Google identity (for example, a Gmail or Google Workspace account) or with an account from an LDAP directory that has been synchronized with Google's identity service. If the user is authorized, IAP forwards the request to the web server along with headers that carry the user's identity: the plain headers x-goog-authenticated-user-email and x-goog-authenticated-user-id, and a signed JSON Web Token in x-goog-iap-jwt-assertion. The application should verify the signed token rather than trust the plain headers, because anyone who can reach the backend without going through IAP (for example, by connecting to the instance directly instead of through the load balancer) can set those headers to any value.
Figure 1. Controlling user access to web resources behind IAP.
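The backend side of the exchange described above, as an added example that is not from the IAP documentation: a Python handler that establishes the caller's identity from the headers IAP forwards. The header names, the issuer string and the audience formats are IAP's; the project number, project ID, user accounts and the demo token are constructed, and the ES256 signature check is supplied by the caller (the parameter is named verify_signature here) because the standard library has no ECDSA implementation.

```python
# Added example (not Google's code): establishing the caller's identity behind IAP.
# IAP adds these headers to every request it forwards:
#   x-goog-authenticated-user-email: accounts.google.com:alice@bigcorpltd.com
#   x-goog-authenticated-user-id:    accounts.google.com:<numeric user id>
#   x-goog-iap-jwt-assertion:        <JWT signed by IAP with ES256>
# Only the JWT is tamper-evident; the plain headers are forgeable by anyone who
# reaches the backend without passing through IAP.
import base64
import json
import time
from typing import Callable, Mapping, Optional

IAP_ISSUER = "https://cloud.google.com/iap"
CLOCK_SKEW_SECONDS = 30

# verify_signature(jwt_header, signing_input, signature) -> bool must check the
# ES256 signature with the key named by jwt_header["kid"] from IAP's JWK set
# (https://www.gstatic.com/iap/verify/public_key-jwk). Supplied by the caller.
SignatureVerifier = Callable[[dict, bytes, bytes], bool]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(token: str):
    """Split a compact JWT into (header, claims, signing_input, signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signing_input, _b64url_decode(parts[2])


def validate_iap_claims(claims: dict, expected_audience: str, now: Optional[float] = None,
                        allowed_domain: Optional[str] = None) -> dict:
    """Check the claims in an IAP assertion; return the identity or raise ValueError.

    expected_audience is "/projects/PROJECT_NUMBER/apps/PROJECT_ID" for App Engine and
    "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID" for Compute Engine/GKE
    backends. Pinning it stops a token minted for another IAP-protected app being replayed here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different resource")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        raise ValueError("token issued in the future")
    # hd is the Google Workspace domain; it is absent for consumer (gmail.com) accounts.
    if allowed_domain is not None and claims.get("hd") != allowed_domain:
        raise ValueError("account is not in the allowed Workspace domain")
    email, sub = claims.get("email"), claims.get("sub")
    if not email or not sub:
        raise ValueError("assertion carries no identity")
    return {"email": email, "sub": sub}


def identity_from_iap_headers(headers: Mapping[str, str], expected_audience: str,
                              verify_signature: SignatureVerifier,
                              now: Optional[float] = None,
                              allowed_domain: Optional[str] = None) -> dict:
    """Return the verified caller identity or raise ValueError. Header keys are lower-case."""
    token = headers.get("x-goog-iap-jwt-assertion")
    if not token:
        raise ValueError("no IAP assertion: request did not come through IAP")
    header, claims, signing_input, signature = parse_jwt(token)
    if header.get("alg") != "ES256":  # refuse algorithm confusion ("none", HS256, ...)
        raise ValueError("unexpected JWT algorithm")
    if not verify_signature(header, signing_input, signature):
        raise ValueError("bad IAP signature")
    identity = validate_iap_claims(claims, expected_audience, now, allowed_domain)
    # The plain header must agree with the signed assertion; a mismatch means
    # something between IAP and the app rewrote headers.
    if headers.get("x-goog-authenticated-user-email", "") != "accounts.google.com:" + identity["email"]:
        raise ValueError("plain identity header disagrees with signed assertion")
    return identity


def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED demo token (the signature bytes are filler) for offline use."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "ES256", "typ": "JWT", "kid": "demo"}) + "." + enc(claims) + "." + enc({"sig": "filler"})


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    claims = {"iss": IAP_ISSUER, "aud": "/projects/123456/apps/bigcorp-intranet",
              "iat": now - 60, "exp": now + 540, "email": "alice@bigcorpltd.com",
              "sub": "accounts.google.com:1001", "hd": "bigcorpltd.com"}
    headers = {"x-goog-iap-jwt-assertion": make_demo_token(claims),
               "x-goog-authenticated-user-email": "accounts.google.com:alice@bigcorpltd.com"}
    # Stand-in verifier for the offline demo only; production must do real ES256 verification.
    print(identity_from_iap_headers(headers, claims["aud"], lambda *_: True, now, "bigcorpltd.com"))
```

In production, verify_signature must check the signature with the key from IAP's JWK set whose kid matches the token header (for example through google-auth's ID-token verification pointed at IAP's certificate URL); the lambda in the demo accepts everything and exists only so that the block runs offline. The expiry window matters too: IAP assertions are short-lived, so a backend that caches the decoded identity per session rather than re-validating per request loses the benefit of that short lifetime.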
In the Cloud console, you can configure IAP to block unauthorized users from
accessing a given resource. To do so for a resource on App Engine:

1. Open the Identity-Aware Proxy page (https://console.cloud.google.com/security/iap) in your active project.
2. Select the resource you want to modify.
3. Click Add Principal and add the email addresses of the groups or individuals to whom you want to grant the IAP-secured Web App User role for the project. The table below lists some common access scenarios and the principal to grant access to for each scenario.
4. Click Add to save your changes.
| Access level | Example web resource | Example principal |
| --- | --- | --- |
| Open, public access | Company public website. | allUsers |
| User-authenticated access | Site to submit support tickets. | allAuthenticatedUsers |
| Employee-restricted access | App running on the company intranet. | bigcorpltd.com, contractors@bigcorpltd.com |
| Highly-sensitive, device- and employee-restricted access | App with access to customer private information. | customer.support@bigcorpltd.com |

In the resulting IAM policy these principals carry a type prefix: user: for an individual account, group: for a group such as contractors@bigcorpltd.com, and domain: for a whole Google Workspace domain such as bigcorpltd.com. Note that allAuthenticatedUsers matches any Google account, including personal Gmail accounts, so it is a sign-in requirement and not an employee-only setting.

Note: The highly-sensitive access level also requires restriction information defined in Access Context Manager, such as device policy attributes or allowed IP subnetworks, and attached to the grant as a condition. Users also need to have work profiles on their mobile device or a Chrome extension set up on their browser.
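A worked model of the table, as an added example that is not Google's code: it applies the IAM member semantics behind each principal (allUsers, allAuthenticatedUsers, user:, group:, domain:) to constructed callers, and adds a conditional binding of the kind the last row's Note requires. It is a simplified model of the decision IAP makes, not its implementation; the group memberships, the IP range, the device attribute and the accounts are constructed.

```python
# Added example (not Google's code): a model of matching the principals in the
# table against a caller, plus a conditional binding for the highly-sensitive row.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

ROLE = "roles/iap.httpResourceAccessor"  # the "IAP-secured Web App User" role


@dataclass
class Caller:
    email: Optional[str]          # None = not signed in at all
    hd: Optional[str] = None      # Workspace domain; None for consumer accounts
    source_ip: str = "0.0.0.0"    # constructed request context
    device_encrypted: bool = False


@dataclass
class Binding:
    members: list
    role: str = ROLE
    # Evaluated on the request context, standing in for an IAM condition that
    # references an Access Context Manager access level.
    condition: Optional[Callable[[Caller], bool]] = None
    title: str = ""


# Constructed group membership (in production this comes from Cloud Identity).
GROUPS = {
    "contractors@bigcorpltd.com": {"cara@contractor.example"},
    "customer.support@bigcorpltd.com": {"alice@bigcorpltd.com"},
}


def member_matches(member: str, caller: Caller) -> bool:
    """Apply IAM member semantics to one principal."""
    if member == "allUsers":
        return True                      # even anonymous callers
    if caller.email is None:
        return False                     # every other member type needs a sign-in
    if member == "allAuthenticatedUsers":
        return True                      # any Google account, gmail.com included
    kind, _, value = member.partition(":")
    if kind == "user":
        return caller.email.lower() == value.lower()
    if kind == "domain":
        return caller.hd is not None and caller.hd.lower() == value.lower()
    if kind == "group":
        return caller.email.lower() in {m.lower() for m in GROUPS.get(value, ())}
    raise ValueError(f"unsupported member type: {member}")


def is_allowed(bindings: list, caller: Caller) -> bool:
    """True if some binding for the IAP role matches the caller and its condition holds."""
    for b in bindings:
        if b.role != ROLE:
            continue
        if b.condition is not None and not b.condition(caller):
            continue
        if any(member_matches(m, caller) for m in b.members):
            return True
    return False


# Access level for the highly-sensitive row: corporate IP range plus an encrypted
# device, the kind of attributes Access Context Manager can require.
CORP_NET = ipaddress.ip_network("203.0.113.0/24")  # RFC 5737 documentation range


def trusted_context(caller: Caller) -> bool:
    return ipaddress.ip_address(caller.source_ip) in CORP_NET and caller.device_encrypted


PUBLIC_SITE = [Binding(["allUsers"])]
TICKET_SITE = [Binding(["allAuthenticatedUsers"])]
INTRANET = [Binding(["domain:bigcorpltd.com", "group:contractors@bigcorpltd.com"])]
CUSTOMER_DATA = [Binding(["group:customer.support@bigcorpltd.com"],
                         condition=trusted_context, title="corp network and encrypted device")]

if __name__ == "__main__":
    alice = Caller("alice@bigcorpltd.com", hd="bigcorpltd.com",
                   source_ip="203.0.113.9", device_encrypted=True)
    bob = Caller("bob@gmail.com")
    print("bob -> tickets:", is_allowed(TICKET_SITE, bob), "intranet:", is_allowed(INTRANET, bob))
    print("alice on corp net -> customer data:", is_allowed(CUSTOMER_DATA, alice))
```

The point the model makes explicit is that the second row is weaker than it looks: a consumer Gmail account satisfies allAuthenticatedUsers, so only the domain:, group: and user: principals of the later rows restrict access to your own people, and only a condition on the binding brings the request context (network, device state) into the decision.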
Next steps

- Get started by familiarizing yourself with IAP concepts (/iap/docs/concepts-overview) and following the quickstarts (/iap/docs/quickstarts).
- Learn more by viewing these introductory videos:
  - BeyondCorp in a bottle (https://www.youtube.com/watch?v=TtmsV-xq0r0)
  - Centralize access to your organization's websites with Identity-Aware Proxy (https://youtu.be/xM9-FSU5MoY)
- Check out these tutorials for using IAP with App Engine standard environment (/iap/docs/authenticate-users-google-accounts), Compute Engine (/iap/docs/enabling-compute-howto), Google Kubernetes Engine (/iap/docs/enabling-kubernetes-howto), and on-premises apps (/iap/docs/enabling-on-prem-howto).

Last updated 2025-08-07 UTC.