Cloud Identity-Aware Proxy (Cloud IAP) lets Google Cloud Platform (GCP) customers manage access to apps running in the App Engine standard environment, the App Engine flexible environment, Compute Engine, and Google Kubernetes Engine.
Cloud IAP can also target apps hosted on-premises or on other cloud providers with a Cloud IAP connector. This configurable Cloud Deployment Manager template creates the resources needed to host and deploy the Cloud IAP connector into a Cloud IAP-enabled GCP project, forwarding authenticated and authorized requests to your app.
Within a GCP project, a Cloud IAP connector deploys an Ambassador proxy on a Google Kubernetes Engine (GKE) cluster. This proxy routes traffic secured by Cloud IAP to your app, indirectly applying Cloud Identity and Access Management (Cloud IAM) access policies.
The following is a summary of the steps required to enable Cloud IAP for your on-premises app. For detailed instructions, see Enabling Cloud IAP for on-premises apps.
- Enable the following APIs:
- Grant the Kubernetes Engine Admin role to the default service account, `[PROJECT_NUMBER]@cloudservices.gserviceaccount.com` (the Google APIs service account that Deployment Manager acts as), from the Cloud IAM page.
- Upload the SSL certificate(s) for your domain to Compute Engine:

  ```
  gcloud compute ssl-certificates create [CERTIFICATE_NAME] --private-key=[PRIVATE_KEY_FILE].pem --certificate=[CERTIFICATE_FILE].pem
  ```

- Set routing rules and override the default parameters in the `iap-connector.yaml` file to fit your deployment. See the Cloud IAP for on-premises apps overview for information about routing rules.
- Deploy the Cloud IAP connector:

  ```
  gcloud deployment-manager deployments create [DEPLOYMENT_NAME] --config=iap-connector.yaml
  ```

- Associate your source domain with the public IPv4 address of the load balancer by updating the DNS resource records at your DNS provider.
- Turn on Cloud IAP for your app and choose which members have access from the Identity-Aware Proxy page.
- Confirm that requests reaching your app were forwarded by the Cloud IAP connector by inspecting the request headers. Cloud IAP attaches a signed JWT in the `x-goog-iap-jwt-assertion` header; have your app verify that assertion's signature, issuer and audience rather than trusting the plain identity headers, because a request that reaches the app without passing through Cloud IAP carries no such guarantee.
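The last step asks you to check the request headers; the check that actually protects the app is verifying the `x-goog-iap-jwt-assertion` header before acting on the identity it carries. The following is an added example, not code from the Cloud IAP connector template or from Google's own libraries: a stand-alone Go verifier for an ES256-signed IAP assertion that pins the algorithm, looks the key up by `kid`, checks issuer, audience and expiry, and only then returns the identity claims, together with a test-only minting routine so it runs offline against a locally generated key. The audience string, the key id `test-kid` and the user identities are made-up values; in production the public keys come from Google's published IAP key set (https://www.gstatic.com/iap/verify/public_key), and the audience is the value the Cloud IAP page shows for your backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const iapIssuer = "https://cloud.google.com/iap" // issuer Cloud IAP puts in every assertion

// IAPClaims is the subset of the assertion payload a backend acts on.
type IAPClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one JWT segment and unmarshals its JSON into v.
func decodePart(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyIAPAssertion validates an ES256 IAP assertion against a key set (in production:
// Google's published IAP keys, cached and indexed by kid) and this backend's audience.
func VerifyIAPAssertion(token, wantAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*IAPClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed assertion")
	}
	var hdr struct{ Alg string `json:"alg"`; Kid string `json:"kid"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm (no alg=none, no HS256 key confusion) and require a known key.
	pub := keys[hdr.Kid]
	if hdr.Alg != "ES256" || pub == nil {
		return nil, fmt.Errorf("alg %q / kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	// JWS ES256 signatures are raw r||s (32 bytes each), not ASN.1 DER.
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("signature: bad encoding or length")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify")
	}
	// Claims are read only after the signature holds.
	var c IAPClaims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if c.Iss != iapIssuer || c.Aud != wantAud {
		return nil, fmt.Errorf("issuer %q / audience %q not accepted by this backend", c.Iss, c.Aud)
	}
	if t := now.Unix(); c.Exp <= t || c.Iat > t+60 || c.Email == "" { // 60 s clock skew on iat
		return nil, fmt.Errorf("assertion expired, not yet valid, or without identity")
	}
	return &c, nil
}

// MintAssertion signs an IAP-shaped assertion with a local test key so the verifier
// can be exercised offline. Real assertions are minted only by Google.
func MintAssertion(priv *ecdsa.PrivateKey, kid string, c IAPClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signing + "." + b64url(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{"test-kid": &priv.PublicKey} // assumed kid
	aud, now := "/projects/123456789/global/backendServices/987654321", time.Now() // assumed audience
	tok, _ := MintAssertion(priv, "test-kid", IAPClaims{Iss: iapIssuer, Aud: aud, Email: "alice@example.com", Iat: now.Unix(), Exp: now.Unix() + 600})
	c, err := VerifyIAPAssertion(tok, aud, keys, now)
	fmt.Println("this backend:", c, err)
	_, err = VerifyIAPAssertion(tok, aud+"-other", keys, now) // same token replayed at another backend
	fmt.Println("other backend:", err)
}
```

The verifier never lets the token pick its own algorithm or key, treats the signature as raw `r||s` rather than DER, and rejects an assertion minted for a different backend; the audience check is what stops a token captured at one IAP-protected app from being replayed at another.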