Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Last Updated: Mar 27, 2024

Advanced Concepts of Identity-Aware Proxy

Leveraging ChatGPT - GenAI as a Microsoft Data Expert
Prerita Agarwal
Data Specialist @
23 Jul, 2024 @ 01:30 PM


In the previous article, we had gone through the details of Basic Concepts of  Identity-Aware Proxy and the details of using IAP for TCP forwarding, programmatic authentication, and setting up an external HTTPS load balancer.

This article will further look into the details of enabling IAP for GKE, managing shared resources, IAP for on-premises applications, and IAP client libraries.

Without further ado, let's get started.

GCP image

Enabling IAP for GKE

For GKE, IAP is incorporated using Ingress. Instead of using a VPN, this integration enables you to manage employee resource-level access.

An element of Cloud Load Balancing called HTTP(S) Load Balancing manages incoming traffic in a GKE cluster. The Kubernetes Ingress controller is often in charge of configuring the HTTP(S) load balancer. A Kubernetes Ingress object linked to one or more Service objects provides configuration data to the Ingress controller. Each Service object contains the routing data necessary to send an incoming request to a certain Pod and port.

Configuring the OAuth consent screen

You must configure the OAuth consent screen for your project if you haven't already. For the OAuth consent screen, a product name and email address are necessary.

  • Access the OAuth consent page.
  • Choose the email address you want to use as a public contact under the Support email. The email address must be linked to the account of the user who is currently signed in or to a Google Group to which the user is a member.
  • Enter the name of the application that you want to appear in.
  • Add any further information you'd like.
  • Press Save.
  • Repeat the previous configuration steps to modify information on the OAuth consent screen later, such as the product name or email address.

Creating OAuth credentials

The following steps create OAuth credentials:

  • Access the Credentials page.
  • Choose OAuth client ID from the Create credentials drop-down list.
  • Choose Web application under Application type.
  • Give your OAuth client ID a name.
  • Press Create. The OAuth client window generates and shows your client secret and client ID.
  • Select OK.
  • Choose the client you just made.
  • To the clipboard, copy the client ID.
  • The following format should be used to add the universal redirect URL to the authorised redirect URIs field:

Example Link:

Setting up IAP access

  • Visit Identity-Aware Proxy's page.
  • Choose the project you wish to use IAP to secure.
  • To allow access to a resource, check the box next to it.
  • Click Add principal in the right side panel.
  • Enter the email addresses of the groups or people who should have the IAP-secured Web App User role for the project in the Add principals dialogue that opens.
  • Principals from the following categories can play this role:
  • A Google Account that you have access to should be added.
  • From the Roles drop-down menu, choose Cloud IAP > IAP-secured Web App User.
  • Press Save.

Let's look at the details of Managing access to IAP-secured resources.

Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Managing access to IAP-secured resources

In a Google Cloud project, IAP enables you to set IAP policies for both individual resources and Cloud Run resources. A project may contain multiple apps, each with its own set of access controls. This contains projects with apps on Google Kubernetes Engine, App Engine, and Compute Engine. Different access controls may be applied to different versions and services of App Engine apps.

Add access

Follow the following steps to add access to IAP secured resources:

  • Navigate to Identity-Aware Proxy's page.
  • Choose the resource that you want to IAP-secure. A particular collection of resources is secured by the following resource choices:
    • All Web Services: The project's resources will be protected. Keep in mind that using the IAM admin page to grant project-level access is not the same thing. IAP policies are the only things an individual with the IAP Policy Admin position at the All Web Services resource level may access.
    • Backend Services: All services in the backend will be secure.
  • Include the email addresses of the individuals or groups to whom you wish to grant an Identity and Access Management role for the resource in the right-side Info panel.
  • Choose one of the following roles from the Select a role selection to apply access policy roles to the principal:
    • Owner: IAP Policy Admin-like access is granted by the owner. Instead, utilise the IAP Policy Admin role. This position does not enable access to the app; it just permits changing policies.
    • IAP Policy Admin: Gives access to IAP policies as an administrator.
    • IAP-Secured Web App User: Access to the app and other HTTPS resources that use IAP is granted by the IAP-Secured Web App User.
    • Security Reviewer:  Permission to see and examine IAP policies is granted by the security reviewer.
  • Click Add once you've completed adding email addresses and defining roles.

Remove access

Follow the following steps to remove access to IAP secured resources:

  • Navigate to Identity-Aware Proxy's page.
  • Choose the resource that has IAP security.
  • Choose the part that pertains to the role you want to remove from a principal in the right-side Info panel.
  • Click Remove next to each user or group name in the expanded area for which you wish to remove the role.
  • Click Remove in the Remove main dialogue box that opens.

Let's look into the details of Enabling IAP for on-premises apps.

Enabling IAP for on-premises apps

This section describes how to establish an IAP connector to secure an on-premises, HTTP, or HTTPS-based app that is not hosted by Google Cloud.

Deploy a connector for an on-premises app

Follow the following steps to deploy a connector for an on-premises app:

  • Access the IAP admin page.
  • By selecting On-prem connectors setup, you can start configuring your connector deployment for an on-premises app.
  • By selecting Enable APIs, make sure the necessary APIs are loaded.
  • Selecting the network and subnet for the deployment (or opt to build a new one), decide whether the required deployment should use a Google-managed certificate or one managed by you, and then click Next.
  • The information for the on-premises app you want to add is as follows:
    • A request's external URL that is sent to Google Cloud. Traffic enters the environment at this URL.
    • The app's name. It will also be the name of a brand-new backend service that sits in front of the load balancer.
  • The specifics of the on-premise endpoint type:
    • Names that are fully qualified (FQDN): the website to which the connection should send traffic.
    • IP address: One or more zones (such as us-central1-a) for the deployment of the IAP connector and, for each, the IPv4 address of the destination for the on-premises app to which IAP sends traffic following user authorization and authentication.
    • The on-premise endpoint's protocol.
    • The port number, such as 443 for HTTPS or 80 for HTTP, that the on-premises destination uses.
  • To save the information for that app, click Done. Then, if necessary, you can specify other on-premises apps for the deployment.
  • Click Submit when you're ready to start deploying the defined apps.

Your on-premise connector apps will be visible in the HTTP resources table once the deployment is finished, and IAP may then be activated.

Manage a connector for an on-premises app

Follow the following steps to manage a connector for an on-premises app:

  • By selecting On-prem connections setup, you can add more applications to your deployment at any time.
  • By erasing the deployment as a whole, you can remove the on-premises connector:
    • Visit the page for Deployment Manager.
    • Selecting the checkbox next to the "on-prem-app-deployment" deployment in the list of deployments.
    • Click Delete in the page's header.
  • By selecting the delete option in the On-prem connections setup, you can remove a specific app. At least one app must be present in the on-premises connector. Please delete the entire deployment if you want to remove all apps.

Lets look into the details of IAP client libraries.

IAP client libraries 

This section explains how to get started with the Cloud IAP API's Google API Client Libraries.

Installing the client library

The following command installs the client library.


composer require google/apiclient

Setting up authentication

You must first configure authentication before you can start the client library. As demonstrated in the next several stages, making a service account and setting an environment variable is one approach to achieve that.

  • Setting up the service account


gcloud iam service-accounts create NAME


  • Give the service account roles. For each of the following IAM roles, execute the following command once: roles/owner:


gcloud projects add-iam-policy-binding PROJECT_ID --member="" --role=ROLE


  • Creating the key file:


gcloud iam service-accounts keys create FILE_NAME.json

Set the environment variable GOOGLE APPLICATION CREDENTIALS to provide authentication credentials to your application code. This variable only functions during the current shell session. Set the variable in your shell starting file, such as the ~/.bashrc or ~/.profile file, if you want it to be applicable to subsequent shell sessions.



Let's go through the commands of Hosted sign-in page configuration interfaces.

Hosted sign-in page configuration interfaces 

In order to create a sign-in page for Identity-Aware Proxy using Cloud Run, the UiConfig, ExtendedTenantUiConfig, and SignInOption interfaces are available. This article discusses these interfaces.



interface UiConfig {
  apiKeyValue: {
    authDomain?: string;
    displayMode: string;
    selectTenantUiTitle?: string;
     selectTenantUiLogo?: string;
        styleUrl?: string;
    tenants: {
      tenantIdValue: ExtendedTenantUiConfig;
       tosUrl?: string,
        privacyPolicyUrl?: string,



interface ExtendedTenantUiConfig {
  fullLabel?: string;

  displayName: string;
  iconUrl: string;
    logoUrl?: string;
   buttonColor: string;

  signInOptions: (SignInOption | string)[];
  tosUrl?: string;
  // privacyPolicyUrl?: string;
  immediateFederatedRedirect?: boolean;
    signInFlow?: 'redirect' | 'popup';
    adminRestrictedOperation?: {
    status: boolean;
    adminEmail?: string;
      helpLink?: string;



interface SignInOption {
   provider: string;
   providerName?: string;
  fullLabel?: string;
  hd?: string;

  buttonColor?: string;
  iconUrl?: string;
  scopes?: string[];
    customParameters?: {[key: string]: any};
    loginHintKey?: string;

  requireDisplayName?: boolean;
  recaptchaParameters?: {
       type?: string;
    size?: string;
       badge?: string;
    defaultCountry?: string;
  whitelistedCountries?: string[];
  blacklistedCountries?: string[];
  disableSignUp?: {
        status: boolean;
    adminEmail?: string;
       helpLink?: string;

Frequently Asked Questions

Is IAP a reverse proxy?

IAP is a reverse proxy that is integrated with GCP and other Google products and is given first-class treatment.

What is IAP authentication?

IAP restricts access to users you approve in order to ensure authentication for requests made to virtual machines running on the GCP as well as other cloud-based and on-premises apps.

What is an OATH credential?

The OATH credential may be a HOTP (HMAC-based One-time Password) or a TOTP (Time-based One-time Password).


In this article, we have extensively discussed the details of Advanced Concepts of Identity-Aware Proxy, along with the details of enabling IAP for GKE, managing shared resources, IAP for on-premises applications and IAP client libraries.

We hope that this blog has helped you enhance your knowledge regarding Advanced Concepts of Identity-Aware Proxy, and if you would like to learn more, check out our articles on Google Cloud Certification. You can refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSADBMSCompetitive ProgrammingPythonJavaJavaScript, etc. To practice and improve yourself in the interview, you can also check out Top 100 SQL problemsInterview experienceCoding interview questions, and the Ultimate guide path for interviews. Do upvote our blog to help other ninjas grow. Happy Coding!!

Thank You Image
Topics covered
Enabling IAP for GKE
Configuring the OAuth consent screen
Creating OAuth credentials
Setting up IAP access
Managing access to IAP-secured resources
Add access
Remove access
Enabling IAP for on-premises apps
Deploy a connector for an on-premises app
Manage a connector for an on-premises app
IAP client libraries 
Installing the client library
Setting up authentication
Hosted sign-in page configuration interfaces 
Frequently Asked Questions
Is IAP a reverse proxy?
What is IAP authentication?
What is an OATH credential?