Configuring Identity-Aware Proxy with Google IAP

When to Use

• When protecting Google Cloud applications (App Engine, Cloud Run, GKE, Compute Engine) with identity-based access
• When implementing context-aware access requiring device posture and location verification
• When providing secure access to internal tools without VPN or public IP exposure
• When needing per-request authentication and authorization for web applications and TCP services
• When configuring programmatic access to IAP-protected resources using service accounts

Do not use for non-HTTP applications that cannot be placed behind an HTTPS load balancer, for public-facing applications that need unauthenticated access, or when applications handle their own authentication and IAP would conflict with existing auth flows.

Prerequisites

• Google Cloud project with billing enabled
• IAP API enabled (gcloud services enable iap.googleapis.com)
• Application deployed behind HTTPS Load Balancer, App Engine, or Cloud Run
• Cloud Identity or Google Workspace for user management
• Access Context Manager API enabled for access levels