# IAP implementation

## Overview

Identity-Aware Proxy (IAP) controls access to web applications and VMs, whether they run on Google Cloud Platform or on-premises. It is a Google Cloud service that intercepts requests sent to your application, authenticates the user making the request with the Google Identity Service, and only lets a request through if it comes from a user authorized to access the application. In addition, it adds headers to the forwarded request that identify the authenticated user (`X-Goog-Authenticated-User-Email`, `X-Goog-Authenticated-User-ID` and the signed `X-Goog-IAP-JWT-Assertion`).

Resources that IAP can protect:

- App Engine
- Cloud Run
- Compute Engine
- GKE
- On-premises applications
## System architecture design

### Logical view

```mermaid
flowchart LR
    user[User]
    lb[Load Balancer]
    iap[IAP]
    run[Cloud Run]
    user --> |Request| lb
    subgraph "Google Cloud Platform (GCP)"
        lb --> iap --> run
    end
```
### How IAP handles a request

```mermaid
flowchart LR
    user[User]
    iap[Cloud IAP]
    auth{Authenticate}
    author{Authorize}
    ingress["Ingress control\n------------------------\nCloud Run"]
    application[App]
    google_sign_in[Google Sign-In]
    role_and_perms["Roles and Permissions\n------------------------\nCloud IAM"]
    user --> |HTTPS Request to Load Balancer| iap
    iap --> auth
    auth --> author
    author --> ingress
    ingress --> application
    google_sign_in --> auth
    role_and_perms --> author
```
## Deployment workflow

Steps:

The following are the steps to enable Identity-Aware Proxy for a Cloud Run service behind an external HTTPS load balancer:

```mermaid
flowchart TB
    enable_api(Enable the Identity-Aware Proxy API)
    brand("Create the OAuth brand")
    client("Create the OAuth client")
    enable_iap_web("Enable IAP on the load balancer backend service")
    restrict_access(Restrict access with IAM)
    deny("Block direct access to the service's `*.run.app` URL")
    Start --> | Step 1 | enable_api
    enable_api --> | Step 2 | brand
    brand --> | Step 3 | client
    client --> | Step 4 | enable_iap_web
    enable_iap_web --> | Step 5 | restrict_access
    restrict_access --> | Step 6 | deny
```

Command lines to deploy:

Following the steps in the workflow above, here are sample command lines for each step.
Step 1: Enable the Identity-Aware Proxy API

Step 2: Create the OAuth brand

```bash
# A project has at most one brand; the support email must belong to the caller
# or to a Google Group the caller manages.
gcloud iap oauth-brands create \
    --project=$PROJECT_ID \
    --application_title="$APPLICATION_TITLE" \
    --support_email=$SUPPORT_EMAIL
```
Step 3: Create the OAuth client (skip this step if the brand's application type is External; clients for external brands cannot be created with gcloud)

```bash
# Create a client under the brand. The brand resource name uses the project
# number: projects/$PROJECT_ID/brands/$PROJECT_NUMBER
gcloud iap oauth-clients create \
    projects/$PROJECT_ID/brands/$PROJECT_NUMBER \
    --display_name=$DISPLAY_NAME

# Store the client name, ID and secret. The client ID is the last path element
# of the resource name; the secret is needed in step 4 and should not be logged.
declare CLIENT_NAME=$(gcloud iap oauth-clients list \
    projects/$PROJECT_ID/brands/$PROJECT_NUMBER --format='value(name)' \
    --filter="displayName:$DISPLAY_NAME")
declare CLIENT_ID=${CLIENT_NAME##*/}
declare CLIENT_SECRET=$(gcloud iap oauth-clients describe $CLIENT_NAME --format='value(secret)')
```
Step 4: Enable IAP on the load balancer backend service

```bash
# If the brand's application type is External: no client is passed
gcloud iap web enable --resource-type=backend-services \
    --service=$BACKEND_SERVICE_NAME

# If the brand's application type is Internal: pass the client created in step 3
gcloud iap web enable --resource-type=backend-services \
    --oauth2-client-id=$CLIENT_ID \
    --oauth2-client-secret=$CLIENT_SECRET \
    --service=$BACKEND_SERVICE_NAME
```
Step 5: Restrict access

Only principals holding `roles/iap.httpsResourceAccessor` on the backend service pass the authorization step; grant it to the narrowest principal that fits.

```bash
# Grant a single user access to the employee portal
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=$BACKEND_SERVICE_NAME \
    --member=user:tien.luong@innotech.vn \
    --role='roles/iap.httpsResourceAccessor'

# Grant a group access to the employee portal
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=$BACKEND_SERVICE_NAME \
    --member=group:data_tem@innotech.vn \
    --role='roles/iap.httpsResourceAccessor'

# Grant every account in the Workspace domain access to the employee portal (broadest option)
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=$BACKEND_SERVICE_NAME \
    --member=domain:innotech.vn \
    --role='roles/iap.httpsResourceAccessor'
```
Step 6: Block direct access to the service's `*.run.app` URL

IAP is enforced only on the load balancer's backend service. The Cloud Run service still has its own public `*.run.app` URL, and a request sent there never passes through IAP. Deploy (or update) the service with the `--ingress` flag set to `internal-and-cloud-load-balancing` so that only traffic arriving through the load balancer or from inside the VPC is accepted and direct requests are rejected. The application itself should also verify the signed `X-Goog-IAP-JWT-Assertion` header rather than trusting the plain `X-Goog-Authenticated-User-Email` header, since the latter can be forged by any client that reaches the service without going through IAP.
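The six steps above as one idempotent script. This is an added example, not the page's or the project's own script; the environment variable names (`BRAND_TYPE`, `IAP_MEMBERS`, `INGRESS`, `IMAGE`, `REGION`, `SERVICE_NAME`), the `--apply` guard and the final curl smoke check are this example's own assumptions. Nothing touches the project unless the script is run with `--apply`; the helper functions validate inputs before any gcloud call is made.

```bash
#!/usr/bin/env bash
# Added example: end-to-end IAP enablement for a Cloud Run service behind an
# external HTTPS load balancer (steps 1-6). Variable names are assumptions.
set -eu

die() { echo "error: $*" >&2; exit 1; }

# Fail before touching gcloud if any required variable is unset or empty.
require_env() {
  for v in "$@"; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || die "environment variable $v is not set"
  done
}

# The client ID is the last path element of the OAuth client resource name:
# projects/P/brands/B/identityAwareProxyClients/<id>  ->  <id>
client_id_from_name() { printf '%s\n' "${1##*/}"; }

# Internal brands pass an explicit OAuth client to `gcloud iap web enable`;
# External brands (step 3 skipped) pass no client flags at all.
iap_enable_extra_flags() {
  case "$1" in
    Internal)
      [ -n "$2" ] && [ -n "$3" ] || die "Internal brand needs a client id and secret"
      printf '%s %s\n' "--oauth2-client-id=$2" "--oauth2-client-secret=$3" ;;
    External) : ;;
    *) die "unknown brand type '$1' (expected Internal or External)" ;;
  esac
}

# Member strings accepted for roles/iap.httpsResourceAccessor bindings.
iap_member_valid() {
  case "$1" in
    user:*@*|group:*@*|serviceAccount:*@*|domain:*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 6 guard. "all" leaves the *.run.app URL open and lets a caller skip the
# load balancer (and IAP); "internal" would also cut off the external LB.
ingress_ok_for_external_lb() { [ "$1" = "internal-and-cloud-load-balancing" ]; }

main() {
  require_env PROJECT_ID PROJECT_NUMBER REGION SERVICE_NAME IMAGE \
    BACKEND_SERVICE_NAME APPLICATION_TITLE SUPPORT_EMAIL BRAND_TYPE IAP_MEMBERS
  INGRESS="${INGRESS:-internal-and-cloud-load-balancing}"
  ingress_ok_for_external_lb "$INGRESS" || die "INGRESS=$INGRESS is unsafe for this design"
  for m in $IAP_MEMBERS; do iap_member_valid "$m" || die "bad IAM member '$m'"; done

  gcloud config set project "$PROJECT_ID"
  # Step 1: the IAP API must be on before a brand can be created.
  gcloud services enable iap.googleapis.com
  # Step 2: a project has at most one brand, so reuse it if it already exists.
  brand=$(gcloud iap oauth-brands list --format='value(name)')
  if [ -z "$brand" ]; then
    gcloud iap oauth-brands create --application_title="$APPLICATION_TITLE" \
      --support_email="$SUPPORT_EMAIL"
    brand="projects/$PROJECT_NUMBER/brands/$PROJECT_NUMBER"
  fi
  # Step 3: Internal brands only; the secret stays in a variable, never in logs.
  client_id=""; client_secret=""
  if [ "$BRAND_TYPE" = Internal ]; then
    client_name=$(gcloud iap oauth-clients list "$brand" --format='value(name)' \
      --filter="displayName:$SERVICE_NAME")
    if [ -z "$client_name" ]; then
      gcloud iap oauth-clients create "$brand" --display_name="$SERVICE_NAME"
      client_name=$(gcloud iap oauth-clients list "$brand" --format='value(name)' \
        --filter="displayName:$SERVICE_NAME")
    fi
    client_id=$(client_id_from_name "$client_name")
    client_secret=$(gcloud iap oauth-clients describe "$client_name" --format='value(secret)')
  fi
  # Step 4: enable IAP on the backend service (extra flags are intentionally unquoted).
  extra=$(iap_enable_extra_flags "$BRAND_TYPE" "$client_id" "$client_secret")
  # shellcheck disable=SC2086
  gcloud iap web enable --resource-type=backend-services --service="$BACKEND_SERVICE_NAME" $extra
  # Step 5: grant access to each principal.
  for m in $IAP_MEMBERS; do
    gcloud iap web add-iam-policy-binding --resource-type=backend-services \
      --service="$BACKEND_SERVICE_NAME" --member="$m" --role=roles/iap.httpsResourceAccessor
  done
  # Step 6: lock ingress so the *.run.app URL no longer serves the app directly.
  gcloud run deploy "$SERVICE_NAME" --image="$IMAGE" --region="$REGION" --ingress="$INGRESS"
  # Smoke check: a direct, unauthenticated hit on the run.app URL must not return 200.
  run_url=$(gcloud run services describe "$SERVICE_NAME" --region="$REGION" --format='value(status.url)')
  code=$(curl -s -o /dev/null -w '%{http_code}' "$run_url")
  [ "$code" != "200" ] || die "$run_url still answers 200: IAP can be bypassed"
}

# Side-effect free unless explicitly applied, so the helpers can be sourced and tested.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `PROJECT_ID=... IAP_MEMBERS="group:data_tem@innotech.vn domain:innotech.vn" ./iap-deploy.sh --apply`. The smoke check only proves that the direct URL is closed; the application still has to validate the `X-Goog-IAP-JWT-Assertion` header on every request, because the ingress setting protects the transport path, not the identity claim.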