本文档介绍了何时以及如何为 Identity-Aware Proxy (IAP) 自定义 OAuth 配置。
IAP 使用 Google 管理的 OAuth 客户端对用户进行身份验证。
当用户通过浏览器访问启用了 IAP 的应用时,Google 管理的 OAuth 客户端会限制同一组织内的用户访问该应用。
何时使用自定义 OAuth 配置
您必须使用自定义 OAuth 配置才能执行以下操作:
- 允许组织外部的用户访问启用了 IAP 的应用。
- 在身份验证期间显示您自己的品牌信息。
- 如需启用对应用的程序化访问,
自定义 OAuth 配置时,您必须配置 OAuth 同意屏幕。这要求应用的品牌信息必须经过 Google 验证流程。如需详细了解验证流程,请参阅设置 OAuth 权限请求页面。
您负责为自定义 OAuth 客户端创建和管理凭据。这包括安全地存储客户端密钥,并在必要时与获授权的用户共享。
Google 管理的 OAuth 客户端与自定义 OAuth 客户端的比较
Google 管理的 OAuth 客户端无法以编程方式访问受 IAP 保护的应用。不过,您仍然可以使用通过 programmatic_clients 设置或服务账号 JWT 配置的单独 OAuth 客户端,以编程方式访问使用 Google 管理的 OAuth 客户端的 IAP 保护应用。
下表比较了 Google 管理的 OAuth 客户端与自定义 OAuth 客户端。
| Google 管理的 OAuth 客户端 | 自定义 OAuth 客户端 | |
|---|---|---|
| 用户 | 仅限内部使用 | 内部和外部 |
| 品牌 | Google Cloud brand | 客户自有品牌 |
| OAuth 配置 | 已配置 Google | 客户配置 |
| OAuth 凭据 | 由 Google 管理 | 由客户管理 |
| 应用访问权限 | 仅限浏览器流程 | 浏览器流程和以编程方式访问 |
使用自定义 OAuth 客户端配置启用 IAP
以下部分介绍了如何为不同资源使用自定义 OAuth 客户端配置启用 IAP。
App Engine
控制台
If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.
Setting up IAP access
-
Go to the
Identity-Aware Proxy page.
Go to the Identity-Aware Proxy page - Select the project you want to secure with IAP.
- Select the checkbox next to the resource you want to grant access to.
- On the right side panel, click Add principal.
-
In the Add principals dialog that appears, enter the email addresses of groups or
individuals who should have the IAP-secured Web App User role for the project.
The following kinds of principals can have this role:
- Google Account: user@gmail.com
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
Make sure to add a Google Account that you have access to.
- Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
- Click Save.
Turning on IAP
-
On the Identity-Aware Proxy page, under APPLICATIONS,
find the application you want to restrict
access to. To turn on IAP for a resource,
- In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
gcloud
Before you set up your project and IAP, you need an up-to-date version of gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
-
To authenticate, use the Google Cloud CLI and run the following command.
gcloud auth login - To sign in, follow the URL that appears.
- After you sign in, copy the verification code that appears and paste it in the command line.
-
Run the following command to specify the project that contains the resource that you want to protect with IAP.
gcloud config set project PROJECT_ID - Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
- Save the OAuth client ID and secret.
-
To enable IAP, run the following command.
gcloud iap web enable \ --oauth2-client-id=CLIENT_ID \ --oauth2-client-secret=CLIENT_SECRET \ --resource-type=app-engine
After you enable IAP, you can use the gcloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
API
Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
Save the OAuth client ID and secret.
Run the following command to prepare a
settings.jsonfile.cat << EOF > settings.json { "iap": { "enabled": true, "oauth2ClientId": "CLIENT_ID", "oauth2ClientSecret":" CLIENT_SECRET" } } EOFRun the following command to enable IAP.
curl -X PATCH \ -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d @settings.json \ "https://appengine.googleapis.com/v1/apps/PROJECT_ID?updateMask=iap"
After you enable IAP, you can use the Google Cloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
Compute Engine
控制台
如果您尚未配置项目的 OAuth 同意屏幕,系统将提示您执行此操作。如需配置 OAuth 同意屏幕,请参阅设置 OAuth 同意屏幕。
如果您运行的是 GKE 1.24 版或更高版本的集群,则可以使用 Kubernetes Gateway API 配置 IAP 和 GKE。为此,请完成以下步骤,然后按照配置 IAP 中的说明操作。
请勿配置 BackendConfig。
设置 IAP 访问权限
-
转到 Identity-Aware Proxy 页面。
转到 Identity-Aware Proxy 页面 - 选择要使用 IAP 保护的项目。
-
选中您要授予访问权限的资源旁边的复选框。
如果您未看到资源,请确保已创建该资源,并且 BackendConfig Compute Engine 入口控制器已同步。
如需验证后端服务是否可用,请运行以下 gcloud 命令:
gcloud compute backend-services list - 在右侧面板上,点击添加主账号。
-
在显示的添加主账号对话框中,输入群组或个人(应拥有项目的 IAP-secured Web App User 角色)的电子邮件地址。
以下种类的主账号可以具有此角色:
- Google 账号:user@gmail.com
- Google 网站论坛:admins@googlegroups.com
- 服务账号:server@example.gserviceaccount.com
- Google Workspace 网域:example.com
请务必添加您有权访问的 Google 账号。
- 从角色下拉列表中选择 Cloud IAP > 受 IAP 保护的网页应用用户。
- 点击保存。
启用 IAP
-
在 Identity-Aware Proxy 页面的应用下方,找到用于处理要限制访问的 instance group 的负载均衡器。如需为某资源开启 IAP,请
如需启用 IAP,需要满足以下条件:- 负载平衡器前端配置中至少一个协议必须是 HTTPS。了解设置负载平衡器。
-
您需要
compute.backendServices.update、clientauthconfig.clients.create、clientauthconfig.clients.update和clientauthconfig.clients.getWithSecret权限。这些权限由 Project Editor 等角色授予。如需了解详情,请参阅管理对受 IAP 保护的资源的访问权限。
- 在出现的开启 IAP 窗口中,点击开启以确认您想用 IAP 保护资源。开启 IAP 后,它需要向对负载平衡器的所有连接请求索要登录凭据。只有具有项目的 IAP-Secured Web App User 角色的账号才能获得访问权限。
gcloud
Before you set up your project and IAP, you need an up-to-date version of the gcloud CLI. For instructions on how to install the gcloud CLI, see Install the gcloud CLI.
-
To authenticate, use the Google Cloud CLI and run the following command.
gcloud auth login - To sign in, follow the URL that appears.
- After you sign in, copy the verification code that appears and paste it in the command line.
-
Run the following command to specify the project that contains the resource that you want to protect with IAP.
gcloud config set project PROJECT_ID
- Follow the instructions in Creating OAuth clients for IAP. to configure the OAuth consent screen and create the OAuth client.
- Save the OAuth client ID and secret.
-
To enable IAP, run either the globally or regionally scoped command.
Global scopegcloud compute backend-services update BACKEND_SERVICE_NAME \ --global \ --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRETgcloud compute backend-services update BACKEND_SERVICE_NAME \ --region REGION_NAME \ --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET
After you enable IAP, you can use the gcloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
API
按照为 IAP 创建 OAuth 客户端中的说明配置 OAuth 权限请求页面和创建 OAuth 客户端。
保存 OAuth 客户端 ID 和 Secret。
运行以下命令以准备
settings.json文件。cat << EOF > settings.json { "iap": { "enabled": true, "oauth2ClientId": "CLIENT_ID", "oauth2ClientSecret": "CLIENT_SECRET" } } EOF运行以下命令以启用 IAP。
curl -X PATCH \ -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -d @settings.json \ "https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"
启用 IAP 后,您可以使用 gcloud CLI 通过 IAM 角色 roles/iap.httpsResourceAccessor 修改 IAP 访问权限政策。详细了解如何管理角色和权限。
Cloud Run
控制台
If you haven't configured your project's OAuth consent screen, you're prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen
Setting up IAP access
- Open the Identity-Aware Proxy page.
Go to Identity-Aware Proxy - Select the project you want to secure with IAP.
- Under Applications, select the checkbox next to the load balancer backend service to which you want to add members.
- On the right side panel, click Add member.
In the Add members dialog, enter the accounts of groups or individuals who should have the IAP-secured Web App User role for the project. The following kinds of accounts can be members:
- Google Account: user@gmail.com - This can also be a Google Workspace account, such as user@google.com or some other Google Workspace domain.
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
Select Cloud IAP > IAP-secured Web App User from the Roles list.
Click Save.
Turning on IAP
- On the IAP page, under Applications, find the load balancer backend service to which you want to restrict access. Click the IAP toggle to enable IAP on a resource.
- In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.
To authorize IAP to send traffic to the backend Cloud Run service, follow the instructions at Add principals to a service to add the following principle and role.
- Principal:
service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com - Role: Cloud Run Invoker
- Principal:
gcloud
- Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
- Save the OAuth client ID and secret.
- If you have not previously done so, create a service account by running the following command. If you previously created a service account, running the command does not create duplicate service accounts.
gcloud beta services identity create \ --service=iap.googleapis.com --project=PROJECT_ID - Grant the invoker permission to the service account, created in the previous step, by running the following command.
gcloud run services add-iam-policy-binding SERVICE-NAME \ --member='serviceAccount:service-PROJECT-NUMBER@gcp-sa-iap.iam.gserviceaccount.com' \ --role='roles/run.invoker' Enable IAP by running either the globally or regionally scoped command, depending on whether your load balancer backend service is global or regional. Use the OAuth client ID and secret from the previous step.
Global scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \ --global \ --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRETRegional scope
gcloud compute backend-services update BACKEND_SERVICE_NAME \ --region REGION_NAME \ --iap=enabled,oauth2-client-id=CLIENT_ID,oauth2-client-secret=CLIENT_SECRET- BACKEND_SERVICE_NAME: the name of the backend service.
- CLIENT_ID: the OAuth client ID, from the previous step.
- CLIENT_SECRET: the OAuth client secret, from the previous step.
- REGION_NAME: the region in which you want to enable IAP.
After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy using the Identity and Access Management role roles/iap.httpsResourceAccessor. See Managing roles and permissions for more information.
Google Kubernetes Engine
控制台
如果您尚未配置项目的 OAuth 同意屏幕,系统将提示您执行此操作。如需配置 OAuth 同意屏幕,请参阅设置 OAuth 同意屏幕。
如果您运行的是 GKE 1.24 版或更高版本的集群,则可以使用 Kubernetes Gateway API 配置 IAP 和 GKE。为此,请完成以下步骤,然后按照配置 IAP 中的说明操作。
请勿配置 BackendConfig。
设置 IAP 访问权限
-
转到 Identity-Aware Proxy 页面。
转到 Identity-Aware Proxy 页面 - 选择要使用 IAP 保护的项目。
-
选中您要授予访问权限的资源旁边的复选框。
如果您未看到资源,请确保已创建该资源,并且 BackendConfig Compute Engine 入口控制器已同步。
如需验证后端服务是否可用,请运行以下 gcloud 命令:
gcloud compute backend-services list - 在右侧面板上,点击添加主账号。
-
在显示的添加主账号对话框中,输入群组或个人(应拥有项目的 IAP-secured Web App User 角色)的电子邮件地址。
以下种类的主账号可以具有此角色:
- Google 账号:user@gmail.com
- Google 网站论坛:admins@googlegroups.com
- 服务账号:server@example.gserviceaccount.com
- Google Workspace 网域:example.com
请务必添加您有权访问的 Google 账号。
- 从角色下拉列表中选择 Cloud IAP > 受 IAP 保护的网页应用用户。
- 点击保存。
启用 IAP
-
在 Identity-Aware Proxy 页面的应用下方,找到用于处理要限制访问的 instance group 的负载均衡器。如需为某资源开启 IAP,请
如需启用 IAP,需要满足以下条件:- 负载平衡器前端配置中至少一个协议必须是 HTTPS。了解设置负载平衡器。
-
您需要
compute.backendServices.update、clientauthconfig.clients.create、clientauthconfig.clients.update和clientauthconfig.clients.getWithSecret权限。这些权限由 Project Editor 等角色授予。如需了解详情,请参阅管理对受 IAP 保护的资源的访问权限。
- 在出现的开启 IAP 窗口中,点击开启以确认您想用 IAP 保护资源。开启 IAP 后,它需要向对负载平衡器的所有连接请求索要登录凭据。只有具有项目的 IAP-Secured Web App User 角色的账号才能获得访问权限。
GKE
Configure the BackendConfig
If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. See Configure IAP for instructions.
Follow the instructions in Creating OAuth clients for IAP to configure the OAuth consent screen and create the OAuth client.
Create a Kubernetes Secret to wrap the OAuth client.
kubectl create secret generic MY_SECRET --from-literal=client_id=CLIENT_ID \ --from-literal=client_secret=CLIENT_SECRET
MY_SECRET: The name of the secret to createCLIENT_ID: The OAuth client IDCLIENT_SECRET: The OAuth client secret
You should receive confirmation, like the following output, that the Secret was successfully created:
secret "MY_SECRET" created
Add the OAuth credentials to the BackendConfig.
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: CONFIG_DEFAULT namespace: my-namespace spec: iap: enabled: true oauthclientCredentials: secretName: MY_SECRETEnable IAP by associating Service ports with your BackendConfig. See Associating BackendConfig with your Ingress. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:
metadata: annotations: beta.cloud.google.com/backend-config: '{"default": "CONFIG_DEFAULT"}}'
After you enable IAP, you can use the gcloud CLI to modify the
IAP access policy using the IAM role
roles/iap.httpsResourceAccessor. Learn more about
managing roles and permissions.
Troubleshooting
If the secretName you referenced doesn't exist or isn't structured
properly, one of the following error messages will display:
BackendConfig default/config-default is not valid: error retrieving secret "foo": secrets "foo" not found.To resolve this error, make sure that you've created the Kubernetes Secret correctly as described in step 2.BackendConfig default/config-default is not valid: secret "foo" missing client_secret data.To resolve this error, make sure that you've created the OAuth credentials correctly. Also, make sure that you referenced the correctclient_idandclient_secretkeys.