為 Compute Engine 啟用 IAP

本頁面說明如何使用 Identity-Aware Proxy (IAP) 保護 Compute Engine 執行個體。

事前準備

如要為 Compute Engine 啟用 IAP,請先準備好下列項目:

如果您尚未設定 Compute Engine 執行個體,請參閱「為 Compute Engine 設定 IAP」一文,取得完整逐步操作說明。

IAP 會使用 Google 代管的 OAuth 用戶端來驗證使用者。只有機構內的使用者可以存取啟用 IAP 的應用程式。如要允許機構外使用者存取,請參閱「為外部應用程式啟用應用程式內購功能」。

您可以在 Compute Engine 後端服務或 Compute Engine 轉送規則上啟用 IAP。在 Compute Engine 後端服務上啟用 IAP 時,只有該後端服務受到 IAP 保護。在 Compute Engine 轉送規則上啟用 IAP 後,轉送規則後方的所有 Compute Engine 執行個體都會受到 IAP 保護。

在轉送規則中啟用 IAP

您可以使用負載平衡器的授權政策架構,在轉送規則中啟用 IAP。

gcloud

  1. Run the following command to prepare a policy.yaml file. The policy allows clients with an IP address range of 10.0.0.0/24 to enable IAP on a forwarding rule.
$ cat << EOF > policy.yaml
action: CUSTOM
description: authz policy with Cloud IAP
name: AUTHZ_POLICY_NAME
httpRules:
  - from:
      sources:
      - ipBlocks:
        - prefix: "10.0.0.0"
          length: 24
customProvider:
  cloudIap: {}
target:
  loadBalancingScheme: EXTERNAL_MANAGED
  resources:
  - https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID
EOF
  1. Run the following command to enable IAP on a forwarding rule.
gcloud network-security authz-policies import AUTHZ_POLICY_NAME \
--source=policy.yaml \
--location=LOCATION \
--project=PROJECT_ID

Replace the following:

  • PROJECT_ID: The Google Cloud project ID.
  • LOCATION: The region that the resource is located in.
  • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
  • AUTHZ_POLICY_NAME: The name of the authorization policy.

API

  1. Run the following command to prepare a policy.json file. 
    cat << EOF > policy.json
{
"name": "AUTHZ_POLICY_NAME",
"target": {
  "loadBalancingScheme": "INTERNAL_MANAGED",
  "resources": [
    "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/regions/LOCATION/forwardingRules/FORWARDING_RULE_ID"
  ],
},
"action": "CUSTOM",
"httpRules": [
  {
    "from": {
      "sources": {
        "ipBlocks": [
          {
            "prefix": "10.0.0.0",
            "length": 24
          }
        ]
      }
    }
  }
],
"customProvider": {
  "cloudIap": {}
}
}
EOF

  2. Run the following command to enable IAP on a forwarding rule. 

    curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @policy.json \
"https://networksecurity.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/authzPolicies"

    Replace the following:

    • PROJECT_ID: The Google Cloud project ID.
    • LOCATION: The region that the resource is located in.
    • FORWARDING_RULE_ID: The ID of the forwarding rule resource.
    • AUTHZ_POLICY_NAME: The name of the authorization policy.

在轉送規則中啟用 IAP 後,您就可以將權限套用至資源

在 Compute Engine 後端服務上啟用 IAP

您可以透過該後端服務,在 Compute Engine 後端服務上啟用 IAP。

主控台

使用 Google Cloud 主控台啟用 IAP 時,Google 代管的 OAuth 用戶端就無法使用。

If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.

If you are running GKE clusters version 1.24 or later, you can configure IAP and GKE by using the Kubernetes Gateway API. To do so, complete the following steps and then follow the instructions in Configure IAP. Do not configure BackendConfig.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.

  3. Select the checkbox next to the resource you want to grant access to.

    If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.

    To verify that the backend service is available, run the following gcloud command:

    gcloud compute backend-services list
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Turning on IAP

  1. On the Identity-Aware Proxy page, under APPLICATIONS, find the load balancer that serves the instance group you want to restrict access to. To turn on IAP for a resource,
    To enable IAP:
    • At least one protocol in the load balancer frontend configuration must be HTTPS. Learn about setting up a load balancer.
    • You need the compute.backendServices.update, clientauthconfig.clients.create, clientauthconfig.clients.update, and clientauthconfig.clients.getWithSecret permissions. These permissions are granted by roles, such as the Project Editor role. To learn more, see Managing access to IAP-secured resources.
  2. In the Turn on IAP window that appears, click Turn On to confirm that you want IAP to secure your resource. After you turn on IAP, it requires login credentials for all connections to your load balancer. Only accounts with the IAP-Secured Web App User role on the project will be given access.

gcloud

您需要最新版的 gcloud CLI,才能設定專案和 IAP。如需安裝 gcloud CLI 的操作說明,請參閱「安裝 gcloud CLI」。

  1. 如要驗證,請使用 Google Cloud CLI 執行下列指令。 
    gcloud auth login
  2. 如要登入,請前往顯示的網址。
  3. 登入之後,複製顯示的驗證碼並貼到指令列中。
  4. 執行下列指令,指定包含您要使用 IAP 保護的資源的專案。
    gcloud config set project PROJECT_ID
  5. 如要啟用 IAP,請執行全域或區域範圍的指令。

    全域範圍 
    gcloud compute backend-services update BACKEND_SERVICE_NAME --global --iap=enabled
     區域範圍 
    gcloud compute backend-services update BACKEND_SERVICE_NAME --region REGION_NAME --iap=enabled

啟用 IAP 後,您可以使用 gcloud CLI 以 IAM 角色 roles/iap.httpsResourceAccessor 修改 IAP 存取權政策。進一步瞭解如何管理角色和權限

API

  1. Run the following command to prepare a settings.json file. 

    cat << EOF > settings.json
{
"iap":
  {
    "enabled":true
  }
}
EOF

  2. Run the following command to enable IAP. 

    curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d @settings.json \
"https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/REGION/backendServices/BACKEND_SERVICE_NAME"

After you enable IAP, you can use the Google Cloud CLI to modify the IAP access policy using the IAM role roles/iap.httpsResourceAccessor. Learn more about managing roles and permissions.