Step 3: Configure access
This section provides guidance on different ways to grant access to your MDE deployment, depending on your needs.
SSH tunneling over IAP
To connect to the private IPs of the MDE services, you can use an SSH tunnel to a proxy VM. This approach lets you use local tools like Postman for interacting with the MDE APIs.
The standard MDE deployment
creates a proxy VM called mde-proxy. This machine can proxy
incoming requests to the MDE API gateway or
MDE web interface. This VM
only has a private IP, but IAP lets you to create a secure SSH
tunnel to this machine using
Identity-Aware Proxy (IAP) for TCP forwarding.
The rest of this section explains how to configure IAP for
tunneling traffic to the mde-proxy, and how to create a tunnel to it from your
workstation:
In the Google Cloud console, go to the IAP and click Enable API. This operation may take several minutes to complete.
In the Google Cloud console, go to the IAP and click SSH AND TCP RESOURCES.
Grant permission to users who are authorized to use IAP to connect to
mde-proxyover IAP:Before users can use IAP to connect to
mde-proxy, grant them theroles/iap.tunnelResourceAccessorrole with the following instructions:Select mde-proxy from the list.
Click Add Principal in the right side panel.
Type the email of the principal you want to grant access.
Select the
IAP-secured Tunnel Userrole.
Create a tunnel to the MDE API using the following command:
export MDE_PROXY_ZONE=$(gcloud compute instances list --filter="mde-proxy" \ --format="value(zone)") gcloud compute ssh mde-proxy \ --zone "$MDE_PROXY_ZONE" --tunnel-through-iap \ -- -N -L 8080:api.mde.cloud.google.com:80After running the command, the MDE APIs are accessible under
http://localhost:8080.Create a tunnel to the MDE web interface.
If you created a tunnel to the MDE API in Step 3, you can open a new terminal to execute the commands later. The SSH tunnels to the MDE API and MDE web interface can run in parallel.
export MDE_PROXY_ZONE=$(gcloud compute instances list --filter="mde-proxy" \ --format="value(zone)") gcloud compute ssh mde-proxy \ --zone "$MDE_PROXY_ZONE" --tunnel-through-iap \ -- -N -L 8081:ui.mde.cloud.google.com:80After running the command, the MDE web interface is accessible under
http://localhost:8081.
Configure Identity-Aware Proxy
Identity-Aware Proxy (IAP) lets you securely connect to the internal IPs of the MDE API and web interface, as well as to restrict external access the MDE web interface to only authorized users if you deployed it with the External Load Balancer option.
To use IAP, you must first enable the IAP service API (if you haven't done it already) and configure the OAuth screen:
In the Google Cloud console, go to the IAP and click Enable API. This operation may take several minutes to complete.
Configure the OAuth consent screen for IAP:
In the Google Cloud console, go to the Google Auth Platform page and select the MDE deployment project if prompted.
- On the Overview page, click Create OAuth client.
- Select Web application as application type.
- Enter the Application name you want to display, for example
MDE. - Click Create and OK in the pop up window.
- On the Branding page, make sure you see the App name, User support email and Developer contact information.
To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.
Configure access to the web interface External HTTP Load Balancer
In this section, you will configure access to the MDE web interface External HTTP Load Balancer using IAP.
If you enabled the External HTTP Load balancer for the MDE web interface, you must use IAP to restrict access to the application to only authorized users.
Before you begin
Make sure you complete the following prerequisites:
- You deployed MDE with the MDE web interface.
- You deployed the MDE web interface with an External HTTP Load Balancer.
- You completed the general IAP configuration steps.
Steps
In the Google Cloud console, go to the IAP page.
Locate the resource corresponding to the external UI service (look for
mde-ui-ext-service).In the IAP column for that resource, toggle the switch to Enabled.
In the confirmation dialog, click Turn On.
Select the checkbox next to the resource name.
In the right side panel, click Add Principal.
Type the email address of the user or group you want to grant access to.
In the Role drop-down, select Cloud IAP > IAP-secured Web App User.
Click Save.
Cross-Organization Access (Optional)
By default, IAP uses Google-managed OAuth clients, which strictly restrict access to users within the same Google Cloud Organization as the project. If your deployment requires access from external users (partners using a different domain), you must use a Custom OAuth client configured with an External user type.
For more details, see the official Google Cloud documentation on Using custom OAuth clients with IAP and Enabling IAP for GKE.
You can configure this using one of the following methods:
Method A: Direct Console Configuration (No GKE Secrets)
If your GKE BackendConfig does not manage IAP
settings (meaning it does not have an iap block, allowing GKE
Ingress to inherit existing settings), you can configure the custom client
directly in the console:
- Configure your project's OAuth consent screen as External (see Configure OAuth consent screen section above). If the app remains in "Testing" status, ensure you add the external users to the Test users list.
- Go to the IAP page.
- For the
mde-ui-ext-serviceresource, click More options (three dots) in the Actions column and select Settings. - Select Custom OAuth.
- Click Auto Generate Credentials (or provide existing credentials if you created them manually in APIs & Services).
- Click Save.
Method B: GKE-Managed Configuration (Using Kubernetes Secrets)
If you prefer to manage IAP configuration using Kubernetes
manifests (GitOps), you must store the credentials in a secret and reference it
in your BackendConfig:
- Configure the OAuth consent screen as External and create OAuth client credentials manually under APIs & Services > Credentials (Web application type).
- Create a Kubernetes Secret in the cluster:
sh kubectl create secret generic iap-oauth-secret \ --namespace=mde \ --from-literal=client_id=YOUR_CLIENT_ID \ --from-literal=client_secret=YOUR_CLIENT_SECRET - Update the
BackendConfigfor your service to reference the secret:yaml spec: iap: enabled: true oauthclientCredentials: secretName: iap-oauth-secret
Configure DNS for MDE web interface
If you enabled the External HTTP Load balancer for the MDE
web interface, you must set the A record of the domain name you assigned to the
variable MDE_UI_DOMAIN_NAME in input.tfvars to the IP
address of the external HTTP load balancer that was deployed to finish
provisioning the Google-managed SSL certificate.
You can look up the IP address of the external HTTP balancer with the following command:
gcloud compute addresses list --filter="name~'.*mde-ui.*'" --format="value(address)" --global
Consult your DNS host for details on how to create an A record.