With the lets-be-bad-guys application installed in our App Engine flexible environment, we will enable the IAP for this application:
- Navigate to the IAM & Admin section and to the submenu Identity-Aware Proxy. You'll be able to see our App Engine application listed:
- Configure the OAuth consent screen, as it is a prerequisite for enabling IAP:
- After setting up the OAuth screen, you'll be able to turn on the IAP option for our App Engine application. For this recipe, we are not using any custom domain, accept the default domain name provided and click on TURN ON:
- Once IAP is enabled, you'll see the configuration requirement flag is set to OK:
- Now, if you navigate to our App Engine URL, you'll be prompted to login to an account. Try to log in using any available Gmail or G Suite account, you'll see a no-access page:
- The access denial is normal as we have not provided access to anyone in our IAP. In the IAP screen, click on the ADD button on the right side access pane.
- You can add a Google account email, a Google group, a service account, or a Google Apps domain. For testing, let's add a Gmail or a G Suite account in order to access our GCP resources:
- This adds the account to the access-allowed member list:
- Navigate to the URL of the App Engine and you'll be able to view the application with the user account shown in the preceding screenshot:
- Without adding authentication into the application, we are now able to control access to our App Engine application using the Identity-Aware Proxy.