
Applying Google Cloud Identity-Aware Proxy to Restrict Application Access

Hands-On Lab

 


Joseph Lowery

Google Cloud Training Architect II in Content

Length

00:30:00

Difficulty

Beginner

Google Cloud Identity-Aware Proxy (Cloud IAP) makes it possible to restrict access to applications served over internet-accessible URLs without going through a VPN. Cloud IAP is very straightforward to set up and manage. In this hands-on lab, we’ll deploy a simple application on App Engine and then set up IAP for a selected user. Direct testing will quickly demonstrate restricted and non-restricted access.



Logging In to the Environment

  1. On the lab instructions page, right-click the Open GCP Console button.
  2. From the dropdown, select the option to open the link in a private browser window. (Note: Different browsers have different names for a private browser window. On Chrome, you'll choose Open Link in Incognito Window. If you're using Firefox, click Open Link in New Private Window. Etc.)
  3. On the Google sign-in page, enter the unique username you were provided on the lab instructions page. Click Next.
  4. Enter the unique password you were provided on the lab instructions page. Click Next.
  5. On the Welcome to your new account page, click Accept.
  6. In the Welcome L.A.! menu, check the box under Terms of service.
  7. Choose your country of residence, then click AGREE AND CONTINUE.

Enable the Cloud Datastore API and Clone the GitHub Repository

Enable the Cloud Datastore API

  1. From the Google Cloud Platform dashboard, click the navigation menu at the top left of the page.
  2. In the dropdown, select APIs & Services > Library.
  3. On the API Library page, enter "Datastore" in the search bar.
  4. Select the Cloud Datastore API.
  5. Click Enable.
  6. Click the Cloud Shell icon at the top right of the page.
  7. Click START CLOUD SHELL.
  8. When it spins up, run the following command to create a new bucket:
    gsutil mb -c regional -l us-east1 gs://[BUCKET_NAME]

    (Note: The bucket name must be unique.)

  9. Refresh the browser page to verify that the bucket was successfully created.
  10. Grant public read access to the bucket (this ACL change gives AllUsers read permission on it):
    gsutil acl ch -u AllUsers:R gs://[BUCKET_NAME]
  11. Refresh the browser page to verify that the bucket is now publicly accessible.

Clone the GitHub Repository

  1. Run the following command in the Cloud Shell:
    git clone https://github.com/linuxacademy/content-gc-essentials
  2. Change to the content-gc-essentials/app-engine-lab directory.
    cd content-gc-essentials/app-engine-lab

Configure and Deploy the App

  1. Click the pencil icon at the top right of the Cloud Shell window to open the Cloud Shell code editor.
  2. In the left navigation panel, select app-engine-lab > config.py.
  3. In the config.py file, set the PROJECT_ID variable to the ID of the current project (the Cloud Shell prompt shows it in parentheses).
  4. Set the CLOUD_STORAGE_BUCKET variable to your unique bucket name.
  5. Click File > Save.
  6. Run the following command in the Cloud Shell to deploy the app:
    gcloud app deploy
  7. At the prompt, enter the number of the region your bucket is in.
  8. At the prompt, enter Y to continue.
  9. Run the following command to view the deployed app:
    gcloud app browse
  10. Click the link in the output to view the LA Music Gallery app.

Configure the OAuth Consent Screen

  1. Go back to the Google Cloud console.
  2. Click the navigation menu at the top left of the page.
  3. From the dropdown, select IAM & admin > Identity-Aware Proxy.
  4. Click CONFIGURE CONSENT SCREEN.
  5. In the Application name field, type "LA Music Gallery".
  6. If the Support email field does not autopopulate, enter the cloud_user email address you were provided for the lab.
  7. Click Save.

Enable and Configure Cloud IAP Access

  1. Click the main navigation menu at the top left of the console.
  2. From the dropdown, select IAM & admin > Identity-Aware Proxy.
  3. On the Identity-Aware Proxy page, click the checkbox next to App Engine app.
  4. In the info panel on the right side of the screen, click ADD MEMBER.
  5. In the Add members to "App Engine app" menu, enter the email address for your personal Google account.
  6. Click Select a role.
  7. From the dropdown, select Cloud IAP > IAP-secured Web App User.
  8. Click Save.
  9. On the Identity-Aware Proxy page, toggle the IAP switch for App Engine app to the "on" position.
  10. In the Turn on IAP menu, verify that the URLs are correct, and click TURN ON.
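As an added defender-side check that is not part of the lab: once the role above has been granted, the IAP IAM policy on the App Engine app can be exported with `gcloud iap web get-iam-policy --resource-type=app-engine --format=json` and audited so that only the intended user holds IAP-secured Web App User (`roles/iap.httpsResourceAccessor`). The sample policy, the principal names and the `audit_iap_policy` helper below are constructed for this example.

```python
import json

# "IAP-secured Web App User" as it appears in an IAM policy document.
IAP_ROLE = "roles/iap.httpsResourceAccessor"

# Constructed sample of a policy document (hypothetical principals and etag);
# the second member is the kind of over-broad grant the audit should catch.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["user:alice@example.com", "allAuthenticatedUsers"]}
  ],
  "etag": "BwXyz123",
  "version": 1
}
""")


def iap_accessors(policy):
    """Return every principal bound to the IAP web-app user role."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == IAP_ROLE:
            members.update(binding.get("members", []))
    return members


def audit_iap_policy(policy, expected_users):
    """Check that only the intended users can pass through IAP.

    Returns (ok, findings). A finding is raised for a public grant
    (allUsers / allAuthenticatedUsers), a domain- or group-wide grant,
    any member not in expected_users, and any expected user that is absent.
    """
    findings = []
    members = iap_accessors(policy)
    for m in sorted(members):
        if m in ("allUsers", "allAuthenticatedUsers"):
            findings.append(f"public grant: {m}")
        elif m.split(":", 1)[0] in ("domain", "group"):
            findings.append(f"broad grant: {m}")
        elif m not in expected_users:
            findings.append(f"unexpected member: {m}")
    for u in sorted(expected_users):
        if u not in members:
            findings.append(f"missing expected member: {u}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit_iap_policy(SAMPLE_POLICY, {"user:alice@example.com"})
    print("OK" if ok else "\n".join(findings))
```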

Test the IAP Configuration

  1. Go back to the Cloud Shell, and click the app link.
  2. You should be directed to an error page that says, "You don't have access".
  3. Click try a different account.
  4. Sign in to your personal Google account (the account we authorized earlier) to confirm that access is granted.

Conclusion

Congratulations, you've successfully completed this hands-on lab!