Centralize access to your organization’s websites with Identity Aware Proxy (IAP)

  • Published: Jul 25, 2024
  • Controlling access to websites and apps → goo.gle/2LVC0jD
    Control access to your web sites with Identity-Aware Proxy → goo.gle/3o5x5cN
    Most large organizations have multiple web systems, from public websites to internal tools used by employees, built on multiple technical platforms. Access control is often fragmented. But there is a better way. In this episode of Serverless Expeditions, we demo how to configure Identity Aware Proxy (IAP) on App Engine, allowing you to seamlessly and securely grant access to internal and external websites.
    Timestamps:
    1:00 Use cases supported by IAP
    4:18 Architecture overview
    10:20 Setting up public access
    12:55 Setting up public access, but with authentication
    18:10 Setting up access for employees only
    21:15 Setting up access for employees on secure devices only
    Check out more episodes of Serverless Expeditions → goo.gle/ServerlessExpeditions
    Subscribe to get all the episodes as they come out → goo.gle/GCP
    #ServerlessExpeditions #ServerlessExpeditionsExtended
    Product: IAP, App Engine; fullname: Martin Omander, Charlie Engelke;
  • Science

Comments • 78

  • @vibha7860 3 years ago +36

    This sort of live demo and use-case based video tutorials are a lot better than definitions and documents. Thanks to the presenters for a clear and precise explanation.

  • @adeoke3086 3 years ago +8

    This is how you enable people to learn. Fantastic explanation, with very realistic and valid questions, at a pace that the average person can understand. Keep up the good work!

  • @ThiliRocks 1 year ago +2

    One of the best demos and explanatory videos out there from Google. This is an example of how demos should be. It really illustrates the capabilities of IAP with real-world examples. The question-and-answer technique really helps.

    • @TheMomander 1 year ago

      Thank you for the kind words. Happy to hear the video was helpful!

  • @josesanguino535 1 year ago +3

    Thanks Martin/Charlie, for me, this is the best way to learn. Practical, easy, clear and short. Great.

    • @TheMomander 1 year ago +1

      Happy to hear the video was useful to you José!

  • @MatteoBucci95 3 years ago +1

    I was just looking to complete my preparation for a GCP certification but wow, this is impressive!

  • @giuseppepizzichemi5194 3 years ago +6

    excellent exposure, clear, short and easy to reproduce. Thanks so much

  • @MrRobinkv 2 years ago +1

    Awesome, exact solution which I was looking for. Thank you gentlemen for publishing this on YouTube!!!

  • @nicolasconnor8622 3 years ago +1

    One of the best demos I've seen

  • @Babbili 1 year ago +3

    Best video, I'll do that with Cloud Run and a Load Balancer to allow only our employees for an admin dashboard

  • @ymartino1790 3 years ago +1

    Thanks Charlie, great job in explaining those details. I needed this service about three months ago but I found it difficult to digest and understand all the info by just simply reading the IAP docs. This kind of ‘medium duration’ explainer video is what I really need to fully grasp the possible applicable use cases, not the one with the video title ‘in one minute’ explainer video. Thanks for uploading this, guys! 👏🏽

    • @TheMomander 3 years ago +1

      We are happy the video was useful to you! If there are other areas where the docs are hard to digest and a video would help, please let us know!

    • @ymartino1790 3 years ago +2

      @TheMomander Thanks for responding. Some of us (this includes me and my role in my company) would probably avoid reading the full doc about a certain topic whenever possible, since we intend to find answers, a (demonstrated) simple use case, and a practical ‘how to do it’ on the GCP console within as short an amount of screen time as possible, while most of the time we also tend to skip reading the overview, whitepapers, and NEXT session videos. This type of medium-duration explainer (with clickable timestamps) conveys and addresses what I need perfectly.
      If I may suggest, having this type of video episode added to the very first page of the corresponding doc (right below the overview section paragraph) would certainly help others in absorbing the info about the product/solution a lot faster, rather than asking the readers to navigate from one page to another, where I personally find that I don’t always get my questions or ‘how to’ searches easily answered 🙂

    • @charlieengelke 3 years ago +2

      Thanks for your comment; it made my day.

  • @revivalmink1078 3 years ago +2

    Very well explained and articulated. Thanks!

  • @farrukhijaz 3 years ago +4

    Best video I have seen on IAP👌

  • @SumitKumar-rj5qr 1 year ago +1

    Wow, this is a great tutorial with an amazing real-time example. Love it. Keep going

  • @sholesshoe 3 years ago +1

    This is a great tutorial!

  • @kevinfeng2027 2 years ago +1

    fantastic presentation

  • @AnshumanKumar007 1 year ago +1

    Pretty good. Much more engaging than the docs.

    • @TheMomander 1 year ago +1

      We're happy to hear that you found the video useful, Anshuman!

  • @beckychiang2667 1 year ago

    Very nice video!

  • @arbazhundekar3898 2 years ago +1

    Can you please tell me if we can do a similar setup for Cloud Run for authentication purposes?

  • @saurabhdeshwar5693 2 years ago

    Hey, thanks for sharing the details. Though one question: how is IAP making use of Identity Platform as explained in the flow diagram?

    • @TheMomander 1 year ago

      The Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

  • @ArsenioAguirrePonce 3 years ago

    Hi, where can I find the sample code for web apps?

  • @user-bg1wj9fd3f 5 months ago +1

    How does it differ from Identity Platform? When should I use IAP over Identity Platform?

    • @TheMomander 4 months ago +1

      Use IAP if you have a predefined list of users who are allowed to use the application, for example employees in an organization. Use Identity Platform if you want new users to be able to sign up in the application.

  • @adityaguptai 3 years ago +1

    Would love it if you can make something on Cloud Run best practices for production and some amazing use cases with Cloud Run

    • @charlieengelke 3 years ago +1

      We'll take this into consideration. I can't make any promises, though!

    • @CharlesEngelke 3 years ago +1

      @charlieengelke Okay, I can pretty much make a promise. It's being worked on, but it's a fairly long process.

  • @gauravbohra9104 3 years ago +1

    Does IAP also provide for SaaS applications; those applications are deployed on the internet?

    • @TheMomander 1 year ago

      IAP is great if you know your users ahead of time. So it would work well for a SaaS application if it's a "high-touch" sales process where you sign a contract in a meeting with the customer, get the list of users, and have a few days to add the users to your system. If your SaaS application is self-serve, that is users can sign up themselves without your intervention, you are better off with Firebase Authentication or Cloud Identity Platform. Those tools don't require you to add users manually to your backend.

    • @TheMomander 1 year ago

      By the way, the Cloud Run + IAP integration has launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

  • @nielskersic328 3 years ago +2

    Really hope IAP will be made available for Cloud Run soon too

    • @charlieengelke 3 years ago

      Me, too! I can think of lots of use cases.

    • @duylexuan1945 3 years ago +3

      You can do a trick here. Use IAP with an HTTPS Load Balancer (LB), and configure the LB to point to your application that is running on Cloud Run. I have tried it and it works.

    • @googlecloudtech 3 years ago

      Hi Niels, this is a great question and we actually answer it in our first episode of #AskGoogleCloud that’s premiering tomorrow March 12th at 10AM PT → goo.gle/3qDQEdy
      We’ll also have serverless experts who are going to be answering questions in real-time in the live chat. Drop by to ask your questions or say hello!

    • @TheMomander 1 year ago

      @duylexuan1945 Well done! A simplified Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.

  • @megairrational 3 years ago +1

    @charlie, again a very useful and informative video. Many thanks!
    @martin, great product that simplifies our lives, making sure it is secure and reliable.
    One question, does IAP work with Cloud Run?

    • @charlieengelke 3 years ago +1

      Thanks for the comment! You can use IAP with Cloud Load Balancer, and you can use load balancing with Cloud Run ( cloud.google.com/run/docs/using-gcp-services ). I haven't tried to use those two together, but it seems like it would work. But it's more complicated than just turning IAP on for Cloud Run.

    • @charlieengelke 3 years ago

      @dSights "Expect" is a bit strong. "Hope for" maybe. We're looking into it.

    • @CharlesEngelke 3 years ago

      @dSights Yes. We're putting one together. Production is a long process, so please be patient.

    • @CharlesEngelke 3 years ago

      @dSights Coming soon (given that video production takes some time)!

    • @PS-cc3pz 3 years ago

      @CharlesEngelke Hoping to see that demo soon. I've tried to set up the LB with IAP. Working fine with App Engine. But not with Cloud Run (getting Forbidden error). Not sure what the missing piece is

  • @batisteo 3 years ago +2

    I don’t know you but we have love for ancient maps in common!

    • @TheMomander 1 year ago

      That's great to hear, Baptiste!

  • @HimanshuSharma-yn6dz 3 years ago +1

    Hey
    I have two services, one for the frontend and the other one for the backend (API).
    Without IAP it's working as expected, and as I turn on IAP, I am facing an issue.
    Access to XMLHttpRequest at ‘hellow-dot-.appspot.com/' from origin ‘.appspot.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
    Any idea how to solve this?
    Thanks in advance

    • @TheMomander 1 year ago

      When you say that you have "two services", does that mean two different Google Cloud projects? If so, I propose you put both the front-end and back-end in the same project to minimize CORS issues.

  • @teodoropacol7921 3 years ago +2

    System.out.activation=("IAP")

  • @ferojmahmood9484 1 year ago +1

    So this is just configuration in IAP for the website. No code needs to be implemented to send or verify the JWT?

    • @TheMomander 1 year ago

      Correct, IAP handles the login user interface and the token exchange. You may choose to verify the JWT header in your application code if you want to make sure that no-one has accidentally turned off IAP.

    • @ferojmahmood9484 1 year ago +1

      @TheMomander How can I do that in the code? Can you show any example?

    • @TheMomander 1 year ago

      @ferojmahmood9484 Search for "identity aware proxy securing your app with signed headers" and you will find the doc that describes how. (YouTube will mark my comment as spam if I include a link 🙂)

    • @ferojmahmood9484 1 year ago

      @TheMomander I found the code. My question is, in a simple "Hello World project", where should I implement this code? When will this code be invoked? If IAP is disabled, who will send the JWT token? I am not clear about that flow when IAP is disabled by someone.

    • @TheMomander 1 year ago

      @ferojmahmood9484 The JWT will be in the HTTP request header *x-goog-iap-jwt-assertion*. If you want to make sure that your fellow admins haven't turned off IAP, you can verify the JWT with a library in your preferred language or by calling the URL in the doc I linked to above. If you trust your fellow admins not to turn off IAP, you don't need to do this check.
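
The check discussed in the replies above, as an added example that is not part of the original comments, the video, or Google's sample code. It assumes IAP signs the `x-goog-iap-jwt-assertion` value with ES256, uses the issuer `https://cloud.google.com/iap`, and an App Engine audience of the form `/projects/PROJECT_NUMBER/apps/PROJECT_ID`; the key pair, the `demo-kid` key ID and all helper names are constructed here so the block runs offline.

```javascript
const crypto = require('node:crypto');
const IAP_ISSUER = 'https://cloud.google.com/iap';
const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());

// Returns the verified claims, or throws with the reason the request must be rejected.
function verifyIapJwt(token, keysByKid, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  if (!token) throw new Error('missing assertion header: request did not pass through IAP');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = fromB64url(h);
  // Pin the algorithm: the token must never choose it ("none", HS256, ...).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const key = keysByKid.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = fromB64url(p); // only trusted after the signature check
  if (claims.iss !== IAP_ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  if (!(claims.exp > nowSec) || !(claims.iat <= nowSec + 30)) throw new Error('expired or not yet valid');
  return claims;
}

// Constructed fixture: a local P-256 key pair stands in for Google's IAP signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const KEYS = new Map([['demo-kid', publicKey]]);
const AUDIENCE = '/projects/PROJECT_NUMBER/apps/PROJECT_ID'; // placeholder audience

function signDemoToken(claims, header = { alg: 'ES256', typ: 'JWT', kid: 'demo-kid' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Maps a header value to 'ok:<email>' or 'rejected:<reason>' (what a middleware would log).
function check(headerValue) {
  try { return 'ok:' + verifyIapJwt(headerValue, KEYS, AUDIENCE).email; }
  catch (e) { return 'rejected:' + e.message; }
}

const now = Math.floor(Date.now() / 1000);
const base = { iss: IAP_ISSUER, aud: AUDIENCE, iat: now, exp: now + 600, email: 'user@example.com' };
console.log(check(signDemoToken(base)));                                   // signed by IAP
console.log(check(undefined));                                             // IAP switched off
console.log(check(signDemoToken({ ...base, aud: '/projects/1/apps/x' }))); // meant for another app
```

In a real application the key map is filled from Google's published IAP public keys, and `check` runs on every request before any handler; a missing header is the case that answers the question of what happens when IAP is disabled.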

  • @MuhammadAmjad-qz1ik 3 years ago

    Sir memory full help me please

  • @Encore555 2 years ago

    already watched.

  • @katehillier1027 3 years ago

    We the public have 300 unknowns on our Gmail account, we are not accorded the same respect.

    • @TheMomander 3 years ago

      Kate, would you mind explaining what you mean by "300 unknowns" on your Gmail account? What problem are you trying to solve?

    • @katehillier1027 3 years ago

      300 third party advertisers apps on Gmail accounts. As a user I have no idea who they are and there are too many of them.
      Google dealing with this? Protesting! Right of reply is impossible with Google.

  • @katehillier1027 3 years ago

    Privacy for corporations, open season and free for all on non infrastructure protected users.

  • @katehillier1027 3 years ago

    Google identity says it all.

  • @marceloengecom 1 year ago +1

    Does this solution work for all websites, like a Squid web proxy? I want a solution to integrate with Google Secure LDAP (Google Workspace)

    • @TheMomander 1 year ago

      You'd run squid on a Compute Engine virtual machine? You can put IAP in front of Compute Engine. Search for the article "Setting up IAP for Compute Engine". But I'm afraid I haven't done this myself because I usually lean on a serverless platform for proxying and caching.