The Zero Trust security model is where no person, device, or network is inherently trusted. Granting access is based on numerous factors including but not limited to: identity, device, location, and time of day. One of the primary use cases for Zero-Trust policy enforcement is to provide secure access to web applications, like HTTP/HTTPS-based applications that are hosted on Google Cloud or on-premises data centers. Each web application can have its own access control for precise security and lower risk. Securing the web application doesn't require setting access control lists (ACLs). Instead, setting IP ranges allows for rapid onboarding without compromising security. Architecturally, the primary component to provide zero-trust access is:
Identity-Aware Proxy (IAP) - a policy enforcement engine for ensuring every access request is authorized.
In this lab, you will deploy a sample application to App Engine and enforcing policies using Identity-Aware Proxy (IAP). You will also obtain user identity information in the application protected by IAP.
Learning objectives
Deploying a simple App Engine application using Python.
Enabling Identity Aware Proxy (IAP) to restrict access to the application.
Obtaining user identity information from IAP in your application.
Prerequisites
Basic programming language knowledge (Python)
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.
This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.
How to start your lab and sign in to the Google Cloud console
Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method.
On the left is the Lab Details pane with the following:
The Open Google Cloud console button
Time remaining
The temporary credentials that you must use for this lab
Other information, if needed, to step through this lab
Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).
The lab spins up resources, and then opens another tab that shows the Sign in page.
Tip: Arrange the tabs in separate windows, side-by-side.
Note: If you see the Choose an account dialog, click Use Another Account.
If necessary, copy the Username below and paste it into the Sign in dialog.
{{{user_0.username | "Username"}}}
You can also find the Username in the Lab Details pane.
Click Next.
Copy the Password below and paste it into the Welcome dialog.
{{{user_0.password | "Password"}}}
You can also find the Password in the Lab Details pane.
Click Next.
Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.
Note: Using your own Google Cloud account for this lab may incur extra charges.
Click through the subsequent pages:
Accept the terms and conditions.
Do not add recovery options or two-factor authentication (because this is a temporary account).
Do not sign up for free trials.
After a few moments, the Google Cloud console opens in this tab.
Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.
Activate Cloud Shell
Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.
Click Activate Cloud Shell at the top of the Google Cloud console.
Click through the following windows:
Continue through the Cloud Shell information window.
Authorize Cloud Shell to use your credentials to make Google Cloud API calls.
When you are connected, you are already authenticated, and the project is set to your Project_ID, . The output contains a line that declares the Project_ID for this session:
Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
(Optional) You can list the active account name with this command:
gcloud auth list
Click Authorize.
Output:
ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}
To set the active account, run:
$ gcloud config set account `ACCOUNT`
(Optional) You can list the project ID with this command:
gcloud config list project
Output:
[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}
Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.
Scenario
You're building a minimal web application with Google App Engine, then exploring various ways to use Identity-Aware Proxy to restrict access to the application and provide user identity information to it. Your app will:
Display a welcome page
Access user identity information provided by IAP
Task 1. Deploy the application and protect it using IAP
The application is an App Engine Standard application written in Python 3.8 that simply displays a "Hello, World" welcome page. You will deploy and test it, then restrict access to it using IAP.
In Cloud Shell, run the following to download the code needed for this lab from GitHub and then change to the code folder:
git clone https://github.com/googlecodelabs/user-authentication-with-iap.git
cd user-authentication-with-iap
Review the application code
Change directories from the main project folder to the 1-HelloWorld folder:
cd 1-HelloWorld
The application code is in the main.py file. It uses the Flask web framework to respond to web requests with the contents of a template. That template file is in templates/index.html, and for this step contains only plain HTML. A second template file contains a skeletal example privacy policy in templates/privacy.html.
There are two other files: requirements.txt lists all the non-default Python libraries the application uses, and app.yaml tells Google Cloud Platform that this is a Python 3.8 App Engine application.
You can list each file in Cloud Shell using the cat command:
cat main.py
You can also open the Cloud Shell Code Editor by clicking Edit () at the top right-hand side of the Cloud Shell window, and examine the code using the editor once it loads.
You do not need to change any files for this step.
Deploy the application to app engine
Now deploy the app to the App Engine Standard environment for Python 3.8.
If you are asked if you want to continue, enter Y for yes.
You may also be asked to Authorize the call made to create the App Engine app. If so click the Authorize button.
In the cloud shell code editor, look at the app.yaml file in 1-HelloWorld folder. And update the runtime python version.
runtime: python39
Run the following command after the create command completes:
gcloud app deploy
If asked to continue, enter Y and press Enter.
Note: Re-run the command to avoid an error if it appears.
In a few minutes the deploy should complete and you will see a message that you can view your application with the following command:
gcloud app browse
Note: Since this is the first time this app is run, it will take a few seconds to appear while a cloud instance is started, and you should see similar output to the following image. Access is not yet restricted.
Click Check my progress to verify the objective.
Deploy the application to App Engine
Restrict access with IAP
Navigate to Navigation Menu > View all products > Security > Identity Aware Proxy, and click on the Enable API button, then Go To Identity Aware Proxy.
Since this is the first time you have enabled an authentication option for this project, you will see a message that you must configure your OAuth consent screen before you can use IAP.
Click on the Configure Consent Screen button. A new tab will open to configure the consent screen.
On the "OAuth Overview" page, click on GET STARTED, then under "App Information" enter your app with a name IAP Example
Provide a user support email address (you can use your Qwiklabs-generated student ID email).
Select a Audience Type as Internal radio option and then click on Next.
Under Contact Information enter the email address student-lab@qwiklabs.net, then click on Next,
Under Finish click on checkbox to Accept terms and conditions and click on Create
Go back to the first browser tab and run the following command in Cloud Shell:
Copy the URL as you will use the output of the commands as input for the form on the OAuth Consent tab.
To view the value populated run:
echo $AUTH_DOMAIN
On the OAuth Overview page, click on Create Auth Client , under Application type select Web Application.
Under Authorized redirect URIs click on + ADD URL an enter URL which received in command output then click Create.
In the remaining tab, navigate to Navigation Menu > View all products > Security > Identity Aware Proxy.
You may need to refresh the page if required.
Click the toggle button in the IAP column in the App Engine app row to turn IAP on for the application deployed in the previous section.
Navigate to the application by holding down the Ctrl/Command key and selecting the URL of the App Engine application in the IAP console.
Sign in with the student user listed in the login form.
You will be shown a screen that informs you that you do not have access to the application.
You have successfully protected your app with IAP, but you have not yet told IAP which accounts to allow through.
Click Check my progress to verify the objective.
Restrict access with IAP
Allow members to access application
Return to the Identity-Aware Proxy page of the console by going to Navigation Menu > View all products > Security > Identity Aware Proxy.
Select the checkbox next to App Engine app, and see the sidebar at the right of the page and click Add Principal.
Copy the Username from the lab console on the top left of the lab and enter it into the New principals input box.
Set its role to Cloud IAP > IAP-secured Web App User.
Click Save when finished. The message "Policy Updated" will appear at the bottom of the window.
Click Check my progress to verify the objective.
Allow member to access application
Verify access is restored
Navigate back to your app engine application and reload the page. You should now see your web app, since you already logged in with a user you authorized.
However, you may still see the "You don't have access" page since IAP may not recheck your authorization due to a login cookie being stored.
In that case, do the following steps:
Open your web browser to the home page address with /_gcp_iap/clear_login_cookie added to the end of the URL, as in https://iap-example-999999.appspot.com/_gcp_iap/clear_login_cookie.
Note: Use the URL from the app engine application you deployed earlier in the lab. The above URL is an example.
You will see a new Sign in with Google screen, with your account already showing.
Note: Do not click the account!
Click Use another account and re-enter your credentials.
These steps cause IAP to recheck your access and you should now see your application's home screen.
Task 2. Access user identity information
Once an app is protected with IAP, it can use the identity information that IAP provides in the web request headers it passes through. In this step, the application will get the logged-in user's email address and a persistent unique user ID assigned by the Google Identity Service to that user. That data will be displayed to the user in the welcome page.
In Cloud Shell enter the following command:
cd ~/user-authentication-with-iap/2-HelloUser
In the Cloud Shell code editor, look at the app.yaml file in 2-HelloUser folder and update the runtime python version:
runtime: python39
Deploy to App Engine using the following command:
gcloud app deploy
Note: You may be asked to Authorize the call to deploy the application.
Enter Y if asked to continue.
When the deployment is ready, enter the following command:
gcloud app browse
If a new tab does not open on your browser, copy the displayed link and open it in a new tab. You should see a page similar to the following:
Note: You may need to wait a few minutes for the new version of your application to replace the prior version. Refresh the page if needed to see a page similar to the above.
Click Check my progress to verify the objective.
Access User Identity Information
Examine the application files
The 2-HelloUser folder contains the same set of files as in the 1-HelloWorld folder, but two of the files have been changed: main.py and templates/index.html. The program has been changed to retrieve the user information that IAP provides in request headers, and the template now displays that data.
Run cat main.py to view the contents of the main.py file.
There are two lines in main.py that get the IAP-provided identity data:
The X-Goog-Authenticated-User- headers are provided by IAP, and the names are case-insensitive, so they could be given in all lower or all upper case if preferred. The render_template statement now includes those values so they can be displayed:
The index.html template can display those values by enclosing the names in doubled curly braces:
Hello, {{ email }}! Your persistent ID is {{ id }}.
The provided data is prefixed with accounts.google.com:, showing where the information came from. Your application can remove everything up to and including the colon to get the raw values if desired.
Congratulations!
You have learned how to use Identity Aware Proxy (IAP) to secure HTTP(s) applications deployed to Google Cloud.
Google Cloud training and certification
...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.
Manual last updated May 8, 2025
Lab last tested May 8, 2025
Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
Lab membuat project dan resource Google Cloud untuk jangka waktu tertentu
Lab memiliki batas waktu dan tidak memiliki fitur jeda. Jika lab diakhiri, Anda harus memulainya lagi dari awal.
Di kiri atas layar, klik Start lab untuk memulai
Gunakan penjelajahan rahasia
Salin Nama Pengguna dan Sandi yang diberikan untuk lab tersebut
Klik Open console dalam mode pribadi
Login ke Konsol
Login menggunakan kredensial lab Anda. Menggunakan kredensial lain mungkin menyebabkan error atau dikenai biaya.
Setujui persyaratan, dan lewati halaman resource pemulihan
Jangan klik End lab kecuali jika Anda sudah menyelesaikan lab atau ingin mengulanginya, karena tindakan ini akan menghapus pekerjaan Anda dan menghapus project
Konten ini tidak tersedia untuk saat ini
Kami akan memberi tahu Anda melalui email saat konten tersedia
Bagus!
Kami akan menghubungi Anda melalui email saat konten tersedia
Satu lab dalam satu waktu
Konfirmasi untuk mengakhiri semua lab yang ada dan memulai lab ini
Gunakan penjelajahan rahasia untuk menjalankan lab
Gunakan jendela Samaran atau browser pribadi untuk menjalankan lab ini. Langkah ini akan mencegah konflik antara akun pribadi Anda dan akun Siswa yang dapat menyebabkan tagihan ekstra pada akun pribadi Anda.
In this lab, you will deploy a sample application and enforce the access restriction capabilities using Identity-Aware Proxy.