tessl/pypi-google-cloud-iap

Google Cloud Identity-Aware Proxy API client library for Python

Workspace: tessl
Visibility: Public
Describes: pkg:pypi/google-cloud-iap@1.17.x

To install, run

npx @tessl/cli install tessl/pypi-google-cloud-iap@1.17.0


Google Cloud Identity-Aware Proxy (IAP)

A Python client library for managing Google Cloud Identity-Aware Proxy (IAP), the service that gates access to Google Cloud-hosted resources and applications behind identity and context checks. The library provides programmatic access to IAP settings and IAM policies, OAuth brand and client management, tunnel destination groups, and the authentication flows that make up Google's zero-trust access model.

Package Information

  • Package Name: google-cloud-iap
  • Package Type: pypi
  • Language: Python
  • Installation: pip install google-cloud-iap
  • Python Support: Python >= 3.7

Core Imports

from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient

For async clients:

from google.cloud.iap import IdentityAwareProxyAdminServiceAsyncClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient

Import data types:

from google.cloud.iap import (
    IapSettings,
    AccessSettings,
    Brand,
    IdentityAwareProxyClient,
    TunnelDestGroup
)

Import retry constants:

from google.api_core.retry import Retry
from google.api_core import gapic_v1

DEFAULT = gapic_v1.method.DEFAULT  # Default retry and timeout behavior

Basic Usage

from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import GetIapSettingsRequest

# Initialize the Admin client
client = IdentityAwareProxyAdminServiceClient()

# Get IAP settings for a resource
resource_name = "projects/my-project/iap_web/compute/services/my-service"
request = GetIapSettingsRequest(name=resource_name)
settings = client.get_iap_settings(request=request)

print(f"IAP settings for {resource_name}:")
print(f"Access settings: {settings.access_settings}")
print(f"Application settings: {settings.application_settings}")

from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
from google.cloud.iap import ListBrandsRequest

# Initialize the OAuth client
oauth_client = IdentityAwareProxyOAuthServiceClient()

# List OAuth brands for a project
project_path = "projects/my-project"
request = ListBrandsRequest(parent=project_path)
response = oauth_client.list_brands(request=request)

for brand in response.brands:
    print(f"Brand: {brand.name}")
    print(f"Application title: {brand.application_title}")
    print(f"Support email: {brand.support_email}")

Async Client Usage

import asyncio
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient
from google.cloud.iap import ListBrandsRequest

async def list_brands_async():
    # Initialize async OAuth client
    async_client = IdentityAwareProxyOAuthServiceAsyncClient()
    
    # List OAuth brands asynchronously
    project_path = "projects/my-project"
    request = ListBrandsRequest(parent=project_path)
    response = await async_client.list_brands(request=request)
    
    for brand in response.brands:
        print(f"Brand: {brand.name}")
        print(f"Support email: {brand.support_email}")

# Run async function
asyncio.run(list_brands_async())

Architecture

The google-cloud-iap library provides two main service clients that correspond to different aspects of IAP management:

  • Admin Service: Manages IAP settings, access policies, tunnel destination groups, and IAM permissions
  • OAuth Service: Manages OAuth brands and OAuth clients for IAP authentication flows

Both services support synchronous and asynchronous operation modes, with automatic retry handling, credential management, and built-in logging capabilities for production environments.

The library follows Google Cloud client library patterns with:

  • Transport abstraction: Supports gRPC and REST transports
  • Automatic retry: Built-in retry logic for transient failures
  • Authentication: Automatic credential discovery and management
  • Pagination: Helper classes for paginated API responses
  • Path helpers: Utility methods for constructing resource names

Capabilities

IAP Administration

Comprehensive IAP settings management, including access controls, application settings, tunnel destination groups, and IAM policy operations. This covers configuring authentication methods, access restrictions, CORS behaviour, and custom access-denied pages.

class IdentityAwareProxyAdminServiceClient:
    def get_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
    def update_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
    def validate_iap_attribute_expression(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ValidateIapAttributeExpressionResponse: ...
    def list_tunnel_dest_groups(self, request, *, parent=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListTunnelDestGroupsPager: ...
    def create_tunnel_dest_group(self, request, *, parent=None, tunnel_dest_group=None, tunnel_dest_group_id=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def get_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def update_tunnel_dest_group(self, request, *, tunnel_dest_group=None, update_mask=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def delete_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...
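
The settings these methods return are where an IAP deployment is weakened or hardened. The following added example (not code from the google-cloud-iap docs or project) is a read-only hardening check over an IapSettings message as returned by get_iap_settings(); the field names it reads (allowed_domains_settings.enable and .domains, reauth_settings.method, cors_settings.allow_http_options) are assumed from the library's types, and the sample input is constructed.

```python
# Added example (not from the google-cloud-iap docs or project): a read-only
# hardening check over the IapSettings returned by get_iap_settings().
# Assumed field names: allowed_domains_settings.enable/.domains,
# reauth_settings.method, cors_settings.allow_http_options (BoolValue).
from types import SimpleNamespace
from typing import List

METHOD_UNSPECIFIED = 0  # assumed value of ReauthSettings.Method.METHOD_UNSPECIFIED


def _get(obj, dotted: str, default=None):
    """Walk a dotted attribute path, treating a missing field as unset."""
    for part in dotted.split("."):
        obj = getattr(obj, part, None)
        if obj is None:
            return default
    return obj


def audit_access_settings(settings) -> List[str]:
    """Return findings that weaken IAP in the given IapSettings (empty = clean)."""
    findings = []
    domains = _get(settings, "access_settings.allowed_domains_settings")
    if not _get(domains, "enable", False):
        findings.append("allowed-domains restriction off: access limited only by IAM bindings")
    elif not list(_get(domains, "domains", []) or []):
        findings.append("allowed-domains restriction on but the domain list is empty")
    if _get(settings, "access_settings.reauth_settings.method", METHOD_UNSPECIFIED) == METHOD_UNSPECIFIED:
        findings.append("no reauthentication policy: periodic re-authentication is not required")
    opts = _get(settings, "access_settings.cors_settings.allow_http_options")
    # proto-plus may hand back a bare bool or a BoolValue wrapper; accept both
    if bool(getattr(opts, "value", opts)):
        findings.append("CORS: HTTP OPTIONS requests are allowed to skip IAP authorization")
    return findings


# Constructed sample standing in for an IapSettings message with weak settings.
WEAK_SETTINGS = SimpleNamespace(access_settings=SimpleNamespace(
    allowed_domains_settings=SimpleNamespace(enable=False, domains=[]),
    reauth_settings=SimpleNamespace(method=METHOD_UNSPECIFIED),
    cors_settings=SimpleNamespace(allow_http_options=SimpleNamespace(value=True)),
))

if __name__ == "__main__":
    for finding in audit_access_settings(WEAK_SETTINGS):
        print("-", finding)
```

Against a live deployment, pass the result of `client.get_iap_settings(...)` in place of the constructed sample.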

OAuth Brand and Client Management

Programmatic creation, management, and configuration of IAP OAuth brands and OAuth clients. This includes creating OAuth applications, managing client secrets, and configuring OAuth flows for IAP authentication.

class IdentityAwareProxyOAuthServiceClient:
    def list_brands(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListBrandsResponse: ...
    def create_brand(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def get_brand(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def create_identity_aware_proxy_client(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def list_identity_aware_proxy_clients(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListIdentityAwareProxyClientsPager: ...
    def get_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def reset_identity_aware_proxy_client_secret(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def delete_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...

IAM Policy Management

Standard Google Cloud IAM operations for IAP resources, including setting policies, getting policies, and testing permissions on IAP-protected resources.

class IdentityAwareProxyAdminServiceClient:
    def set_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def get_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def test_iam_permissions(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> iam_policy_pb2.TestIamPermissionsResponse: ...
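
The usual way to use these three methods safely is a read-modify-write: fetch the policy, merge one binding, and write it back with the original etag. The following added example (not code from the google-cloud-iap docs or project) does that for the IAP accessor role; the merge is kept SDK-free and the `grant_iap_access` wrapper and its `resource`/`member` parameters are the example's own names.

```python
# Added example (not from the google-cloud-iap docs or project): grant a principal
# the IAP accessor role with a read-modify-write that keeps the policy etag and
# refuses public principals. add_member() works on a dict shaped like
# google.iam.v1.Policy so it can be tested without the SDK; the SDK call lives
# only in grant_iap_access().
import copy
from typing import Dict

IAP_ACCESSOR_ROLE = "roles/iap.httpsResourceAccessor"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def add_member(policy: Dict, role: str, member: str) -> Dict:
    """Return a copy of `policy` with `member` in the unconditional binding for `role`.

    Public principals are rejected: bound to the IAP accessor role they make the
    protected app reachable by any Google account, which defeats IAP.
    """
    if member in PUBLIC_PRINCIPALS:
        raise ValueError(f"refusing to bind public principal {member!r} to {role}")
    updated = copy.deepcopy(policy)  # keep version, etag and any conditions intact
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def grant_iap_access(resource: str, member: str) -> None:
    """Read-modify-write the IAM policy of one IAP resource through the SDK.

    `resource` is a full IAP resource name like the one used in Basic Usage.
    """
    from google.cloud.iap import IdentityAwareProxyAdminServiceClient
    from google.iam.v1 import iam_policy_pb2, policy_pb2
    from google.protobuf.json_format import MessageToDict, ParseDict

    client = IdentityAwareProxyAdminServiceClient()
    current = client.get_iam_policy(
        request=iam_policy_pb2.GetIamPolicyRequest(resource=resource))
    # The etag round-trips through the dict, so a concurrent change makes
    # set_iam_policy fail instead of silently overwriting it.
    updated = add_member(MessageToDict(current), IAP_ACCESSOR_ROLE, member)
    client.set_iam_policy(request=iam_policy_pb2.SetIamPolicyRequest(
        resource=resource, policy=ParseDict(updated, policy_pb2.Policy())))
```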

Types

Core Configuration Types

class IapSettings:
    """The IAP configurable settings."""
    name: str
    access_settings: AccessSettings
    application_settings: ApplicationSettings

class AccessSettings:
    """Access related settings for IAP protected apps."""
    gcip_settings: GcipSettings
    cors_settings: CorsSettings
    oauth_settings: OAuthSettings
    reauth_settings: ReauthSettings
    allowed_domains_settings: AllowedDomainsSettings
    workforce_identity_settings: WorkforceIdentitySettings
    identity_sources: List[IdentitySource]
    
    class IdentitySource(Enum):
        IDENTITY_SOURCE_UNSPECIFIED = 0
        WORKFORCE_IDENTITY_FEDERATION = 3

class ApplicationSettings:
    """Wrapper over application specific settings for IAP."""
    csm_settings: CsmSettings
    access_denied_page_settings: AccessDeniedPageSettings
    cookie_domain: wrappers_pb2.StringValue
    attribute_propagation_settings: AttributePropagationSettings

Resource Types

class Brand:
    """OAuth brand data."""
    name: str  # Output only
    support_email: str
    application_title: str
    org_internal_only: bool  # Output only

class IdentityAwareProxyClient:
    """IAP OAuth client data."""
    name: str  # Output only
    secret: str  # Output only
    display_name: str

class TunnelDestGroup:
    """A tunnel destination group."""
    name: str
    cidrs: List[str]  # Optional
    fqdns: List[str]  # Optional