tessl/pypi-google-cloud-iap

Google Cloud Identity-Aware Proxy API client library for Python

- **Workspace**: tessl
- **Visibility**: Public
- **Describes**: pypipkg:pypi/google-cloud-iap@1.17.x

To install, run `npx @tessl/cli install tessl/pypi-google-cloud-iap@1.17.0`

# Google Cloud Identity-Aware Proxy (IAP)

A comprehensive Python library for managing Google Cloud Identity-Aware Proxy (IAP), which enables developers to protect access to Google Cloud hosted resources and applications. The library provides programmatic access to IAP policies, OAuth brand/client management, tunnel destination groups, and authentication flows through Google's zero-trust security model.

## Package Information

- **Package Name**: google-cloud-iap
- **Package Type**: pypi
- **Language**: Python
- **Installation**: `pip install google-cloud-iap`
- **Python Support**: Python >= 3.7

## Core Imports

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
```

For async clients:

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceAsyncClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient
```

Import data types:

```python
from google.cloud.iap import (
    IapSettings,
    AccessSettings,
    Brand,
    IdentityAwareProxyClient,
    TunnelDestGroup
)
```

Import retry constants:

```python
from google.api_core.retry import Retry
from google.api_core import gapic_v1

DEFAULT = gapic_v1.method.DEFAULT  # Default retry and timeout behavior
```

## Basic Usage

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import GetIapSettingsRequest

# Initialize the Admin client
client = IdentityAwareProxyAdminServiceClient()

# Get IAP settings for a resource
resource_name = "projects/my-project/iap_web/compute/services/my-service"
request = GetIapSettingsRequest(name=resource_name)
settings = client.get_iap_settings(request=request)

print(f"IAP settings for {resource_name}:")
print(f"Access settings: {settings.access_settings}")
print(f"Application settings: {settings.application_settings}")
```

```python
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
from google.cloud.iap import ListBrandsRequest

# Initialize the OAuth client
oauth_client = IdentityAwareProxyOAuthServiceClient()

# List OAuth brands for a project
project_path = "projects/my-project"
request = ListBrandsRequest(parent=project_path)
response = oauth_client.list_brands(request=request)

for brand in response.brands:
    print(f"Brand: {brand.name}")
    print(f"Application title: {brand.application_title}")
    print(f"Support email: {brand.support_email}")
```

### Async Client Usage

```python
import asyncio
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient
from google.cloud.iap import ListBrandsRequest

async def list_brands_async():
    # Initialize async OAuth client
    async_client = IdentityAwareProxyOAuthServiceAsyncClient()

    # List OAuth brands asynchronously
    project_path = "projects/my-project"
    request = ListBrandsRequest(parent=project_path)
    response = await async_client.list_brands(request=request)

    for brand in response.brands:
        print(f"Brand: {brand.name}")
        print(f"Support email: {brand.support_email}")

# Run async function
asyncio.run(list_brands_async())
```

## Architecture

The google-cloud-iap library provides two main service clients that correspond to different aspects of IAP management:

- **Admin Service**: Manages IAP settings, access policies, tunnel destination groups, and IAM permissions
- **OAuth Service**: Manages OAuth brands and OAuth clients for IAP authentication flows

Both services support synchronous and asynchronous operation modes, with automatic retry handling, credential management, and built-in logging capabilities for production environments.

The library follows Google Cloud client library patterns with:

- **Transport abstraction**: Supports gRPC and REST transports
- **Automatic retry**: Built-in retry logic for transient failures
- **Authentication**: Automatic credential discovery and management
- **Pagination**: Helper classes for paginated API responses
- **Path helpers**: Utility methods for constructing resource names

## Capabilities

### IAP Administration

Comprehensive IAP settings management including access controls, application settings, tunnel destination groups, and IAM policy operations. This includes configuring authentication methods, access restrictions, CORS settings, and custom access denied pages.

```python { .api }
class IdentityAwareProxyAdminServiceClient:
    def get_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
    def update_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
    def validate_iap_attribute_expression(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ValidateIapAttributeExpressionResponse: ...
    def list_tunnel_dest_groups(self, request, *, parent=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListTunnelDestGroupsPager: ...
    def create_tunnel_dest_group(self, request, *, parent=None, tunnel_dest_group=None, tunnel_dest_group_id=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def get_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def update_tunnel_dest_group(self, request, *, tunnel_dest_group=None, update_mask=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
    def delete_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...
```

[IAP Administration](./iap-admin.md)

### OAuth Brand and Client Management

Programmatic creation, management, and configuration of IAP OAuth brands and OAuth clients. This includes creating OAuth applications, managing client secrets, and configuring OAuth flows for IAP authentication.

```python { .api }
class IdentityAwareProxyOAuthServiceClient:
    def list_brands(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListBrandsResponse: ...
    def create_brand(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def get_brand(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def create_identity_aware_proxy_client(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def list_identity_aware_proxy_clients(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListIdentityAwareProxyClientsPager: ...
    def get_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def reset_identity_aware_proxy_client_secret(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def delete_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...
```

[OAuth Management](./oauth-management.md)

### IAM Policy Management

Standard Google Cloud IAM operations for IAP resources, including setting policies, getting policies, and testing permissions on IAP-protected resources.

```python { .api }
class IdentityAwareProxyAdminServiceClient:
    def set_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def get_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def test_iam_permissions(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> iam_policy_pb2.TestIamPermissionsResponse: ...
```

[IAM Policy Management](./iam-policies.md)
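
A review of the policy returned by `get_iam_policy` for bindings that open an IAP-protected resource too widely, as an added example that is not part of the original page or the library. The function name, severities and the `SimpleNamespace` sample policy are constructed for illustration; the function reads only `bindings`, `role`, `members` and `condition.expression`, so it also accepts a real `policy_pb2.Policy`.

```python
from types import SimpleNamespace

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# IAP roles that let a principal through the proxy (web and TCP tunnel).
ACCESS_ROLES = {"roles/iap.httpsResourceAccessor", "roles/iap.tunnelResourceAccessor"}


def audit_iap_policy(policy, allowed_domains=()):
    """Return (severity, role, member, reason) findings for one IAM policy."""
    findings = []
    allowed = {d.lower() for d in allowed_domains}
    for b in policy.bindings:
        if b.role not in ACCESS_ROLES:
            continue
        # A binding with an IAM condition is narrower than an unconditional one.
        conditional = bool(getattr(b.condition, "expression", ""))
        for member in b.members:
            if member in PUBLIC_MEMBERS:
                sev = "MEDIUM" if conditional else "HIGH"
                findings.append((sev, b.role, member, "public principal"))
            elif member.startswith("domain:"):
                if allowed and member.split(":", 1)[1].lower() not in allowed:
                    findings.append(("MEDIUM", b.role, member, "unexpected domain"))
            elif member.startswith(("user:", "group:", "serviceAccount:")):
                domain = member.rsplit("@", 1)[-1].lower()
                if (allowed and domain not in allowed
                        and not domain.endswith(".gserviceaccount.com")):
                    findings.append(("LOW", b.role, member, "external identity"))
    return findings


def binding(role, members, expression=""):
    """Build a constructed stand-in for one policy binding."""
    return SimpleNamespace(role=role, members=members,
                           condition=SimpleNamespace(expression=expression))


# Constructed sample policy; a real one comes from client.get_iam_policy(...).
SAMPLE_POLICY = SimpleNamespace(bindings=[
    binding("roles/iap.httpsResourceAccessor",
            ["group:eng@example.com", "allAuthenticatedUsers"]),
    binding("roles/iap.httpsResourceAccessor", ["user:contractor@example.net"]),
    binding("roles/iap.tunnelResourceAccessor", ["domain:example.org"]),
    binding("roles/iap.admin", ["user:admin@example.com"]),
])

if __name__ == "__main__":
    for finding in audit_iap_policy(SAMPLE_POLICY, allowed_domains=("example.com",)):
        print(finding)
```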

## Types

### Core Configuration Types

```python { .api }
class IapSettings:
    """The IAP configurable settings."""
    name: str
    access_settings: AccessSettings
    application_settings: ApplicationSettings

class AccessSettings:
    """Access related settings for IAP protected apps."""
    gcip_settings: GcipSettings
    cors_settings: CorsSettings
    oauth_settings: OAuthSettings
    reauth_settings: ReauthSettings
    allowed_domains_settings: AllowedDomainsSettings
    workforce_identity_settings: WorkforceIdentitySettings
    identity_sources: List[IdentitySource]

class IdentitySource(Enum):
    IDENTITY_SOURCE_UNSPECIFIED = 0
    WORKFORCE_IDENTITY_FEDERATION = 3

class ApplicationSettings:
    """Wrapper over application specific settings for IAP."""
    csm_settings: CsmSettings
    access_denied_page_settings: AccessDeniedPageSettings
    cookie_domain: wrappers_pb2.StringValue
    attribute_propagation_settings: AttributePropagationSettings
```

### Resource Types

```python { .api }
class Brand:
    """OAuth brand data."""
    name: str  # Output only
    support_email: str
    application_title: str
    org_internal_only: bool  # Output only

class IdentityAwareProxyClient:
    """IAP OAuth client data."""
    name: str  # Output only
    secret: str  # Output only
    display_name: str

class TunnelDestGroup:
    """A tunnel destination group."""
    name: str
    cidrs: List[str]  # Optional
    fqdns: List[str]  # Optional

```
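
A check of the `cidrs` and `fqdns` fields of a `TunnelDestGroup` for destinations broader than intended, as an added example that is not part of the original page or the library. The function name, prefix thresholds, internal range list and sample group are assumptions made for illustration; the function reads only `cidrs` and `fqdns`, so it accepts the items yielded by `list_tunnel_dest_groups`.

```python
import ipaddress
from types import SimpleNamespace

# Ranges treated as internal for this audit (RFC 1918 and IPv6 unique local).
INTERNAL = {
    4: [ipaddress.ip_network(n)
        for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    6: [ipaddress.ip_network("fc00::/7")],
}


def audit_tunnel_dest_group(group, min_prefix_v4=16, min_prefix_v6=48):
    """Return (entry, reason) findings for a TunnelDestGroup-shaped object."""
    findings = []
    for cidr in group.cidrs:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append((cidr, f"invalid CIDR: {exc}"))
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen == 0:
            findings.append((cidr, "matches every address"))
        elif net.prefixlen < floor:
            findings.append((cidr, f"prefix /{net.prefixlen} broader than /{floor}"))
        elif not any(net.subnet_of(p) for p in INTERNAL[net.version]):
            findings.append((cidr, "outside internal ranges"))
    for fqdn in group.fqdns:
        labels = fqdn.rstrip(".").split(".")
        if len(labels) < 2 or not all(labels):
            findings.append((fqdn, "not a fully qualified name"))
    return findings


# Constructed sample standing in for one item from list_tunnel_dest_groups().
SAMPLE_GROUP = SimpleNamespace(
    name="projects/my-project/iap_tunnel/locations/us-central1/destGroups/sample",
    cidrs=["10.20.0.0/24", "0.0.0.0/0", "172.16.0.0/12",
           "203.0.113.0/24", "10.1.2.3/24"],
    fqdns=["db.internal.example.com", "localhost"],
)

if __name__ == "__main__":
    for entry, reason in audit_tunnel_dest_group(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP.name}: {entry}: {reason}")
```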