# IAP Administration

Comprehensive management of Identity-Aware Proxy settings, access controls, tunnel destination groups, and validation utilities. This service enables programmatic configuration of IAP policies, access restrictions, and security settings for protected resources.

## Capabilities

### IAP Settings Management

Retrieve and update IAP configuration settings for protected resources, including access controls, application settings, and security policies.

```python { .api }
def get_iap_settings(
    self,
    request: GetIapSettingsRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> IapSettings:
    """
    Gets the IAP settings on a particular IAP protected resource.

    Args:
        request: The request object containing the resource name.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        The current IAP settings for the specified resource.
    """

def update_iap_settings(
    self,
    request: UpdateIapSettingsRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> IapSettings:
    """
    Updates the IAP settings on a particular IAP protected resource.

    Args:
        request: The request object containing the settings to update.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        The updated IAP settings.
    """
```

Example usage:

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import GetIapSettingsRequest, UpdateIapSettingsRequest
from google.cloud.iap import IapSettings, AccessSettings, ReauthSettings
from google.protobuf import field_mask_pb2
from google.protobuf import duration_pb2

client = IdentityAwareProxyAdminServiceClient()

# Get current IAP settings
resource_name = "projects/my-project/iap_web/compute/services/my-service"
get_request = GetIapSettingsRequest(name=resource_name)
current_settings = client.get_iap_settings(request=get_request)

# Update reauthentication settings
reauth_settings = ReauthSettings(
    method=ReauthSettings.Method.PASSWORD,
    max_age=duration_pb2.Duration(seconds=3600),  # 1 hour
    policy_type=ReauthSettings.PolicyType.MINIMUM
)

access_settings = AccessSettings(reauth_settings=reauth_settings)
updated_settings = IapSettings(
    name=resource_name,
    access_settings=access_settings
)

# Create update mask to specify which fields to update;
# fields outside the mask keep their current values
update_mask = field_mask_pb2.FieldMask(
    paths=["access_settings.reauth_settings"]
)

update_request = UpdateIapSettingsRequest(
    iap_settings=updated_settings,
    update_mask=update_mask
)

result = client.update_iap_settings(request=update_request)
```
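
A defender-side check to run over what `get_iap_settings` returns, added here as an example and not taken from the page or from google-cloud-iap: it flags the weak settings a reviewer looks for in `access_settings` (no strong reauthentication, domain restriction off, CORS preflight bypass). The thresholds are assumptions, and the sample input is constructed with `SimpleNamespace` to mirror the `IapSettings` attribute layout so the block runs offline.

```python
from types import SimpleNamespace

# Audit thresholds assumed for this example (not IAP defaults): reauth must use
# a password or second factor at most every 12 hours, the allowed-domains
# restriction must be on, and CORS preflight must not bypass IAP.
MAX_REAUTH_SECONDS = 12 * 3600
# Numeric values of ReauthSettings.Method: PASSWORD, SECURE_KEY, ENROLLED_SECOND_FACTORS
STRONG_REAUTH_METHODS = {2, 3, 4}


def _seconds(duration):
    """Duration as seconds; accepts a Duration-like (.seconds) or a timedelta."""
    if hasattr(duration, "total_seconds"):
        return duration.total_seconds()
    return duration.seconds


def _unwrap(value):
    """Wrapper fields (BoolValue) may surface as an object with .value or as a plain bool/None."""
    return getattr(value, "value", value)


def audit_iap_settings(settings):
    """Return findings for one IapSettings-shaped object (attribute names as in google.cloud.iap.IapSettings)."""
    findings = []
    access = settings.access_settings
    reauth = access.reauth_settings
    if reauth.method not in STRONG_REAUTH_METHODS:
        findings.append("reauth: no password or second-factor reauthentication")
    elif not 0 < _seconds(reauth.max_age) <= MAX_REAUTH_SECONDS:
        findings.append(f"reauth: max_age unset or longer than {MAX_REAUTH_SECONDS}s")
    if not access.allowed_domains_settings.enable:
        findings.append("allowed_domains: domain restriction disabled")
    if _unwrap(access.cors_settings.allow_http_options):
        findings.append("cors: HTTP OPTIONS requests skip IAP authorization")
    return findings


def make_settings(name, method, max_age_seconds, domains_enabled, allow_options):
    """Constructed offline stand-in mirroring the IapSettings attribute layout."""
    return SimpleNamespace(
        name=name,
        access_settings=SimpleNamespace(
            reauth_settings=SimpleNamespace(
                method=method, max_age=SimpleNamespace(seconds=max_age_seconds)),
            allowed_domains_settings=SimpleNamespace(enable=domains_enabled),
            cors_settings=SimpleNamespace(
                allow_http_options=SimpleNamespace(value=allow_options)),
        ),
    )
```

Run the same function over the object returned by `get_iap_settings`; on the real client, wrapper and Duration fields may already be unwrapped to Python values, which the helpers accept.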

### Attribute Expression Validation

Validate IAP attribute expressions (the CEL expressions used in attribute propagation settings) before applying them to configurations.

```python { .api }
def validate_iap_attribute_expression(
    self,
    request: ValidateIapAttributeExpressionRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> ValidateIapAttributeExpressionResponse:
    """
    Validates that a given CEL expression conforms to IAP restrictions.

    Args:
        request: The request object containing the expression to validate.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        Empty response when the expression is valid; an invalid expression
        is reported as an error raised by the call, not in the response.
    """
```

### Tunnel Destination Group Management

Manage tunnel destination groups that define sets of destinations accessible through IAP TCP forwarding.

```python { .api }
def list_tunnel_dest_groups(
    self,
    request: ListTunnelDestGroupsRequest,
    *,
    parent: str = None,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> ListTunnelDestGroupsPager:
    """
    Lists the existing TunnelDestGroups.

    Args:
        request: The request object containing the parent project and location.
        parent: The resource path of the parent project and location.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        A pager for iterating through tunnel destination groups.
    """

def create_tunnel_dest_group(
    self,
    request: CreateTunnelDestGroupRequest,
    *,
    parent: str = None,
    tunnel_dest_group: TunnelDestGroup = None,
    tunnel_dest_group_id: str = None,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> TunnelDestGroup:
    """
    Creates a new TunnelDestGroup.

    Args:
        request: The request object.
        parent: The resource path of the parent project and location.
        tunnel_dest_group: The TunnelDestGroup to create.
        tunnel_dest_group_id: The ID to use for the tunnel destination group.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        The created tunnel destination group.
    """

def get_tunnel_dest_group(
    self,
    request: GetTunnelDestGroupRequest,
    *,
    name: str = None,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> TunnelDestGroup:
    """
    Retrieves an existing TunnelDestGroup.

    Args:
        request: The request object.
        name: The resource name of the tunnel destination group.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        The requested tunnel destination group.
    """

def update_tunnel_dest_group(
    self,
    request: UpdateTunnelDestGroupRequest,
    *,
    tunnel_dest_group: TunnelDestGroup = None,
    update_mask: field_mask_pb2.FieldMask = None,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> TunnelDestGroup:
    """
    Updates an existing TunnelDestGroup.

    Args:
        request: The request object.
        tunnel_dest_group: The TunnelDestGroup to update.
        update_mask: Field mask to specify which fields to update.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.

    Returns:
        The updated tunnel destination group.
    """

def delete_tunnel_dest_group(
    self,
    request: DeleteTunnelDestGroupRequest,
    *,
    name: str = None,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> None:
    """
    Deletes a TunnelDestGroup.

    Args:
        request: The request object.
        name: The resource name of the tunnel destination group to delete.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.
    """
```

Example usage:

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import (
    ListTunnelDestGroupsRequest,
    CreateTunnelDestGroupRequest,
    TunnelDestGroup
)

client = IdentityAwareProxyAdminServiceClient()
# Build the parent path with the client's own helper so it has the
# projects/.../iap_tunnel/locations/... form the API expects
parent = IdentityAwareProxyAdminServiceClient.tunnel_location_path("my-project", "global")

# List existing tunnel destination groups
list_request = ListTunnelDestGroupsRequest(parent=parent)
for group in client.list_tunnel_dest_groups(request=list_request):
    print(f"Tunnel group: {group.name}")
    print(f"  CIDRs: {group.cidrs}")
    print(f"  FQDNs: {group.fqdns}")

# Create a new tunnel destination group
new_group = TunnelDestGroup(
    cidrs=["10.0.0.0/24", "192.168.1.0/24"],
    fqdns=["internal.example.com", "db.example.com"]
)

create_request = CreateTunnelDestGroupRequest(
    parent=parent,
    tunnel_dest_group=new_group,
    tunnel_dest_group_id="my-tunnel-group"
)

created_group = client.create_tunnel_dest_group(request=create_request)
print(f"Created tunnel group: {created_group.name}")
```
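
Added example (not from the page or from google-cloud-iap): a least-privilege pre-flight for the `cidrs` and `fqdns` of a `TunnelDestGroup` before calling `create_tunnel_dest_group`. The policy (private ranges no wider than a /16, well-formed hostnames under an assumed approved zone) and the sample values are constructed for this example.

```python
import ipaddress
import re

# Policy assumed for this example (not an IAP rule): destinations must be
# private ranges no wider than a /16, and hostnames must be well formed and
# inside an approved DNS zone.
MAX_PREFIX_WIDTH = 16
ALLOWED_FQDN_SUFFIXES = (".example.com",)  # constructed approved zone
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def check_cidrs(cidrs):
    """Flag malformed, too-broad, or non-private CIDRs; returns a list of problems."""
    problems = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError:
            problems.append(f"{cidr}: not a valid CIDR")
            continue
        if net.prefixlen < MAX_PREFIX_WIDTH:
            problems.append(f"{cidr}: wider than /{MAX_PREFIX_WIDTH}")
        elif not net.is_private:
            problems.append(f"{cidr}: not a private range")
    return problems


def check_fqdns(fqdns):
    """Flag malformed hostnames and hostnames outside the approved zones."""
    problems = []
    for fqdn in fqdns:
        host = fqdn.lower().rstrip(".")
        if not HOSTNAME_RE.match(host):
            problems.append(f"{fqdn}: not a valid hostname")
        elif not host.endswith(ALLOWED_FQDN_SUFFIXES):
            problems.append(f"{fqdn}: outside approved zones")
    return problems


def validate_tunnel_dest_group(cidrs, fqdns):
    """Combined pre-flight check; an empty list means the group may be created."""
    return check_cidrs(cidrs) + check_fqdns(fqdns)


if __name__ == "__main__":
    # Constructed sample: the page's example group, then one that must be rejected.
    print(validate_tunnel_dest_group(["10.0.0.0/24", "192.168.1.0/24"],
                                     ["internal.example.com", "db.example.com"]))
    print(validate_tunnel_dest_group(["0.0.0.0/0", "8.8.8.0/24"], ["db.other.net"]))
```

A non-empty result should abort the create call and be logged, so the rejected entries are on record for review.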

## Types

### Request Types

```python { .api }
class GetIapSettingsRequest:
    """Request message for GetIapSettings."""
    name: str  # Resource name

class UpdateIapSettingsRequest:
    """Request message for UpdateIapSettings."""
    iap_settings: IapSettings
    update_mask: field_mask_pb2.FieldMask

class ValidateIapAttributeExpressionRequest:
    """Request message for ValidateIapAttributeExpression."""
    name: str  # Resource name
    expression: str  # CEL expression to validate

class ListTunnelDestGroupsRequest:
    """Request message for ListTunnelDestGroups."""
    parent: str  # Parent project and location
    page_size: int  # Maximum number of results per page
    page_token: str  # Token for next page

class CreateTunnelDestGroupRequest:
    """Request message for CreateTunnelDestGroup."""
    parent: str
    tunnel_dest_group: TunnelDestGroup
    tunnel_dest_group_id: str

class GetTunnelDestGroupRequest:
    """Request message for GetTunnelDestGroup."""
    name: str  # Resource name

class UpdateTunnelDestGroupRequest:
    """Request message for UpdateTunnelDestGroup."""
    tunnel_dest_group: TunnelDestGroup
    update_mask: field_mask_pb2.FieldMask

class DeleteTunnelDestGroupRequest:
    """Request message for DeleteTunnelDestGroup."""
    name: str  # Resource name
```

### Response Types

```python { .api }
class ValidateIapAttributeExpressionResponse:
    """Response message for ValidateIapAttributeExpression (empty)."""
    pass

class ListTunnelDestGroupsResponse:
    """Response message for ListTunnelDestGroups."""
    tunnel_dest_groups: List[TunnelDestGroup]
    next_page_token: str
```

### Configuration Detail Types

```python { .api }
class GcipSettings:
    """GCIP tenant configuration."""
    tenant_ids: List[str]
    login_page_uri: wrappers_pb2.StringValue

class CorsSettings:
    """CORS configuration."""
    allow_http_options: wrappers_pb2.BoolValue

class OAuthSettings:
    """OAuth configuration."""
    login_hint: wrappers_pb2.StringValue
    programmatic_clients: List[str]

class ReauthSettings:
    """Reauthentication configuration."""
    method: Method
    max_age: duration_pb2.Duration
    policy_type: PolicyType

    class Method(Enum):
        METHOD_UNSPECIFIED = 0
        LOGIN = 1
        PASSWORD = 2
        SECURE_KEY = 3
        ENROLLED_SECOND_FACTORS = 4

    class PolicyType(Enum):
        POLICY_TYPE_UNSPECIFIED = 0
        MINIMUM = 1
        DEFAULT = 2

class AllowedDomainsSettings:
    """Domain restriction settings."""
    enable: bool  # Optional
    domains: List[str]

class WorkforceIdentitySettings:
    """Workforce identity configuration."""
    workforce_pools: List[str]
    oauth2: OAuth2

    class OAuth2:
        """OAuth 2.0 settings."""
        client_id: str
        client_secret: str  # Input only
        client_secret_sha256: str  # Output only

class CsmSettings:
    """Service mesh configuration."""
    rctoken_aud: wrappers_pb2.StringValue

class AccessDeniedPageSettings:
    """Custom access denied page configuration."""
    access_denied_page_uri: wrappers_pb2.StringValue
    generate_troubleshooting_uri: wrappers_pb2.BoolValue
    remediation_token_generation_enabled: wrappers_pb2.BoolValue  # Optional

class AttributePropagationSettings:
    """Attribute propagation configuration."""
    expression: str  # Optional CEL expression
    output_credentials: List[OutputCredentials]
    enable: bool  # Optional

    class OutputCredentials(Enum):
        OUTPUT_CREDENTIALS_UNSPECIFIED = 0
        HEADER = 1
        JWT = 2
        RCTOKEN = 3
```

## Path Helper Methods

```python { .api }
@staticmethod
def tunnel_dest_group_path(project: str, location: str, dest_group: str) -> str:
    """Return a fully-qualified tunnel_dest_group string."""

@staticmethod
def parse_tunnel_dest_group_path(path: str) -> Dict[str, str]:
    """Parse a tunnel_dest_group path into its component segments."""

@staticmethod
def tunnel_location_path(project: str, location: str) -> str:
    """Return a fully-qualified tunnel_location string."""

@staticmethod
def parse_tunnel_location_path(path: str) -> Dict[str, str]:
    """Parse a tunnel_location path into its component segments."""

@staticmethod
def common_project_path(project: str) -> str:
    """Return a fully-qualified project string."""

@staticmethod
def parse_common_project_path(path: str) -> Dict[str, str]:
    """Parse a project path into its component segments."""

@staticmethod
def common_location_path(project: str, location: str) -> str:
    """Return a fully-qualified location string."""

@staticmethod
def parse_common_location_path(path: str) -> Dict[str, str]:
    """Parse a location path into its component segments."""
```

## Pager Classes

### ListTunnelDestGroupsPager

```python { .api }
class ListTunnelDestGroupsPager:
    """A pager for iterating through list_tunnel_dest_groups requests."""

    @property
    def pages(self):
        """Iterator of pages in the response."""

    def __iter__(self):
        """Iterator over TunnelDestGroup resources."""

    def __getattr__(self, name):
        """Access to response attributes."""
```

### ListTunnelDestGroupsAsyncPager

```python { .api }
class ListTunnelDestGroupsAsyncPager:
    """Async pager for iterating through list_tunnel_dest_groups requests."""

    @property
    def pages(self):
        """AsyncIterator of pages in the response."""

    def __aiter__(self):
        """AsyncIterator over TunnelDestGroup resources."""
```