# Google Cloud Identity-Aware Proxy (IAP)

A comprehensive Python library for managing Google Cloud Identity-Aware Proxy (IAP), which enables developers to protect access to Google Cloud hosted resources and applications. The library provides programmatic access to IAP policies, OAuth brand/client management, tunnel destination groups, and authentication flows through Google's zero-trust security model.

## Package Information

- **Package Name**: google-cloud-iap
- **Package Type**: pypi
- **Language**: Python
- **Installation**: `pip install google-cloud-iap`
- **Python Support**: Python >= 3.7

## Core Imports

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
```

For async clients:

```python
from google.cloud.iap import IdentityAwareProxyAdminServiceAsyncClient
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient
```

Import data types:

```python
from google.cloud.iap import (
    IapSettings,
    AccessSettings,
    Brand,
    IdentityAwareProxyClient,
    TunnelDestGroup,
)
```

Import retry constants:

```python
from google.api_core.retry import Retry
from google.api_core import gapic_v1

DEFAULT = gapic_v1.method.DEFAULT  # Default retry and timeout behavior
```
## Basic Usage
48
49
```python
50
from google.cloud.iap import IdentityAwareProxyAdminServiceClient
51
from google.cloud.iap import GetIapSettingsRequest
52
53
# Initialize the Admin client
54
client = IdentityAwareProxyAdminServiceClient()
55
56
# Get IAP settings for a resource
57
resource_name = "projects/my-project/iap_web/compute/services/my-service"
58
request = GetIapSettingsRequest(name=resource_name)
59
settings = client.get_iap_settings(request=request)
60
61
print(f"IAP settings for {resource_name}:")
62
print(f"Access settings: {settings.access_settings}")
63
print(f"Application settings: {settings.application_settings}")
64
```
65
66
```python
67
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
68
from google.cloud.iap import ListBrandsRequest
69
70
# Initialize the OAuth client
71
oauth_client = IdentityAwareProxyOAuthServiceClient()
72
73
# List OAuth brands for a project
74
project_path = "projects/my-project"
75
request = ListBrandsRequest(parent=project_path)
76
response = oauth_client.list_brands(request=request)
77
78
for brand in response.brands:
79
print(f"Brand: {brand.name}")
80
print(f"Application title: {brand.application_title}")
81
print(f"Support email: {brand.support_email}")
82
```
83
84
### Async Client Usage
85
86
```python
87
import asyncio
88
from google.cloud.iap import IdentityAwareProxyOAuthServiceAsyncClient
89
from google.cloud.iap import ListBrandsRequest
90
91
async def list_brands_async():
92
# Initialize async OAuth client
93
async_client = IdentityAwareProxyOAuthServiceAsyncClient()
94
95
# List OAuth brands asynchronously
96
project_path = "projects/my-project"
97
request = ListBrandsRequest(parent=project_path)
98
response = await async_client.list_brands(request=request)
99
100
for brand in response.brands:
101
print(f"Brand: {brand.name}")
102
print(f"Support email: {brand.support_email}")
103
104
# Run async function
105
asyncio.run(list_brands_async())
106
```
107
108
## Architecture
109
110
The google-cloud-iap library provides two main service clients that correspond to different aspects of IAP management:
111
112
- **Admin Service**: Manages IAP settings, access policies, tunnel destination groups, and IAM permissions
113
- **OAuth Service**: Manages OAuth brands and OAuth clients for IAP authentication flows
114
115
Both services support synchronous and asynchronous operation modes, with automatic retry handling, credential management, and built-in logging capabilities for production environments.
116
117
The library follows Google Cloud client library patterns with:
118
- **Transport abstraction**: Supports gRPC and REST transports
119
- **Automatic retry**: Built-in retry logic for transient failures
120
- **Authentication**: Automatic credential discovery and management
121
- **Pagination**: Helper classes for paginated API responses
122
- **Path helpers**: Utility methods for constructing resource names
123
124
## Capabilities
125
126
### IAP Administration
127
128
Comprehensive IAP settings management including access controls, application settings, tunnel destination groups, and IAM policy operations. This includes configuring authentication methods, access restrictions, CORS settings, and custom access denied pages.
129
130
```python { .api }
131
class IdentityAwareProxyAdminServiceClient:
132
def get_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
133
def update_iap_settings(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IapSettings: ...
134
def validate_iap_attribute_expression(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ValidateIapAttributeExpressionResponse: ...
135
def list_tunnel_dest_groups(self, request, *, parent=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListTunnelDestGroupsPager: ...
136
def create_tunnel_dest_group(self, request, *, parent=None, tunnel_dest_group=None, tunnel_dest_group_id=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
137
def get_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
138
def update_tunnel_dest_group(self, request, *, tunnel_dest_group=None, update_mask=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> TunnelDestGroup: ...
139
def delete_tunnel_dest_group(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...
140
```
141
142
[IAP Administration](./iap-admin.md)
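An added example (not part of the library's own documentation) of tightening one resource's access settings with `update_iap_settings`: `hardened_access_settings` builds the `access_settings` sub-messages plus the matching `update_mask` paths as plain dicts, and `apply_hardened_settings` sends them in an `UpdateIapSettingsRequest`. The resource name, domain and both function names are placeholders chosen for this example.

```python
from typing import Any, Dict, List, Tuple


def hardened_access_settings(domains: List[str], max_age_seconds: int) -> Tuple[Dict[str, Any], List[str]]:
    """Return (access_settings, update_mask paths) that tighten an IAP resource.

    reauth_settings: require an enrolled second factor at least every
    max_age_seconds, as a MINIMUM that child resources cannot relax;
    allowed_domains_settings: accept sign-ins only from the listed domains;
    cors_settings: never let HTTP OPTIONS preflights skip authorization.
    Enums are named here and resolved against the SDK in apply_hardened_settings,
    so this builder can be exercised without google-cloud-iap installed.
    """
    if not domains:
        raise ValueError("at least one allowed sign-in domain is required")
    if max_age_seconds <= 0:
        raise ValueError("max_age_seconds must be positive")
    access_settings: Dict[str, Any] = {
        "reauth_settings": {
            "method": "ENROLLED_SECOND_FACTORS",
            "max_age": {"seconds": max_age_seconds},
            "policy_type": "MINIMUM",
        },
        "allowed_domains_settings": {"enable": True, "domains": sorted(set(domains))},
        "cors_settings": {"allow_http_options": False},
    }
    # The mask confines the write to these sub-messages; GCIP, OAuth and
    # attribute-propagation settings on the resource are left untouched.
    mask = [f"access_settings.{key}" for key in access_settings]
    return access_settings, mask


def apply_hardened_settings(resource_name: str, domains: List[str], max_age_seconds: int = 3600):
    """Send the settings with update_iap_settings; needs the SDK and credentials."""
    from google.cloud.iap import IdentityAwareProxyAdminServiceClient, ReauthSettings, UpdateIapSettingsRequest
    from google.protobuf import field_mask_pb2

    access_settings, mask = hardened_access_settings(domains, max_age_seconds)
    reauth = access_settings["reauth_settings"]
    reauth["method"] = ReauthSettings.Method[reauth["method"]]
    reauth["policy_type"] = ReauthSettings.PolicyType[reauth["policy_type"]]
    request = UpdateIapSettingsRequest(
        iap_settings={"name": resource_name, "access_settings": access_settings},
        update_mask=field_mask_pb2.FieldMask(paths=mask),
    )
    return IdentityAwareProxyAdminServiceClient().update_iap_settings(request=request)


if __name__ == "__main__":
    # Placeholder resource name and domain; substitute your own.
    print(apply_hardened_settings("projects/my-project/iap_web/compute/services/my-service", ["example.com"]))
```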

### OAuth Brand and Client Management

Programmatic creation, management, and configuration of IAP OAuth brands and OAuth clients. This includes creating OAuth applications, managing client secrets, and configuring OAuth flows for IAP authentication.

```python { .api }
class IdentityAwareProxyOAuthServiceClient:
    def list_brands(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListBrandsResponse: ...
    def create_brand(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def get_brand(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> Brand: ...
    def create_identity_aware_proxy_client(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def list_identity_aware_proxy_clients(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> ListIdentityAwareProxyClientsPager: ...
    def get_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def reset_identity_aware_proxy_client_secret(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> IdentityAwareProxyClient: ...
    def delete_identity_aware_proxy_client(self, request, *, name=None, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> None: ...
```

[OAuth Management](./oauth-management.md)

### IAM Policy Management

Standard Google Cloud IAM operations for IAP resources, including setting policies, getting policies, and testing permissions on IAP-protected resources.

```python { .api }
class IdentityAwareProxyAdminServiceClient:
    def set_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def get_iam_policy(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> policy_pb2.Policy: ...
    def test_iam_permissions(self, request, *, retry=DEFAULT, timeout=DEFAULT, metadata=()) -> iam_policy_pb2.TestIamPermissionsResponse: ...
```

[IAM Policy Management](./iam-policies.md)
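An added audit example (not from the library's documentation) built on `get_iam_policy`: `audit_iap_bindings` flags bindings on an IAP resource that grant access to public principals or that still reference deleted principals, and it works on plain dicts so it can run offline; `audit_resource_policy` fetches the live policy and flattens it with `policy_to_bindings`. The sample bindings are constructed, and the function names are this example's own.

```python
from typing import Dict, List, Mapping, Sequence, Tuple

# Principals that make an IAP-protected resource effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

Finding = Tuple[str, str, str]  # (role, member, reason)


def audit_iap_bindings(bindings: Sequence[Mapping[str, Sequence[str]]]) -> List[Finding]:
    """Flag members that should not appear on an IAP-protected resource.

    Each binding is {"role": str, "members": [str, ...]}, the shape produced
    by policy_to_bindings() from a policy_pb2.Policy.
    """
    findings: List[Finding] = []
    for binding in bindings:
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member, "public principal"))
            elif member.startswith("deleted:"):
                # Stale binding left behind after the principal was deleted;
                # remove it so access reviews reflect who can really get in.
                findings.append((binding["role"], member, "deleted principal"))
    return findings


def policy_to_bindings(policy) -> List[Dict[str, List[str]]]:
    """Flatten a policy_pb2.Policy into the plain shape audit_iap_bindings reads."""
    return [{"role": b.role, "members": list(b.members)} for b in policy.bindings]


def audit_resource_policy(resource_name: str) -> List[Finding]:
    """Fetch the live policy of one IAP resource and audit it (needs credentials)."""
    from google.cloud.iap import IdentityAwareProxyAdminServiceClient

    client = IdentityAwareProxyAdminServiceClient()
    policy = client.get_iam_policy(request={"resource": resource_name})
    return audit_iap_bindings(policy_to_bindings(policy))


# Constructed sample bindings, not a real project's policy.
SAMPLE_BINDINGS = [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["user:alice@example.com", "allAuthenticatedUsers",
                 "deleted:user:bob@example.com?uid=123456789"]},
    {"role": "roles/iap.tunnelResourceAccessor", "members": ["group:ops@example.com"]},
]

if __name__ == "__main__":
    for role, member, reason in audit_iap_bindings(SAMPLE_BINDINGS):
        print(f"{reason}: {member} holds {role}")
```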
174
175
## Types
176
177
### Core Configuration Types
178
179
```python { .api }
180
class IapSettings:
181
"""The IAP configurable settings."""
182
name: str
183
access_settings: AccessSettings
184
application_settings: ApplicationSettings
185
186
class AccessSettings:
187
"""Access related settings for IAP protected apps."""
188
gcip_settings: GcipSettings
189
cors_settings: CorsSettings
190
oauth_settings: OAuthSettings
191
reauth_settings: ReauthSettings
192
allowed_domains_settings: AllowedDomainsSettings
193
workforce_identity_settings: WorkforceIdentitySettings
194
identity_sources: List[IdentitySource]
195
196
class IdentitySource(Enum):
197
IDENTITY_SOURCE_UNSPECIFIED = 0
198
WORKFORCE_IDENTITY_FEDERATION = 3
199
200
class ApplicationSettings:
201
"""Wrapper over application specific settings for IAP."""
202
csm_settings: CsmSettings
203
access_denied_page_settings: AccessDeniedPageSettings
204
cookie_domain: wrappers_pb2.StringValue
205
attribute_propagation_settings: AttributePropagationSettings
206
```
207
208
### Resource Types
209
210
```python { .api }
211
class Brand:
212
"""OAuth brand data."""
213
name: str # Output only
214
support_email: str
215
application_title: str
216
org_internal_only: bool # Output only
217
218
class IdentityAwareProxyClient:
219
"""IAP OAuth client data."""
220
name: str # Output only
221
secret: str # Output only
222
display_name: str
223
224
class TunnelDestGroup:
225
"""A tunnel destination group."""
226
name: str
227
cidrs: List[str] # Optional
228
fqdns: List[str] # Optional
229
```