CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-google-cloud-iap

Google Cloud Identity-Aware Proxy API client library for Python

Pending
Overview
Eval results
Files

iam-policies.mddocs/

IAM Policy Management

Standard Google Cloud IAM operations for IAP resources, enabling programmatic management of access policies, permissions, and role bindings for IAP-protected resources. This includes setting policies for who can access IAP-protected applications and what permissions they have.

Capabilities

IAM Policy Operations

Manage IAM policies for IAP-protected resources using standard Google Cloud IAM operations. These methods allow you to control access to IAP-protected applications by managing user and group permissions.

def set_iam_policy(
    self,
    request: iam_policy_pb2.SetIamPolicyRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> policy_pb2.Policy:
    """
    Sets the access control policy for an IAP protected resource.
    
    Args:
        request: The request object containing the resource and policy.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.
        
    Returns:
        The IAM policy that was set on the resource.
    """

def get_iam_policy(
    self,
    request: iam_policy_pb2.GetIamPolicyRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> policy_pb2.Policy:
    """
    Gets the access control policy for an IAP protected resource.
    
    Args:
        request: The request object containing the resource name.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.
        
    Returns:
        The current IAM policy for the resource.
    """

def test_iam_permissions(
    self,
    request: iam_policy_pb2.TestIamPermissionsRequest,
    *,
    retry=DEFAULT,
    timeout=DEFAULT,
    metadata=()
) -> iam_policy_pb2.TestIamPermissionsResponse:
    """
    Returns permissions that a caller has on the IAP protected resource.
    
    Args:
        request: The request object containing resource and permissions to test.
        retry: Designation of what errors should be retried.
        timeout: The timeout for this request.
        metadata: Strings which should be sent along with the request.
        
    Returns:
        The permissions that the caller has on the resource.
    """

Example usage:

from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.iam.v1 import iam_policy_pb2, policy_pb2

client = IdentityAwareProxyAdminServiceClient()

# Resource name for IAP-protected service
resource_name = "projects/my-project/iap_web/compute/services/my-service"

# Get current IAM policy
get_policy_request = iam_policy_pb2.GetIamPolicyRequest(
    resource=resource_name
)

current_policy = client.get_iam_policy(request=get_policy_request)
print(f"Current policy version: {current_policy.version}")
print(f"Current bindings: {len(current_policy.bindings)}")

# Add a new role binding
new_binding = policy_pb2.Binding(
    role="roles/iap.httpsResourceAccessor",
    members=[
        "user:alice@example.com",
        "group:iap-users@example.com"
    ]
)

current_policy.bindings.append(new_binding)

# Set the updated policy
set_policy_request = iam_policy_pb2.SetIamPolicyRequest(
    resource=resource_name,
    policy=current_policy
)

updated_policy = client.set_iam_policy(request=set_policy_request)
print(f"Updated policy with {len(updated_policy.bindings)} bindings")

# Test specific permissions
test_permissions_request = iam_policy_pb2.TestIamPermissionsRequest(
    resource=resource_name,
    permissions=[
        "iap.webServiceVersions.accessViaIAP",
        "iap.webServices.getIamPolicy"
    ]
)

permissions_response = client.test_iam_permissions(request=test_permissions_request)
print(f"Caller has permissions: {permissions_response.permissions}")

IAP-Specific IAM Roles

When working with IAP IAM policies, you'll commonly use these IAP-specific roles:

Web-based IAP Roles

  • roles/iap.httpsResourceAccessor: Access to web-based applications protected by IAP
  • roles/iap.webServiceViewer: View IAP-protected web services
  • roles/iap.settingsAdmin: Administer IAP settings

Tunnel/TCP IAP Roles

  • roles/iap.tunnelResourceAccessor: Access to resources through IAP TCP forwarding
  • roles/iap.tunnelDestGroupAdmin: Administer tunnel destination groups

General IAP Roles

  • roles/iap.admin: Full administrative access to IAP
  • roles/iap.policyAdmin: Administer IAP access policies

Example with specific IAP roles:

from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.iam.v1 import iam_policy_pb2, policy_pb2

client = IdentityAwareProxyAdminServiceClient()
resource_name = "projects/my-project/iap_web/compute/services/my-service"

# Create policy with IAP-specific roles
policy = policy_pb2.Policy(
    version=3,  # Use version 3 for conditional bindings
    bindings=[
        policy_pb2.Binding(
            role="roles/iap.httpsResourceAccessor",
            members=[
                "user:user1@example.com",
                "user:user2@example.com"
            ]
        ),
        policy_pb2.Binding(
            role="roles/iap.settingsAdmin",
            members=["group:iap-admins@example.com"]
        ),
        policy_pb2.Binding(
            role="roles/iap.webServiceViewer",
            members=["serviceAccount:monitoring@my-project.iam.gserviceaccount.com"]
        )
    ]
)

# Set the policy
set_request = iam_policy_pb2.SetIamPolicyRequest(
    resource=resource_name,
    policy=policy
)

result = client.set_iam_policy(request=set_request)
print(f"Set IAP policy with {len(result.bindings)} role bindings")

Conditional IAM Policies

IAP supports conditional IAM policies (IAM Conditions) that allow fine-grained access control based on attributes like time, location, or custom attributes.

from google.cloud.iap import IdentityAwareProxyAdminServiceClient
from google.iam.v1 import iam_policy_pb2, policy_pb2
from google.type import expr_pb2

client = IdentityAwareProxyAdminServiceClient()
resource_name = "projects/my-project/iap_web/compute/services/my-service"

# Create conditional binding - only allow access during business hours
business_hours_condition = expr_pb2.Expr(
    title="Business hours only",
    description="Allow access only during business hours (9 AM to 5 PM UTC)",
    expression='''
        request.time.getHours() >= 9 && request.time.getHours() < 17
    '''
)

conditional_binding = policy_pb2.Binding(
    role="roles/iap.httpsResourceAccessor",
    members=["group:contractors@example.com"],
    condition=business_hours_condition
)

# Create policy with conditional binding
policy = policy_pb2.Policy(
    version=3,  # Version 3 required for conditions
    bindings=[conditional_binding]
)

set_request = iam_policy_pb2.SetIamPolicyRequest(
    resource=resource_name,
    policy=policy
)

result = client.set_iam_policy(request=set_request)
print("Set conditional IAM policy for business hours access")

Types

Request Types (from google.iam.v1)

class SetIamPolicyRequest:
    """Request message for SetIamPolicy."""
    resource: str  # Resource name
    policy: policy_pb2.Policy  # Policy to set
    update_mask: field_mask_pb2.FieldMask  # Optional mask for partial updates

class GetIamPolicyRequest:
    """Request message for GetIamPolicy."""
    resource: str  # Resource name
    options: GetPolicyOptions  # Optional policy options

class TestIamPermissionsRequest:
    """Request message for TestIamPermissions."""
    resource: str  # Resource name
    permissions: List[str]  # Permissions to test

Response Types (from google.iam.v1)

class TestIamPermissionsResponse:
    """Response message for TestIamPermissions."""
    permissions: List[str]  # Permissions the caller has

Policy Types (from google.iam.v1)

class Policy:
    """IAM policy definition."""
    version: int  # Policy language version
    bindings: List[Binding]  # Role bindings
    audit_configs: List[AuditConfig]  # Audit configuration
    etag: bytes  # Concurrency control

class Binding:
    """Associates members with a role."""
    role: str  # Role name (e.g., "roles/iap.httpsResourceAccessor")  
    members: List[str]  # Members (users, groups, service accounts)
    condition: expr_pb2.Expr  # Optional conditional expression

class AuditConfig:
    """Audit configuration for a service."""
    service: str  # Service name
    audit_log_configs: List[AuditLogConfig]  # Audit log configurations

class AuditLogConfig:
    """Configuration for audit logging."""
    log_type: LogType  # Type of audit log
    exempted_members: List[str]  # Members exempt from logging
    
    class LogType(Enum):
        LOG_TYPE_UNSPECIFIED = 0
        ADMIN_READ = 1
        DATA_WRITE = 2
        DATA_READ = 3

Common IAP Permissions

When using test_iam_permissions, these are common IAP permissions you might test:

  • iap.webServiceVersions.accessViaIAP: Access web application via IAP
  • iap.webServices.getIamPolicy: View IAM policy for web service
  • iap.webServices.setIamPolicy: Modify IAM policy for web service
  • iap.webTypes.getIamPolicy: View IAM policy for web resource type
  • iap.webTypes.setIamPolicy: Modify IAM policy for web resource type
  • iap.tunnelInstances.accessViaIAP: Access compute instance via IAP tunnel
  • iap.tunnelZones.getIamPolicy: View IAM policy for tunnel zone
  • iap.tunnelZones.setIamPolicy: Modify IAM policy for tunnel zone

Install with Tessl CLI

npx tessl i tessl/pypi-google-cloud-iap

docs

iam-policies.md

iap-admin.md

index.md

oauth-management.md

tile.json