- GCP project: project-id-1234
- GAE region: asia-northeast1

1. Set up environment variables.

       export PROJECT=project-id-1234
       export REGION=asia-northeast1

2. Set up your gcloud configuration.

       gcloud config configurations create iap-user-profile
       gcloud config set project $PROJECT

3. Create the GAE application.

       gcloud app create --region=$REGION

4. Enable the required APIs.

       gcloud services enable \
           iap.googleapis.com \
           secretmanager.googleapis.com \
           cloudresourcemanager.googleapis.com \
           people.googleapis.com

5. Deploy this sample application. It will become the default service.

   Note: IAP can only be enabled once a service is already deployed in GAE.

       cd professional-services/examples/iap-user-profile/
       gcloud app deploy --quiet

6. Configure the OAuth consent screen at the link below.
   https://console.cloud.google.com/apis/credentials/consent?project=project-id-1234

   - Choose Internal for the User Type, then click Create.
   - Type in the Application name, e.g. IAP User Profile Example.
   - Choose the appropriate Support email. Alternatively, you can leave it set to your own email.
   - Fill in the Authorized domains based on your GAE application domain, e.g. project-id-1234.an.r.appspot.com
   - Click Save.

7. Enable IAP for the App Engine app at the link below. Toggle on the button and then click Turn On.
   https://console.cloud.google.com/security/iap?project=project-id-1234

8. Add an IAM policy binding to the IAP-enabled App Engine application. Register your user email to grant it access to the application.

       gcloud iap web add-iam-policy-binding --resource-type=app-engine \
           --member='user:your-user@domain.com' \
           --role='roles/iap.httpsResourceAccessor'

9. Create new credentials at the link below. This credential will be used by the OAuth2 login flow to retrieve the user profile.
   https://console.cloud.google.com/apis/credentials?project=project-id-1234

   - Click Create Credentials. Choose OAuth client ID.
   - Choose Web application for the Application type.
   - Type in IAP User Profile Svc for the Name.
   - Fill in the Authorized JavaScript origins.
   - Fill in the Authorized redirect URIs.
   - Click Create.
   - Click the newly created IAP User Profile Example credential and then click the Download JSON button. You'll need to paste the JSON content later as the secret value in Secret Manager.

10. Create a secret in Secret Manager named iap-user-profile-svc-oauth2-client with the client credential JSON file as the value.

        gcloud secrets create iap-user-profile-svc-oauth2-client \
            --locations=asia-southeast1 --replication-policy=user-managed \
            --data-file=/path-to/client_secret.json

11. Add an IAM policy binding on the secret for the GAE default service account.

        gcloud secrets add-iam-policy-binding iap-user-profile-svc-oauth2-client \
            --member='serviceAccount:project-id-1234@appspot.gserviceaccount.com' \
            --role='roles/secretmanager.secretAccessor'

12. Access the application in your browser.
    https://project-id-1234.an.r.appspot.com/

    Note: If you are accessing it for the first time, it may take some time before the policy takes effect. Retry several times until you are prompted with the OAuth login screen.

13. You will be prompted for OAuth login one more time. This is intended, since this scope is going to be used to access your People API.

14. You should be able to see your user profile displayed on the web page.
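The steps above hand a downloaded OAuth client JSON to Secret Manager and grant access with hand-typed IAM members, which is where quoting slips (a stray space inside `user: ...`) and wrong client types usually go unnoticed until the login flow fails. The following pre-flight helper is an added example, not code from the professional-services repository: it validates the client-secret file against the GAE host (assuming the standard `{"web": {...}}` layout Google produces for a Web application client), rejects malformed IAM members, and renders the gcloud commands from steps 2 to 11 with correct shell quoting. The sample JSON is constructed with placeholder values, and the function names are this example's own.

```python
"""Pre-flight checks and command builder for the IAP user-profile setup.

Added example; not part of the professional-services sample application.
"""
import json
import re
import shlex
from typing import List

# Constructed sample resembling a downloaded "Web application" OAuth client
# JSON. All values are placeholders, not real credentials.
SAMPLE_CLIENT_SECRET = json.dumps({
    "web": {
        "client_id": "000000000000-example.apps.googleusercontent.com",
        "project_id": "project-id-1234",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "client_secret": "PLACEHOLDER-CLIENT-SECRET",
        "redirect_uris": ["https://project-id-1234.an.r.appspot.com/oauth2callback"],
        "javascript_origins": ["https://project-id-1234.an.r.appspot.com"],
    }
})

# IAM member syntax accepted by the two add-iam-policy-binding steps above.
# No whitespace is allowed anywhere, so "user: someone@domain.com" is rejected.
MEMBER_RE = re.compile(r"^(user|group|serviceAccount):[^\s@]+@[^\s@]+$")


def validate_member(member: str) -> bool:
    """Return True when the member string is well-formed for gcloud."""
    return bool(MEMBER_RE.match(member))


def validate_client_secret(text: str, app_host: str) -> List[str]:
    """Return the problems found in a client-secret JSON; an empty list means OK.

    Checks that the file is a 'web' client, carries a non-empty id and secret,
    and that every redirect URI and JavaScript origin is https on the GAE host.
    """
    problems: List[str] = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    web = doc.get("web") if isinstance(doc, dict) else None
    if not isinstance(web, dict):
        return ["missing top-level 'web' object (wrong client type?)"]
    for key in ("client_id", "client_secret"):
        if not web.get(key):
            problems.append(f"'{key}' is missing or empty")
    for field in ("redirect_uris", "javascript_origins"):
        values = web.get(field) or []
        if not values:
            problems.append(f"'{field}' is empty")
        for url in values:
            match = re.match(r"^https://([^/]+)", url)
            if not match:
                problems.append(f"{field}: {url!r} is not an https URL")
            elif match.group(1) != app_host:
                problems.append(f"{field}: {url!r} is not on {app_host}")
    return problems


def build_commands(project: str, region: str, member: str, secret_name: str,
                   secret_file: str, secret_location: str) -> List[List[str]]:
    """Return the gcloud invocations from steps 2-11 as argv lists."""
    if not validate_member(member):
        raise ValueError(f"malformed IAM member: {member!r}")
    gae_sa = f"serviceAccount:{project}@appspot.gserviceaccount.com"
    return [
        ["gcloud", "config", "set", "project", project],
        ["gcloud", "app", "create", f"--region={region}"],
        ["gcloud", "services", "enable", "iap.googleapis.com",
         "secretmanager.googleapis.com", "cloudresourcemanager.googleapis.com",
         "people.googleapis.com"],
        ["gcloud", "app", "deploy", "--quiet"],
        ["gcloud", "iap", "web", "add-iam-policy-binding",
         "--resource-type=app-engine", f"--member={member}",
         "--role=roles/iap.httpsResourceAccessor"],
        ["gcloud", "secrets", "create", secret_name,
         f"--locations={secret_location}", "--replication-policy=user-managed",
         f"--data-file={secret_file}"],
        ["gcloud", "secrets", "add-iam-policy-binding", secret_name,
         f"--member={gae_sa}", "--role=roles/secretmanager.secretAccessor"],
    ]


def render_script(commands: List[List[str]]) -> str:
    """Join argv lists into shell lines with proper quoting (shlex.join)."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    host = "project-id-1234.an.r.appspot.com"
    for problem in validate_client_secret(SAMPLE_CLIENT_SECRET, host):
        print("client_secret.json:", problem)
    print(render_script(build_commands(
        "project-id-1234", "asia-northeast1", "user:your-user@domain.com",
        "iap-user-profile-svc-oauth2-client", "/path-to/client_secret.json",
        "asia-southeast1")))
```

Run the checks against the real downloaded file before step 10 by reading it into `validate_client_secret`; a non-empty result usually means the wrong client type was created or the redirect URI points somewhere other than the IAP-protected app host.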