Centralize access to your organization’s websites with Identity Aware Proxy (IAP)

Views: 24,611

Google Cloud Tech


Controlling access to websites and apps → goo.gle/2LVC0jD
Control access to your web sites with Identity-Aware Proxy → goo.gle/3o5x5cN
Most large organizations have multiple web systems, from public websites to internal tools used by employees, built on multiple technical platforms. Access control is often fragmented. But there is a better way. In this episode of Serverless Expeditions, we demo how to configure Identity Aware Proxy (IAP) on App Engine, allowing you to seamlessly and securely grant access to internal and external websites.
Timestamps:
1:00 Use cases supported by IAP
4:18 Architecture overview
10:20 Setting up public access
12:55 Setting up public access, but with authentication
18:10 Setting up access for employees only
21:15 Setting up access for employees on secure devices only
Check out more episodes of Serverless Expeditions → goo.gle/ServerlessExpeditions
Subscribe to get all the episodes as they come out → goo.gle/GCP
#ServerlessExpeditions #ServerlessExpeditionsExtended
Product: IAP, App Engine; fullname: Martin Omander, Charlie Engelke;

Comments: 78
@vibha7860 3 years ago
This sort of live demo and use-case based video tutorials are a lot better than definitions and documents. Thanks to the presenters for a clear and precise explanation.
@adeoke3086 3 years ago
This is how you enable people to learn. Fantastic explanation, with very realistic and valid questions, at a pace that the average person can understand. Keep up the good work!
@ThiliRocks 1 year ago
One of the best demos and explanatory videos out there from Google. This is an example of how demos should be. It really illustrates the capabilities of IAP with real world examples. Question Answer technique really helps.
@TheMomander 1 year ago
Thank you for the kind words. Happy to hear the video was helpful!
@giuseppepizzichemi5194 3 years ago
excellent exposure, clear, short and easy to reproduce. Thanks so much
@googlecloudtech 3 years ago
You're very welcome!
@josesanguino535 2 years ago
Thanks Martin/Charlie, for me, this is the best way to learn. Practical, easy, clear and short. Great.
@TheMomander 1 year ago
Happy to hear the video was useful to you José!
@MrRobinkv 2 years ago
Awesome, exact solution which I was looking for. Thank you gentlemen for publishing this in KZfaq !!!
@MatteoBucci95 3 years ago
I was just looking to complete my preparation for a GCP certification but wow, this is impressive!
@nicolasconnor8622 3 years ago
One of the best demos I've seen
@Babbili 1 year ago
Best video, I'll do that with Cloud Run and a Load Balancer to allow only our employees for an admin dashboard
@farrukhijaz 3 years ago
Best video I have seen on IAP👌
@googlecloudtech 3 years ago
Thanks!
@kevinfeng2027 2 years ago
fantastic presentation
@SumitKumar-rj5qr 1 year ago
Wow this is a great tutorial with an amazing real time example. Love it. Keep going
@revivalmink1078 3 years ago
Very well explained and articulated. Thanks!
@googlecloudtech 3 years ago
You're very welcome!
@ymartino1790 3 years ago
Thanks Charlie, great job in explaining those details. I needed this service about three months ago but I found it difficult to digest and understand all the info by just simply reading from IAP docs. This kind of ‘medium duration’ explainer video is what I really need to fully grasp the possible applicable use cases, not the one with the video title ‘in one minute’ explainer video. Thanks for uploading this, guys! 👏🏽
@TheMomander 3 years ago
We are happy the video was useful to you! If there are other areas where the docs are hard to digest and a video would help, please let us know!
@ymartino1790 3 years ago
@TheMomander Thanks for responding. Some of us (this includes me and my role in my company) would probably avoid reading the full doc about a certain topic whenever possible, since we intend to find answers, a (demonstrated) simple use case, and a practical ‘how to do it’ on the GCP console within the shortest amount of screen time possible, while most of the time we also tend to skip the overview, whitepapers, and NEXT session videos. This type of medium-duration explainer (with clickable timestamps) conveys and addresses what I need perfectly. If I may suggest, having this type of video episode added to the very first page of the corresponding doc (right below the overview section paragraph) would certainly help others absorb the info about the product/solution a lot faster, rather than asking readers to navigate from one page to another, where I personally find that my questions or ‘how to’ searches don’t always get answered easily 🙂
@charlieengelke 3 years ago
Thanks for your comment; it made my day.
@sholesshoe 3 years ago
This is a great tutorial!
@beckychiang2667 1 year ago
Very nice video!
@AnshumanKumar007 1 year ago
Pretty good. Much more engaging than the docs.
@TheMomander 1 year ago
We're happy to hear that you found the video useful, Anshuman!
@arbazhundekar3898 2 years ago
Can you please tell me if we can do a similar setup for Cloud Run for authentication purposes?
@saurabhdeshwar5693 2 years ago
Hey thanks for sharing the details. Though one question.. how IAP is making use of Identity platform as explained in flow diagram?
@TheMomander 1 year ago
The Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.
@ArsenioAguirrePonce 3 years ago
Hi, where can I find the sample code for web apps?
@user-bg1wj9fd3f 5 months ago
How does it differ from Identity Platform? When should I use IAP over Identity Platform?
@TheMomander 5 months ago
Use IAP if you have a predefined list of users who are allowed to use the application, for example employees in an organization. Use Identity Platform if you want new users to be able to sign up in the application.
@adityaguptai 3 years ago
Would love it if you could make something on Cloud Run best practices for production and some amazing use cases with Cloud Run
@charlieengelke 3 years ago
We'll take this into consideration. I can't make any promises, though!
@CharlesEngelke 3 years ago
@charlieengelke Okay, I can pretty much make a promise. It's being worked on, but it's a fairly long process.
@gauravbohra9104 3 years ago
Does IAP also provide for SaaS applications; those applications are deployed on internet?
@TheMomander 1 year ago
IAP is great if you know your users ahead of time. So it would work well for a SaaS application if it's a "high-touch" sales process where you sign a contract in a meeting with the customer, get the list of users, and have a few days to add the users to your system. If your SaaS application is self-serve, that is users can sign up themselves without your intervention, you are better off with Firebase Authentication or Cloud Identity Platform. Those tools don't require you to add users manually to your backend.
@TheMomander 1 year ago
By the way, the Cloud Run + IAP integration has launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.
@megairrational 3 years ago
@charlie, again a very useful and informative video. Many thanks! @martin, great product that simplifies our lives, making sure it is secure and reliable. One question, does IAP work with Cloud Run?
@charlieengelke 3 years ago
Thanks for the comment! You can use IAP with Cloud Load Balancer, and you can use load balancing with Cloud Run ( cloud.google.com/run/docs/using-gcp-services ). I haven't tried to use those two together, but it seems like it would work. But it's more complicated than just turning IAP on for Cloud Run.
@charlieengelke 3 years ago
@dSights "Expect" is a bit strong. "Hope for" maybe. We're looking into it.
@CharlesEngelke 3 years ago
@dSights Yes. We're putting one together. Production is a long process, so please be patient.
@CharlesEngelke 3 years ago
@dSights Coming soon (given that video production takes some time)!
@PS-cc3pz 3 years ago
@CharlesEngelke Hoping to see that demo soon. I've tried to set up the LB with IAP. Working fine with App Engine. But not with Cloud Run (Getting Forbidden Error). Not sure what is the missing piece.
@batisteo 3 years ago
I don’t know you but we have love for ancient maps in common!
@TheMomander 1 year ago
That's great to hear, Baptiste!
@HimanshuSharma-yn6dz 3 years ago
Hey, I have two services, one for frontend, the other one is for backend (API). Without IAP it's working as expected, and as I turn on IAP, I am facing an issue. Access to XMLHttpRequest at ‘hellow-dot-.appspot.com/' from origin ‘.appspot.com’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Any idea how to solve this? Thanks in advance
@TheMomander 1 year ago
When you say that you have "two services", does that mean two different Google Cloud projects? If so, I propose you put both the front-end and back-end in the same project to minimize CORS issues.
@nielskersic328 3 years ago
Really hope IAP will be made available for Cloud Run soon too
@charlieengelke 3 years ago
Me, too! I can think of lots of use cases.
@duylexuan1945 3 years ago
You can do a trick here. Using IAP with https Load Balancer (LB), and config the LB points to your application that is running on Cloud Run. I have tried and it works.
@googlecloudtech 3 years ago
Hi Niels, this is a great question and we actually answer it in our first episode of #AskGoogleCloud that’s premiering tomorrow March 12th at 10AM PT → goo.gle/3qDQEdy We’ll also have serverless experts who are going to be answering questions in real-time in the live chat. Drop by to ask your questions or say hello!
@TheMomander 1 year ago
@duylexuan1945 Well done! A simplified Cloud Run + IAP integration has now launched. See the video titled "Cloud Run user auth for internal apps" that was released recently.
@ferojmahmood9484 1 year ago
So this is just configuration in IAP for the website. No codes need to be implemented to send or verify JWT?
@TheMomander 1 year ago
Correct, IAP handles the login user interface and the token exchange. You may choose to verify the JWT header in your application code if you want to make sure that no-one has accidentally turned off IAP.
@ferojmahmood9484 1 year ago
@TheMomander How can I do that in the code? Can you show any example?
@TheMomander 1 year ago
@ferojmahmood9484 Search for "identity aware proxy securing your app with signed headers" and you will find the doc that describes how. (KZfaq will mark my comment as spam if I include a link 🙂)
@ferojmahmood9484 1 year ago
@TheMomander I found the code. My question is in a simple "Hello World project" where should I implement this code. When this code will be invoked? If IAP is disabled, who will send JWT token? I am not clear about that flow when the IAP is disabled by someone.
@TheMomander 1 year ago
@ferojmahmood9484 The JWT will be in the HTTP request header *x-goog-iap-jwt-assertion*. If you want to make sure that your fellow admins haven't turned off IAP, you can verify the JWT with a library in your preferred language or by calling the URL in the doc I linked to above. If you trust your fellow admins not to turn off IAP, you don't need to do this check.
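The check discussed in this thread, as an added example that is not from the video, the commenters or Google's documentation: a Node.js sketch that rejects any request whose `x-goog-iap-jwt-assertion` header is absent or fails verification, which is what the application sees when IAP has been turned off. The function names, the key map and the audience string are assumptions made for illustration; in a real deployment the key map is loaded from Google's published IAP public keys and the audience is your own project's value.

```javascript
const nodeCrypto = require('crypto');

const IAP_ISSUER = 'https://cloud.google.com/iap';
const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify the value of the x-goog-iap-jwt-assertion header.
// keysByKid: { kid: PEM public key } (assumed to be loaded from Google's published IAP keys).
// Throws on any failure, returns the verified claims otherwise.
function verifyIapJwt(token, keysByKid, expectedAudience, nowSec = Math.floor(Date.now() / 1000)) {
  // No header means the request did not pass through IAP (for example, IAP was turned off).
  if (typeof token !== 'string' || token.length === 0) throw new Error('missing IAP assertion');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const header = b64urlJson(parts[0]);
  // Pin the algorithm: IAP signs with ES256, so the token's "alg" never selects the verifier.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const pem = Object.prototype.hasOwnProperty.call(keysByKid, header.kid) ? keysByKid[header.kid] : null;
  if (!pem) throw new Error('unknown key id');
  const ok = nodeCrypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key: pem, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = b64urlJson(parts[1]);
  if (claims.iss !== IAP_ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== expectedAudience) throw new Error('wrong audience');
  const skew = 30; // seconds of tolerated clock drift
  if (typeof claims.exp !== 'number' || claims.exp < nowSec - skew) throw new Error('expired');
  if (typeof claims.iat !== 'number' || claims.iat > nowSec + skew) throw new Error('issued in the future');
  return claims;
}

// Constructed fixture for offline testing: a throwaway P-256 key stands in for Google's signing key.
function makeSampleToken(privateKey, kid, claims, alg = 'ES256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const signingInput = enc({ alg, typ: 'JWT', kid }) + '.' + enc(claims);
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return signingInput + '.' + sig.toString('base64url');
}

// Returns the signed-in user's email for a request's headers, or null when access must be denied.
function authenticatedEmail(headers, keysByKid, audience, nowSec) {
  try {
    return verifyIapJwt(headers['x-goog-iap-jwt-assertion'], keysByKid, audience, nowSec).email;
  } catch (err) {
    return null;
  }
}
```

Calling `authenticatedEmail` first in every request handler means a request that arrives without the header is denied rather than served, which answers the "who sends the JWT when IAP is disabled" question: nobody does.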
@teodoropacol7921 3 years ago
System.out.activation=("IAP")
@MuhammadAmjad-qz1ik 3 years ago
Sir memory full help me please
@Encore555 2 years ago
already watched.
@katehillier1027 3 years ago
We the public have 300 unknowns on our Gmail account, we are not accorded the same respect.
@TheMomander 3 years ago
Kate, would you mind explaining what you mean by "300 unknowns" on your GMail account? What problem are you trying to solve?
@katehillier1027 3 years ago
300 third party advertisers apps on Gmail accounts. As a user I have no idea who they are and there are too many of them. Google dealing with this? Protesting! Right of reply is impossible with Google.
@katehillier1027 3 years ago
Privacy for corporations, open season and free for all on non infrastructure protected users.
@katehillier1027 3 years ago
Google identity says it all.
@marceloengecom 1 year ago
This solution work to all websites? like a squid web proxy? I want a solution to integrate with google secure ldap (Google Workspace)
@TheMomander 1 year ago
You'd run squid on a Compute Engine virtual machine? You can put IAP in front of Compute Engine. Search for the article "Setting up IAP for Compute Engine". But I'm afraid I haven't done this myself because I usually lean on a serverless platform for proxying and caching.