Identity-Aware Proxy (IAP) establishes a central authorization layer for applications accessed over HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
IAP policies scale across your organization. You define access policies centrally and apply them to all of your applications and resources. When a dedicated team creates and enforces those policies, you protect the project from an incorrect policy definition or implementation in any individual application.
Use IAP
IAP works with signed headers or the App Engine standard environment Users API to secure your app. With IAP, you can set up group-based application access: a resource can be accessible to employees and inaccessible to contractors, or accessible only to a specific department.
IAP workflow
When an application or resource is protected by IAP, it can only be accessed through the proxy by principals (users) who hold the correct Identity and Access Management (IAM) role. When you grant a user access to an application or resource through IAP, they are subject to the fine-grained access controls implemented by the product in use, without requiring a VPN. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks before forwarding the request.
IAP on-premises workflow:
Besides on-premises applications reached through the IAP connector, IAP performs the same authentication and authorization checks for applications running on App Engine, Cloud Run, Compute Engine and GKE.
Spring Cloud GCP IAP Authentication
Cloud Identity-Aware Proxy (IAP) provides a security layer over applications deployed to Google Cloud.
The IAP starter uses Spring Security OAuth 2.0 Resource Server functionality to automatically extract user identity from the proxy-injected x-goog-iap-jwt-assertion HTTP header.
The token signature is verified against the public keys in the JWK registry, and the following claims are validated automatically:
- Issue time
- Expiration time
- Issuer
- Audience
The audience ("aud") validation is configured automatically when the application runs on App Engine Standard or App Engine Flexible. For other runtime environments, a custom audience must be provided through the spring.cloud.gcp.security.iap.audience property; if specified, it overrides the automatic App Engine audience detection. The audience is the string IAP puts in the token for your deployment: /projects/PROJECT_NUMBER/apps/PROJECT_ID for App Engine, and /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID for a Compute Engine or GKE backend service. Getting this value wrong is not a cosmetic error: a token minted for another IAP-protected backend in the same project would otherwise be accepted.
Maven Configuration
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-gcp-starter-security-iap</artifactId>
</dependency>
Gradle Configuration
dependencies {
    compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap'
}
These org.springframework.cloud coordinates, like the WebSecurityConfigurerAdapter used below, belong to the Spring Cloud GCP 1.x line; later releases publish the same starter under the com.google.cloud group.
Spring Configuration
spring.cloud.gcp.security.iap.registry= <URL of the JWK public key set used to verify the token signature; defaults to https://www.gstatic.com/iap/verify/public_key-jwk>
spring.cloud.gcp.security.iap.algorithm= <Signing algorithm of the JWT; defaults to ES256>
spring.cloud.gcp.security.iap.header= <Request header from which to extract the JWT; defaults to x-goog-iap-jwt-assertion>
spring.cloud.gcp.security.iap.issuer= <Expected JWT issuer; defaults to https://cloud.google.com/iap>
spring.cloud.gcp.security.iap.audience= <Expected JWT audience; no default, required outside App Engine>
Spring Security Configuration class
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfigurer extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only /urlsecret requires an authenticated principal; paths with no
                // matching rule (for example "/") are not protected by this configuration.
                .antMatchers("/urlsecret")
                .authenticated()
                .and()
            // Treat the IAP JWT as the bearer credential; the starter registers the
            // JwtDecoder and the claim validators described above.
            .oauth2ResourceServer()
                .jwt()
                .and()
            // Answer 403 rather than a WWW-Authenticate challenge when the token is
            // missing or invalid: the client cannot obtain an IAP token itself, the proxy injects it.
            .authenticationEntryPoint(new Http403ForbiddenEntryPoint());
    }
}
Test and Run
You can exercise the configuration with curl against the paths defined in the code above.
This works and prints "No secrets here", because "/" has no authorization rule:
>> curl localhost:8080/
This is rejected with a 403 "Access Denied", because the request carries no x-goog-iap-jwt-assertion header and the entry point returns 403:
>> curl localhost:8080/urlsecret
A local curl cannot produce a passing request: a valid token can only be minted by IAP, so /urlsecret is reachable only through the proxy. That is also the deployment rule to keep in mind: the JWT check protects the application only if the backend itself is not reachable except through IAP (for example by firewall rules on Compute Engine), since a client that reaches the backend directly bypasses the proxy and can set any header it likes.