Spring Cloud GCP IAP Authentication and Authorization 

Reading Time: 2 minutes

Identity-Aware Proxy (IAP) establish a central authorization layer for applications accessed by HTTPS, so we can use an application-level access control model instead of relying on network-level firewalls.

IAP policies scale across organization. We can define access policies centrally and apply them to all of applications and resources. When you assign a dedicated team to create and enforce policies, we protect project from incorrect policy definition or implementation in any application.


IAP works with signed headers or the App Engine standard environment Users API to secure app. With IAP, we can set up group-based application access: a resource could be accessible for employees and inaccessible for contractors, or only accessible to a specific department.

IAP working flow

When an application or resource is protected by IAP, it can only be accessed through the proxy by principals, also known as users, who have the correct Identity and Access Management (IAM) role. When grant a user access to an application or resource by IAP, they’re subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks.

IAP On-premises work flow:

Other than IAP performs authentication and authorization checks for App Engine, Cloud Run, Compute Engine and GKE.

Spring Cloud GCP IAP Authentication

Cloud Identity-Aware Proxy (IAP) provides a security layer over applications deployed to Google Cloud.

The IAP starter uses Spring Security OAuth 2.0 Resource Server functionality to automatically extract user identity from the proxy-injected x-goog-iap-jwt-assertion HTTP header.

The following claims are validated automatically:

  • Issue time
  • Expiration time
  • Issuer
  • Audience

The audience (“aud”) validation is automatically configured when the application is running on App Engine Standard or App Engine Flexible. For other runtime environments, a custom audience must be provided through spring.cloud.gcp.security.iap.audience property. The custom property, if specified, overrides the automatic App Engine audience detection.

Maven Configuration


Gradle Configuration

dependencies {
    compile group: 'org.springframework.cloud', name: 'spring-cloud-gcp-starter-security-iap'

Spring Configuration

spring.cloud.gcp.security.iap.registry= <Link to JWK public key registry>
spring.cloud.gcp.security.iap.algorithm= <Encryp algo used to sign the JWK token>
spring.cloud.gcp.security.iap.header= <Header from which to extract the JWK key>
spring.cloud.gcp.security.iap.issuer= <JWK issuer to verify>
spring.cloud.gcp.security.iap.audience= <Custom JWK audience to verify>

Spring Security Configuration class

public class SecurityConfigurer extends WebSecurityConfigurerAdapter {
  protected void configure(HttpSecurity http) throws Exception {
        .authenticationEntryPoint(new Http403ForbiddenEntryPoint());

Test and Run

We can try using curl against the paths made available in the above code snipped.

This will work, and print “No secrets here”:

>> curl localhost:8080/

This will not work, returning Access Denied:

>> curl localhost:8080/urlsecret

Written by 

Abid Khan is a Lead Consultant at Knoldus Inc., postgraduate (MCA), and having 5+ years of experience in JavaSE, JavaEE, ORM framework, Spring, Spring-boot, RESTful Web Services, Kafka, MQTT, Rabbitmq, Docker, Redis, MySQL, Maven, GIT, etc. He is a well-developed professional with a prolific track record of designing, testing, and monitoring software as well as upgrading the existing programs.