Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how to enable Identity-Aware Proxy (IAP) for
a Google Cloud resource, using a Google-managed
OAuth client.
When enabling IAP on a resource using a Google-managed
OAuth client, only users within the organization in which the resource is
contained can access that resource. If you want to allow users outside of
the organization access to an IAP-enabled resource,enable
custom OAuth credentials.
Enable IAP for a new resource
New Google Cloud resources don't have IAP enabled.
Complete the following steps to enable IAP on a new resource.
In the list of resources, go to the settings of the resource for which you
want to configure custom OAuth credentials.
Select theEnable custom OAuth credentials to allow users outside of this
organization to access this applicationcheckbox.
In theOAuth configurationdialog, enter a client ID and secret.
Optional: To have a client ID and secret generated for you, clickAuto generate credentials.
You can download the client credentials to a CSV file, or delete the
credentials. After you save your changes, custom client credentials cannot
be retrieved, so we recommend that you save your credentials.
If you delete the credentials, the auto-generated OAuth client
is also deleted.
To save your changes, ClickSave. Saving your changes does not change
the IAP enabled state.
Change to a Google-managed OAuth client
You can change resources using a custom OAuth client to use a Google-managed
OAuth client by completing the following steps.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["# Enable IAP using a Google-managed OAuth client\n\nThis page describes how to enable Identity-Aware Proxy (IAP) for\na Google Cloud resource, using a Google-managed\nOAuth client.\n\nWhen enabling IAP on a resource using a Google-managed\nOAuth client, only users within the organization in which the resource is\ncontained can access that resource. If you want to allow users outside of\nthe organization access to an IAP-enabled resource, [enable\ncustom OAuth credentials](#custom-oauth-credentials).\n\nEnable IAP for a new resource\n-----------------------------\n\nNew Google Cloud resources don't have IAP enabled.\nComplete the following steps to enable IAP on a new resource.\n\n1. In the Google Cloud console, go to the IAP page.\n\n\n [Go to the IAP page](https://console.cloud.google.com/security/iap)\n2. Click the **Applications** tab.\n\n3. From the list of resources, select the resource for which you want to enable\n IAP.\n\n4. In the **IAP** column, click the toggle to the on position.\n\n5. For the **Turn on IAP** option, click **Turn on**.\n\nSet up custom OAuth credentials for a resource\n----------------------------------------------\n\nTo allow users outside of the organization access to an\nIAP-enabled resource, complete the following steps.\n\n1. In the Google Cloud console, go to the IAP page.\n\n\n [Go to the IAP page](https://console.cloud.google.com/security/iap)\n2. Click the **Applications** tab.\n\n3. In the list of resources, go to the settings of the resource for which you\n want to configure custom OAuth credentials.\n\n4. Select the **Enable custom OAuth credentials to allow users outside of this\n organization to access this application** checkbox.\n\n5. In the **OAuth configuration** dialog, enter a client ID and secret.\n\n6. Optional: To have a client ID and secret generated for you, click\n **Auto generate credentials**.\n\n You can download the client credentials to a CSV file, or delete the\n credentials. After you save your changes, custom client credentials cannot\n be retrieved, so we recommend that you save your credentials.\n\n If you delete the credentials, the auto-generated OAuth client\n is also deleted.\n7. To save your changes, Click **Save**. Saving your changes does not change\n the IAP enabled state.\n\nChange to a Google-managed OAuth client\n---------------------------------------\n\nYou can change resources using a custom OAuth client to use a Google-managed\nOAuth client by completing the following steps.\n\n1. In the Google Cloud console, go to the IAP page.\n\n\n [Go to the IAP page](https://console.cloud.google.com/security/iap)\n2. Click the **Applications** tab.\n\n3. In the list of resources, go to the settings of the resource for which you\n want to change to use a Google-managed OAuth client.\n\n4. Deselect the **Enable custom OAuth credentials to allow users outside of this\n organization to access this application** checkbox.\n\n5. Click **Save**."]]
