This example demonstrates how to retrieve a user profile (e.g. name, photo) from an IAP-enabled GAE application.

This setup can be done from Cloud Shell. You need `Project Owner` permission to run this, e.g. for creating the GAE app.

The following setup assumes that you are setting up your new application GCP project based on the following:

- GCP project: `project-id-1234`
- GAE region: `asia-northeast1`
- Set up environment variables.

  ```sh
  export PROJECT=project-id-1234
  export REGION=asia-northeast1
  ```

- Set up your gcloud configuration.

  ```sh
  gcloud config configurations create iap-user-profile
  gcloud config set project $PROJECT
  ```

- Create the GAE application.

  ```sh
  gcloud app create --region=$REGION
  ```

- Enable the required APIs.

  ```sh
  gcloud services enable \
    iap.googleapis.com \
    secretmanager.googleapis.com \
    cloudresourcemanager.googleapis.com \
    people.googleapis.com
  ```

- Deploy this sample application. This will become the `default` service.
  Note: IAP can only be enabled when there is already a service deployed in GAE.

  ```sh
  cd professional-services/examples/iap-user-profile/
  gcloud app deploy --quiet
  ```

- Configure the `Consent Screen` at the link below.
  https://console.cloud.google.com/apis/credentials/consent?project=project-id-1234
  - Choose `Internal` for the `User Type`, then click `Create`.
  - Type in the `Application name`, e.g. IAP User Profile Example.
  - Choose the appropriate `Support email`. Alternatively, you can leave it to use your own email.
  - Fill in the `Authorized domains` based on your GAE application domain, e.g. `project-id-1234.an.r.appspot.com`.
  - Click `Save`.

- Enable IAP for the `App Engine app` at the link below. Toggle on the button and then click `Turn On`.
  https://console.cloud.google.com/security/iap?project=project-id-1234

- Add an IAM policy binding to the IAP-enabled App Engine application. Register your user email to access the application.

  ```sh
  gcloud iap web add-iam-policy-binding --resource-type=app-engine \
    --member='user:your-user@domain.com' \
    --role='roles/iap.httpsResourceAccessor'
  ```

- Create new `Credentials` at the link below. This credential will be used by the OAuth2 login flow to retrieve the user profile.
  https://console.cloud.google.com/apis/credentials?project=project-id-1234
  - Click `Create Credentials`. Choose `OAuth client ID`.
  - Choose `Web application` for the `Application type`.
  - Type in `IAP User Profile Svc` for the `Name`.
  - Fill in the `Authorized JavaScript origins`.
  - Fill in the `Authorized redirect URIs`.
  - Click `Create`.
  - Click the newly created `IAP User Profile Example` credential and then click the `Download JSON` button. You'll need this JSON file later as the value of a secret in Secret Manager.

- Create a secret in Secret Manager named `iap-user-profile-svc-oauth2-client` with the client credential JSON file as the value.

  ```sh
  gcloud secrets create iap-user-profile-svc-oauth2-client \
    --locations=asia-southeast1 --replication-policy=user-managed \
    --data-file=/path-to/client_secret.json
  ```

- Add an IAM policy binding to the secret for the GAE default service account.

  ```sh
  gcloud secrets add-iam-policy-binding iap-user-profile-svc-oauth2-client \
    --member='serviceAccount:project-id-1234@appspot.gserviceaccount.com' \
    --role='roles/secretmanager.secretAccessor'
  ```

- Access the application in your browser.
  Note: If you are accessing it for the first time, it may take some time before the policy takes effect. Retry several times until you are prompted with the OAuth login screen.
  https://project-id-1234.an.r.appspot.com/

- You will be prompted with the OAuth login one more time. This is intended, since the application uses this scope to access the People API on your behalf.

- You should be able to see your user profile displayed on the web page.
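How the deployed application can consume what this setup produces, as an added example that is not the sample's own code: it reads the client JSON from the Secret Manager secret created above, refuses to start the OAuth2 flow unless the authorized URIs in that JSON match the app's own https origin, and picks the name and photo out of the People API `people/me` response. The callback path `/oauth2callback` and the constructed client JSON are assumptions of this example.

```python
import json
from urllib.parse import urlparse

APP_ORIGIN = "https://project-id-1234.an.r.appspot.com"  # GAE app URL from the setup above
CALLBACK_PATH = "/oauth2callback"                         # assumed callback route of the app
SECRET_ID = "iap-user-profile-svc-oauth2-client"          # secret name from the setup above

# Constructed stand-in for the downloaded client_secret.json (real values are secrets).
SAMPLE_CLIENT_CONFIG = {"web": {
    "client_id": "1234.apps.googleusercontent.com", "client_secret": "constructed",
    "redirect_uris": [APP_ORIGIN + CALLBACK_PATH], "javascript_origins": [APP_ORIGIN]}}

def fetch_client_config(project, secret_id=SECRET_ID, version="latest"):
    """Read client_secret.json from Secret Manager (needs the secretAccessor binding)."""
    from google.cloud import secretmanager  # lazy import so the checks below run without it
    client = secretmanager.SecretManagerServiceClient()
    name = f"projects/{project}/secrets/{secret_id}/versions/{version}"
    return json.loads(client.access_secret_version(request={"name": name}).payload.data)

def validate_client_config(config, app_origin=APP_ORIGIN, callback_path=CALLBACK_PATH):
    """Refuse to start the login flow unless the JSON is a 'Web application'
    client whose authorized URIs are exactly this app's https origin."""
    web = config.get("web")
    if not web:
        raise ValueError("expected a 'web' client (Application type: Web application)")
    if not web.get("client_id") or not web.get("client_secret"):
        raise ValueError("client config is missing client_id or client_secret")
    app_host = urlparse(app_origin).netloc
    for uri in web.get("redirect_uris", []):
        parts = urlparse(uri)
        if parts.scheme != "https" or parts.netloc != app_host:
            raise ValueError(f"redirect URI is not on this app's https origin: {uri}")
    if app_origin + callback_path not in web.get("redirect_uris", []):
        raise ValueError(f"{app_origin + callback_path} is not an authorized redirect URI")
    if app_origin not in web.get("javascript_origins", []):
        raise ValueError(f"{app_origin} is not an authorized JavaScript origin")
    return web

def extract_profile(person):
    """Primary display name and photo URL from a People API people/me response
    (personFields=names,photos); a field is None when the account has no entry."""
    def primary(items):
        for item in items:
            if item.get("metadata", {}).get("primary"):
                return item
        return items[0] if items else None
    name, photo = primary(person.get("names", [])), primary(person.get("photos", []))
    return {"name": name.get("displayName") if name else None,
            "photo": photo.get("url") if photo else None}
```

`fetch_client_config` needs the `google-cloud-secret-manager` package and runs under the GAE default service account, which is why that account, and only that account, gets `roles/secretmanager.secretAccessor` on the secret.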