Google Cloud IAP

1.21.0 verified Fri May 01 auth: no python

Python client library for Google Cloud Identity-Aware Proxy (IAP). Current version 1.21.0, requires Python >=3.9. Released as part of the google-cloud-python monorepo with regular updates.

pip install google-cloud-iap

Common errors

error ImportError: cannot import name 'iap' from 'google.cloud' ↓

cause Trying to import 'iap' directly from google.cloud instead of using the versioned subpackage.

fix

Use 'from google.cloud import iap_v1' or 'from google.cloud.iap_v1 import IdentityAwareProxyOAuthServiceClient'.

error google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes. ↓

cause Service account missing the IAP-secured Web App User role or not using OAuth2 tokens for IAP.

fix

Grant the service account roles/iap.httpsResourceAccessor on the App Engine or GKE resource, and use ID tokens (not access tokens) for IAP-authenticated requests.

Warnings

gotcha The library provides multiple subpackages (iap_v1, iap_v1beta1). Import the specific version you need, not the top-level 'iap' (which may not exist). ↓

fix Import from google.cloud.iap_v1 or google.cloud.iap_v1beta1 explicitly.

gotcha IAP client requires a service account with the 'IAP-secured Web App User' role. Without it, you'll get permission errors even with valid credentials. ↓

fix Ensure the service account has roles/iap.httpsResourceAccessor on the target IAP resource.

deprecated The google-cloud-iap library uses googleapis-common-protos and google-api-core; ensure they are up-to-date to avoid import errors. ↓

fix Update dependencies: pip install --upgrade google-cloud-iap googleapis-common-protos google-api-core

Imports

IdentityAwareProxyOAuthServiceClient
wrong
```
from google.cloud import iap
```
correct
```
from google.cloud.iap import IdentityAwareProxyOAuthServiceClient
```
Wrong: iap module is not a top-level attribute; use submodule path.

Quickstart

Initializes the IAP client using service account credentials.

from google.cloud import iap_v1
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('/path/to/key.json')
client = iap_v1.IdentityAwareProxyOAuthServiceClient(credentials=credentials)
print('Client created successfully')