Set up OAuth for Cloud IAP

Creating an OAuth client for Cloud IAP on Google Cloud Platform (GCP)

If you want to useCloud Identity-Aware Proxy (Cloud IAP)when deploying Kubeflow on GCP,then you must follow these instructions to create an OAuth client for usewith Kubeflow.

You can skip the instructions on this page if you want to use basicauthentication (username and password) with Kubeflow instead of Cloud IAP.Cloud IAP is recommended for production deployments or deployments with accessto sensitive data.

Follow the steps below to create an OAuth client ID that identifies Cloud IAPwhen requesting access to a user’s email account. Kubeflow uses the emailaddress to verify the user’s identity.

  • Set up your OAuth consent screen:

    • In the Application name box, enter the name of your application.The example below uses the name “Kubeflow”.
    • Under Support email, select the email address that you want to displayas a public contact. You must use either your email address or a GoogleGroup that you own.
    • If you see Authorized domains, enter
  1. <project>.cloud.goog
  1. - where <project> is your Google Cloud Platform (GCP) project ID.
  2. - If you are using your own domain, such as **acme.com**, you should addthat as well
  3. - The **Authorized domains** option appears only for certain projectconfigurations. If you dont see the option, then theres nothing youneed to set.
  • Click Save.

  • Here’s an example of the completed form:OAuth consent screen

  • On the credentials screen:

    • Click Create credentials, and then click OAuth client ID.
    • Under Application type, select Web application.
    • In the Name box enter any name for your OAuth client ID. This is _not_the name of your application nor the name of your Kubeflow deployment. It’sjust a way to help you identify the OAuth client ID.
  • Click Create. A dialog box appears, like the one below:

OAuth consent screen

  • Copy the client ID shown in the dialog box, because you need the clientID in the next step.

  • On the Create credentials screen, find your newly created OAuthcredential and click the pencil icon to edit it:

OAuth consent screen

  • In the Authorized redirect URIs box, enter the following (if it’s notalready present in the list of authorized redirect URIs):
  1. https://iap.googleapis.com/v1/oauth/clientIds/<CLIENT_ID>:handleRedirect
  • <CLIENT_ID> is the OAuth client ID, something likeXXX.apps.googleusercontent.com. Do not include the angle brackets aroundthe client ID.
  • Note that the URI is not dependent on the Kubeflow deployment or endpoint.Multiple Kubeflow deployments can share the same OAuth client without theneed to modify the redirect URIs.
    • Press Enter/Return to add the URI. Check that the URI now appears asa confirmed item under Authorized redirect URIs. (The URI should no longer beeditable.)

Here’s an example of the completed form:OAuth credentials

  • Click Save.

  • Make note that you can find your OAuth client credentials in the credentialssection of the GCP Console. You need to retrieve the client ID andclient secret later when you’re ready to enable Cloud IAP.

Next steps

Choose one of the following ways to deploy Kubeflow:

  • Using the UI. This option provides a simpleway to deploy Kubeflow.
  • Using the CLI. This option provides morecontrol over the deployment process.