feat: Identity-aware Proxy (IAP) released a feature Use IAP with Workforce Identity Federation(https://cloud.google.com/iap/docs/use-workforce-identity-federation) at Feb 7, 2025. Two settings field are newly introduced in the feature release: workforce_identity_settings and identity_sources

Google APIs · copybara-github · commit 81dd948a70ad · 2025-04-09T13:56:44.000-07:00
docs: A comment for field `name` in message `.google.cloud.iap.v1.TunnelDestGroup` is changed

docs: A comment for field `cidrs` in message `.google.cloud.iap.v1.TunnelDestGroup` is changed

docs: A comment for field `fqdns` in message `.google.cloud.iap.v1.TunnelDestGroup` is changed

docs: Mark `access_settings` in message `.google.cloud.iap.v1.IapSettings` as optional

docs: Mark `application_settings` in message `.google.cloud.iap.v1.IapSettings` as optional

docs: Mark `gcip_settings` in message `.google.cloud.iap.v1.AccessSettings` as optional

docs: Mark `cors_settings` in message `.google.cloud.iap.v1.AccessSettings` as optional

docs: Mark `oauth_settings` in message `.google.cloud.iap.v1.AccessSettings` as optional

docs: Mark `reauth_settings` in message `.google.cloud.iap.v1.AccessSettings` as optional

docs: Mark `allowed_domains_settings` in message `.google.cloud.iap.v1.AccessSettings` as optional

docs: Mark `tenant_ids` in message `.google.cloud.iap.v1.GcipSettings` as optional

docs: Mark `programmatic_clients` in message `.google.cloud.iap.v1.OAuthSettings` as optional

docs: A comment for enum `PolicyType` is changed

docs: Mark `method` in message `.google.cloud.iap.v1.ReauthSettings` as optional

docs: Mark `max_age` in message `.google.cloud.iap.v1.ReauthSettings` as optional

docs: Mark `policy_type` in message `.google.cloud.iap.v1.ReauthSettings` as optional

docs: Mark `enable` in message `.google.cloud.iap.v1.AllowedDomainsSettings` as optional

docs: Mark `domains` in message `.google.cloud.iap.v1.AllowedDomainsSettings` as optional

docs: Mark `csm_settings` in message `.google.cloud.iap.v1.ApplicationSettings` as optional

docs: Mark `access_denied_page_settings` in message `.google.cloud.iap.v1.ApplicationSettings` as optional

docs: Mark `attribute_propagation_settings` in message `.google.cloud.iap.v1.ApplicationSettings` as optional

docs: Mark `expression` in message `.google.cloud.iap.v1.AttributePropagationSettings` as optional

docs: Mark `output_credentials` in message `.google.cloud.iap.v1.AttributePropagationSettings` as optional

docs: Mark `enable` in message `.google.cloud.iap.v1.AttributePropagationSettings` as optional
PiperOrigin-RevId: 745722681
diff --git a/google/cloud/iap/v1/service.proto b/google/cloud/iap/v1/service.proto
@@ -98,6 +98,14 @@ service IdentityAwareProxyAdminService {
     };
   }
 
+  // Validates that a given CEL expression conforms to IAP restrictions.
+  rpc ValidateIapAttributeExpression(ValidateIapAttributeExpressionRequest)
+      returns (ValidateIapAttributeExpressionResponse) {
+    option (google.api.http) = {
+      post: "/v1/{name=**}:validateAttributeExpression"
+    };
+  }
+
   // Lists the existing TunnelDestGroups. To group across all locations, use a
   // `-` as the location ID. For example:
   // `/v1/projects/123/iap_tunnel/locations/-/destGroups`
@@ -342,19 +350,21 @@ message TunnelDestGroup {
     pattern: "projects/{project}/iap_tunnel/locations/{location}/destGroups/{dest_group}"
   };
 
-  // Required. Immutable. Identifier for the TunnelDestGroup. Must be unique
-  // within the project and contain only lower case letters (a-z) and dashes
-  // (-).
-  string name = 1 [
-    (google.api.field_behavior) = REQUIRED,
-    (google.api.field_behavior) = IMMUTABLE
-  ];
+  // Identifier. Identifier for the TunnelDestGroup. Must be unique within the
+  // project and contain only lower case letters (a-z) and dashes (-).
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 
-  // Unordered list. List of CIDRs that this group applies to.
-  repeated string cidrs = 2 [(google.api.field_behavior) = UNORDERED_LIST];
+  // Optional. Unordered list. List of CIDRs that this group applies to.
+  repeated string cidrs = 2 [
+    (google.api.field_behavior) = UNORDERED_LIST,
+    (google.api.field_behavior) = OPTIONAL
+  ];
 
-  // Unordered list. List of FQDNs that this group applies to.
-  repeated string fqdns = 3 [(google.api.field_behavior) = UNORDERED_LIST];
+  // Optional. Unordered list. List of FQDNs that this group applies to.
+  repeated string fqdns = 3 [
+    (google.api.field_behavior) = UNORDERED_LIST,
+    (google.api.field_behavior) = OPTIONAL
+  ];
 }
 
 // The request sent to GetIapSettings.
@@ -386,40 +396,67 @@ message IapSettings {
   // Required. The resource name of the IAP protected resource.
   string name = 1 [(google.api.field_behavior) = REQUIRED];
 
-  // Top level wrapper for all access related setting in IAP
-  AccessSettings access_settings = 5;
+  // Optional. Top level wrapper for all access related setting in IAP
+  AccessSettings access_settings = 5 [(google.api.field_behavior) = OPTIONAL];
 
-  // Top level wrapper for all application related settings in IAP
-  ApplicationSettings application_settings = 6;
+  // Optional. Top level wrapper for all application related settings in IAP
+  ApplicationSettings application_settings = 6
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Access related settings for IAP protected apps.
 message AccessSettings {
-  // GCIP claims and endpoint configurations for 3p identity providers.
-  GcipSettings gcip_settings = 1;
+  // Types of identity source supported by IAP.
+  enum IdentitySource {
+    // IdentitySource Unspecified.
+    // When selected, IAP relies on which identity settings are fully configured
+    // to redirect the traffic to. The precedence order is
+    // WorkforceIdentitySettings > GcipSettings. If none is set, default to use
+    // Google identity.
+    IDENTITY_SOURCE_UNSPECIFIED = 0;
+
+    // Use external identities set up on Google Cloud Workforce Identity
+    // Federation.
+    WORKFORCE_IDENTITY_FEDERATION = 3;
+  }
+
+  // Optional. GCIP claims and endpoint configurations for 3p identity
+  // providers.
+  GcipSettings gcip_settings = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Configuration to allow cross-origin requests via IAP.
+  CorsSettings cors_settings = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Settings to configure IAP's OAuth behavior.
+  OAuthSettings oauth_settings = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Configuration to allow cross-origin requests via IAP.
-  CorsSettings cors_settings = 2;
+  // Optional. Settings to configure reauthentication policies in IAP.
+  ReauthSettings reauth_settings = 6 [(google.api.field_behavior) = OPTIONAL];
 
-  // Settings to configure IAP's OAuth behavior.
-  OAuthSettings oauth_settings = 3;
+  // Optional. Settings to configure and enable allowed domains.
+  AllowedDomainsSettings allowed_domains_settings = 7
+      [(google.api.field_behavior) = OPTIONAL];
 
-  // Settings to configure reauthentication policies in IAP.
-  ReauthSettings reauth_settings = 6;
+  // Optional. Settings to configure the workforce identity federation,
+  // including workforce pools and OAuth 2.0 settings.
+  WorkforceIdentitySettings workforce_identity_settings = 9
+      [(google.api.field_behavior) = OPTIONAL];
 
-  // Settings to configure and enable allowed domains.
-  AllowedDomainsSettings allowed_domains_settings = 7;
+  // Optional. Identity sources that IAP can use to authenticate the end user.
+  // Only one identity source can be configured.
+  repeated IdentitySource identity_sources = 10
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Allows customers to configure tenant_id for GCIP instance per-app.
 message GcipSettings {
-  // GCIP tenant ids that are linked to the IAP resource.
+  // Optional. GCIP tenant ids that are linked to the IAP resource.
   // tenant_ids could be a string beginning with a number character to indicate
   // authenticating with GCIP tenant flow, or in the format of _<ProjectNumber>
   // to indicate authenticating with GCIP agent flow.
   // If agent flow is used, tenant_ids should only contain one single element,
   // while for tenant flow, tenant_ids can contain multiple elements.
-  repeated string tenant_ids = 1;
+  repeated string tenant_ids = 1 [(google.api.field_behavior) = OPTIONAL];
 
   // Login page URI associated with the GCIP tenants.
   // Typically, all resources within the same project share the same login page,
@@ -445,8 +482,36 @@ message OAuthSettings {
   // since access behavior is managed by IAM policies.
   google.protobuf.StringValue login_hint = 2;
 
-  // List of OAuth client IDs allowed to programmatically authenticate with IAP.
-  repeated string programmatic_clients = 5;
+  // Optional. List of client ids allowed to use IAP programmatically.
+  repeated string programmatic_clients = 5
+      [(google.api.field_behavior) = OPTIONAL];
+}
+
+// WorkforceIdentitySettings allows customers to configure workforce pools and
+// OAuth 2.0 settings to gate their applications using a third-party IdP with
+// access control.
+message WorkforceIdentitySettings {
+  // The workforce pool resources. Only one workforce pool is accepted.
+  repeated string workforce_pools = 1;
+
+  // OAuth 2.0 settings for IAP to perform OIDC flow with workforce identity
+  // federation services.
+  OAuth2 oauth2 = 2;
+}
+
+// The OAuth 2.0 Settings
+message OAuth2 {
+  // The OAuth 2.0 client ID registered in the workforce identity federation
+  // OAuth 2.0 Server.
+  string client_id = 1;
+
+  // Input only. The OAuth 2.0 client secret created while registering the
+  // client ID.
+  string client_secret = 2 [(google.api.field_behavior) = INPUT_ONLY];
+
+  // Output only. SHA256 hash value for the client secret. This field is
+  // returned by IAP when the settings are retrieved.
+  string client_secret_sha256 = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Configuration for IAP reauthentication policies.
@@ -468,7 +533,7 @@ message ReauthSettings {
     ENROLLED_SECOND_FACTORS = 4;
   }
 
-  // Type of policy in the case of hierarchial policies.
+  // Type of policy in the case of hierarchical policies.
   enum PolicyType {
     // Default value. This value is unused.
     POLICY_TYPE_UNSPECIFIED = 0;
@@ -481,42 +546,45 @@ message ReauthSettings {
     DEFAULT = 2;
   }
 
-  // Reauth method requested.
-  Method method = 1;
+  // Optional. Reauth method requested.
+  Method method = 1 [(google.api.field_behavior) = OPTIONAL];
 
-  // Reauth session lifetime, how long before a user has to reauthenticate
-  // again.
-  google.protobuf.Duration max_age = 2;
+  // Optional. Reauth session lifetime, how long before a user has to
+  // reauthenticate again.
+  google.protobuf.Duration max_age = 2 [(google.api.field_behavior) = OPTIONAL];
 
-  // How IAP determines the effective policy in cases of hierarchial policies.
-  // Policies are merged from higher in the hierarchy to lower in the hierarchy.
-  PolicyType policy_type = 3;
+  // Optional. How IAP determines the effective policy in cases of hierarchical
+  // policies. Policies are merged from higher in the hierarchy to lower in the
+  // hierarchy.
+  PolicyType policy_type = 3 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Configuration for IAP allowed domains. Lets you to restrict access to an app
 // and allow access to only the domains that you list.
 message AllowedDomainsSettings {
-  // Configuration for customers to opt in for the feature.
-  optional bool enable = 1;
+  // Optional. Configuration for customers to opt in for the feature.
+  optional bool enable = 1 [(google.api.field_behavior) = OPTIONAL];
 
-  // List of trusted domains.
-  repeated string domains = 2;
+  // Optional. List of trusted domains.
+  repeated string domains = 2 [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Wrapper over application specific settings for IAP.
 message ApplicationSettings {
-  // Settings to configure IAP's behavior for a service mesh.
-  CsmSettings csm_settings = 1;
+  // Optional. Settings to configure IAP's behavior for a service mesh.
+  CsmSettings csm_settings = 1 [(google.api.field_behavior) = OPTIONAL];
 
-  // Customization for Access Denied page.
-  AccessDeniedPageSettings access_denied_page_settings = 2;
+  // Optional. Customization for Access Denied page.
+  AccessDeniedPageSettings access_denied_page_settings = 2
+      [(google.api.field_behavior) = OPTIONAL];
 
   // The Domain value to set for cookies generated by IAP. This value is not
   // validated by the API, but will be ignored at runtime if invalid.
   google.protobuf.StringValue cookie_domain = 3;
 
-  // Settings to configure attribute propagation.
-  AttributePropagationSettings attribute_propagation_settings = 4;
+  // Optional. Settings to configure attribute propagation.
+  AttributePropagationSettings attribute_propagation_settings = 4
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Configuration for RCToken generated for service mesh workloads protected by
@@ -568,9 +636,9 @@ message AttributePropagationSettings {
     RCTOKEN = 3;
   }
 
-  // Raw string CEL expression. Must return a list of attributes. A maximum of
-  // 45 attributes can be selected. Expressions can select different attribute
-  // types from `attributes`: `attributes.saml_attributes`,
+  // Optional. Raw string CEL expression. Must return a list of attributes. A
+  // maximum of 45 attributes can be selected. Expressions can select different
+  // attribute types from `attributes`: `attributes.saml_attributes`,
   // `attributes.iap_attributes`. The following functions are supported:
   //
   //  - filter `<list>.filter(<iter_var>, <predicate>)`: Returns a subset of
@@ -596,19 +664,34 @@ message AttributePropagationSettings {
   //
   // Example expression: `attributes.saml_attributes.filter(x, x.name in
   // ['test']).append(attributes.iap_attributes.selectByName('exact').emitAs('custom').strict())`
-  optional string expression = 1;
+  optional string expression = 1 [(google.api.field_behavior) = OPTIONAL];
 
-  // Which output credentials attributes selected by the CEL expression should
-  // be propagated in. All attributes will be fully duplicated in each selected
-  // output credential.
-  repeated OutputCredentials output_credentials = 2;
+  // Optional. Which output credentials attributes selected by the CEL
+  // expression should be propagated in. All attributes will be fully duplicated
+  // in each selected output credential.
+  repeated OutputCredentials output_credentials = 2
+      [(google.api.field_behavior) = OPTIONAL];
 
-  // Whether the provided attribute propagation settings should be evaluated on
-  // user requests. If set to true, attributes returned from the expression will
-  // be propagated in the set output credentials.
-  optional bool enable = 3;
+  // Optional. Whether the provided attribute propagation settings should be
+  // evaluated on user requests. If set to true, attributes returned from the
+  // expression will be propagated in the set output credentials.
+  optional bool enable = 3 [(google.api.field_behavior) = OPTIONAL];
 }
 
+// Request sent to IAP Expression Linter endpoint.
+message ValidateIapAttributeExpressionRequest {
+  // Required. The resource name of the IAP protected resource.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. User input string expression. Should be of the form
+  // `attributes.saml_attributes.filter(attribute, attribute.name in
+  // ['{attribute_name}', '{attribute_name}'])`
+  string expression = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
+// IAP Expression Linter endpoint returns empty response body.
+message ValidateIapAttributeExpressionResponse {}
+
 // The request sent to ListBrands.
 message ListBrandsRequest {
   // Required. GCP Project number/id.
