Identity-Aware Proxy Configuration


Identity-Aware Proxy (IAP) is a Google Cloud Platform service that provides access controls for https resources. IAP secures authentication for https requests and only grants access to users you authorize. This allows users to connect from untrusted networks without using a VPN.

Visulate for Oracle supports IAP via the Ingress component

Enable IAP

Make sure you have a valid TLS Certificate then follow the instructions in Enabling IAP for GKE and summarized below

Open the GCP console and navigate to the OAuth consent screen under APIs & Services

OAuth Consent Screen

Select internal as User Type and hit the Create button.

OAuth Consent Screen

Enter an App name and support email address then click Save.

Create OAuth credentials

Navigate to to the Credentials page under APIs & Services

OAuth Client Screen

Select Web application in the Application type drop down, supply an name and click Create. This will open a dialog showing a newly created OAuth client ID and secret.

OAuth Client Secret Screen

Copy the client ID to the clipboard and use the Download JSON link to save the credentials for later use.

OAuth Redirect URI

Add a universal redirect URL to the authorized redirect URIs field in the following format

where CLIENT_ID is the OAuth client ID you copied to the clipboard.

Setup IAP access

Navigate to the Identity-Aware Proxy page under Security. You should see 3 Visulate for Oracle services listed under Backend Services. These will be labeled with -api-svc, -sql-svc and -ui-svc suffixes as shown in the screenshot below. Select the checkboxes for each one and hit the Add Principal button on the right of the screen.

IAP Backend Service Selection

In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have access the the Visulate UI and APIs. Select IAP-secured Web App User in the Role field and hit Save

IAP Authorized Users


Create a Kubernetes secret

Use the client_id and client_secret values from the client_secret JSON file downloaded earlier

kubectl create secret generic visulate-iap-secret --namespace=catalog-ns \
    --from-literal=client_id=client_id_key \

Create a BackendConfig

Use a text editor to create a manifest file

vi iap-backend-config.yaml


kind: BackendConfig
  name: config-default
  namespace: catalog-ns
    enabled: true
      secretName: visulate-iap-secret

Apply the file to your cluster

kubectl apply -f iap-backend-config.yaml

Annotate Services

Navigate to the Services & Ingress page under Kubernetes Engine in the GCP console. For each service, hit the Edit button at the top of the page to access the YAML Editor. Add a annotation as shown below (note the “config-default” value matches the BackendConfig name in the previous step)

IAP Service Annotation


  annotations: '{"default": "config-default"}'

Complete this step for each Service (-api-svc, -sql-svc and -ui-svc)


Wait for the changes to take effect then open the Visulate UI in a new Incognito window. You should be required to authenticate with your Google credentials.