Secure Streamlit.io running on Google Cloud Kubernetes
In a previous post I wrote a tutorial on how to create a container for a Streamlit application, deploy it to Google Cloud Registry, build a Kubernetes cluster, deploy the application to the newly created cluster, create a GLSB, and secure it with SSL – wow.
In this post, I will walk you through on how to secure the application running on Kubernetes with Google Cloud Identity–Aware Proxy (IAP). If you want to learn how to deploy the application first please visit Run Streamlist.io on Google Cloud Kubernetes then come back to secure it.
What is Google Cloud Identity–Aware Proxy (IAP)?
Identity-Aware Proxy (IAP) can help you control access to your cloud and on-prem applications and VMs running on Google Cloud Platform (GCP). In our use case will secure the Streamlit.io application running on Kubernetes.
Demo
Authentication Disabled: https://stream.ruicosta.blog/
Authentication Enabled: https://secure.ruicosta.blog/
Configure IAP
Before we enable authentication, we will need to create an OAuth consent screen. The consent screen tells your users who is requesting access to their data and what kind of data you’re asking to access.
From the Google Cloud console go to the Navigation Menu > APIs & Services > OAuth Consent screen
Fill in the required details, below is a sample of mine.
Enable IAP
To use IAP we need to enable it, from the Google Cloud console go to the Navigation Menu > Security > Identity-Aware Proxy
Click Enable API
Once it completes click GO TO IDENTITY-AWARE PROXY
The screen should look similar to the one below. Keep in mind I have two applications deployed. One has Authentication Disabled and the other has Authentication Enabled.
Toggle the IAP button to enable IAP for your application version.
If you see a warning go ahead click on the warning and read the suggestions for the firewall rules. In my case, I did not need to change anything since it was internal ranges that could bypass IAP. After a few minutes revisit the website, you should get prompted to authenticate. Whichever account you use it will fail since we have not authorized any users.
Add authorized users
From the Google Cloud console go to the Navigation Menu > Security > Identity-Aware Proxy.
Click the checkbox next to the service you want to add users to. This will open a panel to the right. From here click ADD MEMBER
Add the user based on their email address and choose the IAP-secured Web App User
It should look like my sample below.
Visit your secure website, you should be prompted to Sign in. Sign in with the user you added as a member to IAP-secured Web App User.
If you followed along with our Streamlit.io application you should now see the application running.
You will also notice your Response Cookies now have GCP_IAP which allows you to get the user email address, name and also do further validation if required.
Thank you and let me know if you run into any issues.