April 29, 2020

Secure Streamlit.io running on Google Cloud Kubernetes

By Rui Costa

In a previous post I wrote a tutorial on how to create a container for a Streamlit application, deploy it to Google Cloud Registry, build a Kubernetes cluster, deploy the application to the newly created cluster, create a GLSB, and secure it with SSL – wow.

In this post, I will walk you through on how to secure the application running on Kubernetes with Google Cloud IdentityAware Proxy (IAP).  If you want to learn how to deploy the application first please visit Run Streamlist.io on Google Cloud Kubernetes then come back to secure it.

What is Google Cloud IdentityAware Proxy (IAP)?

Identity-Aware Proxy (IAP) can help you control access to your cloud and on-prem applications and VMs running on Google Cloud Platform (GCP). In our use case will secure the Streamlit.io application running on Kubernetes.


Authentication Disabled: https://stream.ruicosta.blog/

Authentication Enabled: https://secure.ruicosta.blog/

Configure IAP

Before we enable authentication, we will need to create an OAuth consent screen. The consent screen tells your users who is requesting access to their data and what kind of data you’re asking to access.

From the Google Cloud console go to the Navigation Menu > APIs & Services > OAuth Consent screen

Fill in the required details, below is a sample of mine.

Enable IAP

To use IAP we need to enable it, from the Google Cloud console go to the Navigation Menu > Security > Identity-Aware Proxy

Click Enable API

Once it completes click GO TO IDENTITY-AWARE PROXY

The screen should look similar to the one below. Keep in mind I have two applications deployed. One has Authentication Disabled and the other has Authentication Enabled.

Toggle the IAP button to enable IAP for your application version.

If you see a warning go ahead click on the warning and read the suggestions for the firewall rules. In my case, I did not need to change anything since it was internal ranges that could bypass IAP. After a few minutes revisit the website, you should get prompted to authenticate. Whichever account you use it will fail since we have not authorized any users.

Add authorized users

From the Google Cloud console go to the Navigation Menu > Security > Identity-Aware Proxy.

Click the checkbox next to the service you want to add users to. This will open a panel to the right. From here click ADD MEMBER

Add the user based on their email address and choose the IAP-secured Web App User

It should look like my sample below.

Visit your secure website, you should be prompted to Sign in. Sign in with the user you added as a member to IAP-secured Web App User.

If you followed along with our Streamlit.io application you should now see the application running.

You will also notice your Response Cookies now have GCP_IAP which allows you to get the user email address, name and also do further validation if required.

Thank you and let me know if you run into any issues.