Google Identity-Aware Proxy Brand

This page shows how to write Terraform for Identity-Aware Proxy Brand and write them securely.

google_iap_brand (Terraform)

The Brand in Identity-Aware Proxy can be configured in Terraform with the resource name google_iap_brand. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub
resource "google_iap_brand" "project_brand" {
  support_email     = ""
  application_title = "Cloud IAP protected Application"
  project           = google_project_service.iap_service.project
resource "google_iap_brand" "project_brand" {
  support_email     = var.support_email
  application_title = var.application_name
  project           = module.project.project_id
resource "google_iap_brand" "oauth_consent_screen" {
  count             = var.create_brand ? 1 : 0
  support_email     = var.support_email
  application_title = var.application_title
  project           = var.project_id
resource "google_iap_brand" "project" {
  application_title = var.project_name
  project           = google_project.project.number
  support_email     = ""

  depends_on = [
resource "google_iap_brand" "main" {
  support_email     = var.email_address
  application_title = var.project_long_name
  project           = var.project_id
  depends_on        = [google_project_service.iap]

Review your Terraform file for Google best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).


Application name displayed on OAuth consent screen.

  • id optional computed - string
  • name optional computed - string

Output only. Identifier of the brand, in the format 'projects/[project_number]/brands/[brand_id]'. NOTE: The brand identification corresponds to the project number as only one brand per project can be created.

Whether the brand is only intended for usage inside the GSuite organization only.

Support email displayed on the OAuth consent screen. Can be either a user or group email. When a user email is specified, the caller must be the user with the associated email address. When a group email is specified, the caller can be either a user or a service account which is an owner of the specified group in Cloud Identity.

Explanation in Terraform Registry

OAuth brand data. Only "Organization Internal" brands can be created programmatically via API. To convert it into an external brands please use the GCP Console.

Note: Brands can only be created once for a Google Cloud project and the underlying Google API doesn't not support DELETE or PATCH methods. Destroying a Terraform-managed Brand will remove it from state but will not delete it from Google Cloud. To get more information about Brand, see:

Frequently asked questions

What is Google Identity-Aware Proxy Brand?

Google Identity-Aware Proxy Brand is a resource for Identity-Aware Proxy of Google Cloud Platform. Settings can be wrote in Terraform.

Where can I find the example code for the Google Identity-Aware Proxy Brand?

For Terraform, the wagsandre/tf-gke-playground, AndresRCB/gce-iap-demo and clementous92/ops-terraform-modules-resources2 source code examples are useful. See the Terraform Example section for further details.


Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.