Skip to main content

Technical Setup

Identity-Aware Proxy Setup

Google Cloud Platform (GCP) provides the Identity-Aware Proxy (IAP) service to manage user access to web applications and resources hosted on Google Cloud.

To set up IAP:

  1. Create a project in GCP.
  2. Create an HTTPS Load Balancer.
    1. From Load Balancing, select From internet to my VMs or serverless services and Global HTTP(S) Load Balancer (classic).
    2. From Backend Configuration, create a Backend Service.
    3. Choose the corresponding Backend Type. If DataChat is deployed on Google Cloud, choose the appropriate backend type for the host(GCE, App Engine, etc.).
    4. Set the protocol to HTTPS.
    5. Save the backend for backend configuration. If using Internet Backend Endpoint Group:
      1. Under Host and Path Rules select Advanced mode, then edit the host and path rule to point to the created backend.
      2. Open the Add-on Action section, and set the Host Rewrite to the URL where the endpoint points to.
    6. Under Frontend Configuration, set up HTTP and HTTPS for the same IP address, then point a domain to this IP. You need a certificate for the HTTPS configuration. You can use an existing certificate from your domain, generate a new one, or use a Google-managed one.
    7. Save the load balancer.
  3. Enable IAP for the backend service you created before.
    1. Once enabled, click the three dots, then click Get JWT Audience Code.
    2. You can provide access to users by selecting Backend, then clicking Add Principal. Enter the email addresses of the users you would like to add, then select All roles > Cloud IAP > IAP-secured Web App User.

Google Drive Authentication Setup

Work with your DataChat administrator to enable Google Drive authentication.

Add DataChat IP for Read-Only Databases

If you are working from DataChat's cloud platform (, connecting to a read-only database that's behind a firewall might require you to add the following IP addresses to your firewall's allowlist to allow DataChat to access your database:


Work with your organization's IT team to configure your firewall's allowlist.