Technical Setup
Identity-Aware Proxy Setup
Google Cloud Platform (GCP) provides the Identity-Aware Proxy (IAP) service to manage user access to web applications and resources hosted on Google Cloud.
To set up IAP:
- Create a project in GCP.
- Create an HTTPS Load Balancer.
- From Load Balancing, select From internet to my VMs or serverless services and Global HTTP(S) Load Balancer (classic).
- From Backend Configuration, create a Backend Service.
- Choose the corresponding Backend Type. If DataChat is deployed on Google Cloud, choose the appropriate backend type for the host (GCE, App Engine, etc.).
- Set the protocol to HTTPS.
- Save the backend to complete the backend configuration. If using an Internet Backend Endpoint Group:
- Under Host and Path Rules select Advanced mode, then edit the host and path rule to point to the created backend.
- Open the Add-on Action section, and set the Host Rewrite to the URL that the endpoint points to.
- Under Frontend Configuration, set up HTTP and HTTPS for the same IP address, then point a domain to this IP. You need a certificate for the HTTPS configuration. You can use an existing certificate from your domain, generate a new one, or use a Google-managed one.
- Save the load balancer.
- Enable IAP for the backend service you created before.
- Once enabled, click the three dots, then click Get JWT Audience Code.
- You can provide access to users by selecting Backend, then clicking Add Principal. Enter the email addresses of the users you would like to add, then select All roles > Cloud IAP > IAP-secured Web App User.
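The audience value returned by Get JWT Audience Code is what an application behind IAP compares with the aud claim of the signed JWT that IAP attaches to each forwarded request in the x-goog-iap-jwt-assertion header. The following Python sketch is an added example, not DataChat's or Google's code, showing the checks a backend applies to that header. It assumes the ES256 signature check is delegated to a caller-supplied hook (verify_signature, a hypothetical name), and the audience string and token used to exercise it are constructed.

```python
import base64
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
SKEW = 30  # seconds of clock drift tolerated (assumed value)

class IapTokenError(Exception):
    """The assertion must be rejected."""

def b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_iap_assertion(token, expected_audience, verify_signature, now=None):
    """Return the claims of an IAP-signed JWT or raise IapTokenError.
    verify_signature(signing_input, signature, kid) -> bool is a hypothetical
    hook; back it with an ES256 check against Google's published IAP keys."""
    now = time.time() if now is None else now
    try:
        head_seg, body_seg, sig_seg = (token or "").split(".")
        header, claims = json.loads(b64url(head_seg)), json.loads(b64url(body_seg))
        signature = b64url(sig_seg)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise IapTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IapTokenError("malformed token")
    # Pin the algorithm before checking the signature: rejects "none" and HS256.
    if header.get("alg") != "ES256" or not isinstance(header.get("kid"), str):
        raise IapTokenError("unexpected alg or missing kid")
    if not verify_signature(f"{head_seg}.{body_seg}".encode(), signature, header["kid"]):
        raise IapTokenError("bad signature")
    if claims.get("iss") != IAP_ISSUER:
        raise IapTokenError("wrong issuer")
    # Value from "Get JWT Audience Code": rejects tokens issued for another backend.
    if claims.get("aud") != expected_audience:
        raise IapTokenError("audience mismatch")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, (int, float)) for v in (iat, exp)):
        raise IapTokenError("missing iat/exp")
    if iat - SKEW > now or exp + SKEW < now:
        raise IapTokenError("not yet valid or expired")
    return claims

def sample_token(claims, alg="ES256"):
    """Constructed, unsigned token for exercising the checks offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": alg, "kid": "constructed-kid"}), enc(claims), "c2ln"])
```

A request that reaches the backend without this header, or with a token that fails any of these checks, did not pass through IAP for this backend service and should be refused.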
Google Drive Authentication Setup
Work with your DataChat administrator to enable Google Drive authentication.
Add DataChat IP for Read-Only Databases
If you are working from DataChat's cloud platform and connecting to a read-only database that's behind a firewall, you might need to add the following IP addresses to your firewall's allowlist so that DataChat can access your database:
- 18.116.2.110
- 3.130.35.228
Work with your organization's IT team to configure your firewall's allowlist.