Skip to content

Launch from a web browser

Required roles

To follow the steps in this guide, you need the following roles:

  • IAP-Secured Tunnel User on the project or VM.

    You can launch IAP Desktop from within a web browser by using iap-rdp:/// links.

Enable the browser integration feature

The browser integration feature is disabled by default. To enable it, do the following:

  • Open IAP Desktop.
  • Go to Tools > Options
  • On the General tab, set Allow launching IAP Desktop from a web browser to enabled.

Connect by URL

You can now open IAP Desktop and connect to a VM by pointing your browser to a iap-rdp:/// URL such as:



  • project-id is the ID of the project, for example my-project-123.
  • zone-id is the ID of the zone a VM is running in, for example us-central1-a.
  • instance-name is the name of the VM instance, for example my-instance-1.

Instead of a triple-slash, you can also use a single slash: iap-rdp:/project-id/zone-id/instance-name.


Optionally, you can add additional parameters to the URL to customize the connection behavior:


The following parameters are supported:

Parameter Value
Username Windows username (SAM format)
Domain Domain (NetBIOS format)
RdpPort RDP port the server is listening on. Use this parameter if you've configured Windows to use a listening port other than 3389 .
ConnectionBar Controls whether the connection bar is shown in full-screen mode:
  • 0 - automatically hide (default)
  • 1 - pinned
  • 2 - off
DesktopSize Controls the remote desktop resolution/size:
  • 0 - same as client size
  • 1 - same as screen size
  • 2 - automatically adjust (default)
ColorDepth Controls the color depth of the remote desktop:
  • 0 - high color
  • 1 - true color (default)
  • 2 - deep color
AudioMode Controls how audio is played:
  • 0 - play locally (default)
  • 1 - play on server
  • 2 - do not play
RedirectClipboard Controls whether clipboard contents are shared with remote desktop:
  • 0 - disabled
  • 1 - enabled (default)
RdpRedirectPrinter Controls whether local printers are shared with remote desktop:
  • 0 - disabled (default)
  • 1 - enabled
RdpRedirectSmartCard Controls whether local smart cards are shared with remote desktop:
  • 0 - disabled (default)
  • 1 - enabled
RdpRedirectPort Controls whether local ports are shared with remote desktop:
  • 0 - disabled (default)
  • 1 - enabled
RdpRedirectDrive Controls whether local drives are shared with remote desktop:
  • 0 - disabled (default)
  • 1 - enabled
RdpRedirectDevice Controls whether local devices are shared with remote desktop:
  • 0 - disabled (default)
  • 1 - enabled
RdpHookWindowsKeys Controls whether the remote desktop handles Windows shortcuts (like Win+X):
  • 0 - never
  • 1 - always
  • 2 - only when set to full-screen (default)
CredentialGenerationBehavior Controls whether the user is offered to generate new credentials when connecting:
  • 0 - allow generating new credentials
  • 1 - allow generating new credentials if no existing credentials found (default)
  • 2 - do not allow generating new credentials
  • 3 - force user to generate new credentials
The parameter is ignored when you use CredentialCallbackUrl.
CredentialCallbackUrl Callback URL for Windows logon credentials. When provided, IAP Desktop sends an HTTP GET request to this URL and expects a response in the following format:
    Domain: "domain",
    User: "user",
    Password: "password"
IAP Desktop then uses these credentials to automatically log on the user. The response must use the content type application/json. Use URL signing or similar mechanisms to ensusre that callback URLs can only be retrieved once, or stay valid for a limited period of time only.


  • URLs can't contain Windows passwords. To automatically log on users, specify a CredentialCallbackUrl.
  • Connecting to VM instances from within a web browser is currently not supported for SSH.

What's next