diff --git a/iac/provider-gcp/main.tf b/iac/provider-gcp/main.tf index 5c2a35a59d..5a2655f0f7 100644 --- a/iac/provider-gcp/main.tf +++ b/iac/provider-gcp/main.tf @@ -203,6 +203,11 @@ module "cluster" { # ClickHouse stateful data disk clickhouse_stateful_disk_type = var.clickhouse_stateful_disk_type clickhouse_stateful_disk_size_gb = var.clickhouse_stateful_disk_size_gb + + # Nomad IAP + nomad_iap_oauth2_client_id = var.nomad_iap_oauth2_client_id + nomad_iap_oauth2_client_secret = var.nomad_iap_oauth2_client_secret + nomad_iap_members = var.nomad_iap_members } module "nomad" { diff --git a/iac/provider-gcp/nomad-cluster/main.tf b/iac/provider-gcp/nomad-cluster/main.tf index 33c04042b5..76204c7c7c 100644 --- a/iac/provider-gcp/nomad-cluster/main.tf +++ b/iac/provider-gcp/nomad-cluster/main.tf @@ -129,6 +129,10 @@ module "network" { cluster_tag_name = var.cluster_tag_name + nomad_iap_oauth2_client_id = var.nomad_iap_oauth2_client_id + nomad_iap_oauth2_client_secret = var.nomad_iap_oauth2_client_secret + nomad_iap_members = var.nomad_iap_members + labels = var.labels prefix = var.prefix } diff --git a/iac/provider-gcp/nomad-cluster/network/main.tf b/iac/provider-gcp/nomad-cluster/network/main.tf index 686aeb82af..d85f9078de 100644 --- a/iac/provider-gcp/nomad-cluster/network/main.tf +++ b/iac/provider-gcp/nomad-cluster/network/main.tf @@ -91,6 +91,10 @@ locals { port = var.nomad_port } groups = [{ group = var.server_instance_group }] + iap = var.nomad_iap_oauth2_client_id != null ? { + oauth2_client_id = var.nomad_iap_oauth2_client_id + oauth2_client_secret = var.nomad_iap_oauth2_client_secret + } : null } } health_checked_backends = { for backend_index, backend_value in local.backends : backend_index => backend_value } 
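Review bot: The `iap` object on the Nomad backend is attached whenever `nomad_iap_oauth2_client_id` is non-null, so a caller that sets the ID but not `nomad_iap_oauth2_client_secret` gets an IAP block with `oauth2_client_secret = null` and the failure only surfaces from the provider at apply time. Gating on both inputs here would instead silently leave the Nomad backend without IAP, which is the wrong direction to fail, so keep the gate as is and add a `lifecycle { precondition { ... } }` on the backend service resource (outside this hunk) with `condition = var.nomad_iap_oauth2_client_id == null || var.nomad_iap_oauth2_client_secret != null` and an error message naming both variables. A comment above `iap =` should also say that only the `nomad` entry of `local.backends` is IAP-protected; any other backends in that map are unchanged by this commit. The enclosing `locals` block begins before this hunk.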
@@ -369,11 +373,30 @@ resource "google_compute_backend_service" "default" { } } + dynamic "iap" { + for_each = lookup(each.value, "iap", null) != null ? [each.value.iap] : [] + content { + enabled = true + oauth2_client_id = iap.value["oauth2_client_id"] + oauth2_client_secret = iap.value["oauth2_client_secret"] + } + } + depends_on = [ google_compute_health_check.default ] } +# IAP IAM binding for Nomad backend +resource "google_iap_web_backend_service_iam_binding" "nomad_iap" { + count = var.nomad_iap_oauth2_client_id != null && length(var.nomad_iap_members) > 0 ? 1 : 0 + + project = var.gcp_project_id + web_backend_service = google_compute_backend_service.default["nomad"].name + role = "roles/iap.httpsResourceAccessor" + members = var.nomad_iap_members +} + resource "google_compute_health_check" "default" { for_each = local.health_checked_backends name = "${var.prefix}hc-${each.key}" diff --git a/iac/provider-gcp/nomad-cluster/network/variables.tf b/iac/provider-gcp/nomad-cluster/network/variables.tf index b2281046a1..1e69928c3e 100644 --- a/iac/provider-gcp/nomad-cluster/network/variables.tf +++ b/iac/provider-gcp/nomad-cluster/network/variables.tf @@ -113,3 +113,22 @@ variable "additional_api_paths_handled_by_ingress" { variable "ingress_timeout_seconds" { type = number } + +variable "nomad_iap_oauth2_client_id" { + description = "OAuth2 client ID for IAP on Nomad backend. If set, IAP will be enabled." + type = string + default = null +} + +variable "nomad_iap_oauth2_client_secret" { + description = "OAuth2 client secret for IAP on Nomad backend." + type = string + default = null + sensitive = true +} + +variable "nomad_iap_members" { + description = "List of members who can access the Nomad UI through IAP (e.g., ['user:admin@example.com', 'group:devs@example.com'])" + type = list(string) + default = [] +} diff --git a/iac/provider-gcp/nomad-cluster/variables.tf b/iac/provider-gcp/nomad-cluster/variables.tf index 6fccce0406..ab80e3dfc5 100644 
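Review bot: IAP on `google_compute_backend_service.default["nomad"]` only gates traffic that arrives through the load balancer, and Nomad does not verify the `x-goog-iap-jwt-assertion` header itself, so anyone who can reach the server instance group on `var.nomad_port` directly (from inside the VPC, or from the internet if the instances have external addresses) bypasses the new access control entirely. Nothing in this hunk constrains that path; unless a firewall rule elsewhere in this module already limits ingress on that port to Google's proxy and health-check ranges (130.211.0.0/22 and 35.191.0.0/16), that rule should land in the same change. Two smaller points on the IAM resource: `google_iap_web_backend_service_iam_binding` is authoritative for `roles/iap.httpsResourceAccessor` and will strip any member granted out of band, and with `count` dropping to 0 when `nomad_iap_members` is empty the backend is IAP-enabled with nobody admitted — fail-closed, but worth stating above the resource, e.g. `# Authoritative: members not listed here lose IAP access; an empty list leaves IAP enabled with no one admitted.`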
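Review bot: `nomad_iap_members` accepts any string, and a value of `allUsers` or `allAuthenticatedUsers` would grant `roles/iap.httpsResourceAccessor` to the public or to every Google account, turning IAP into a login page with no authorization. Add a `validation` block on the variable with `condition = alltrue([for m in var.nomad_iap_members : !contains(["allUsers", "allAuthenticatedUsers"], m)])` and `error_message = "nomad_iap_members must not contain allUsers or allAuthenticatedUsers."`, and optionally a second check that each entry starts with `user:`, `group:`, `serviceAccount:` or `domain:` so a bare e-mail address fails at plan time rather than at apply. The same three variables are repeated in the parent modules; the validation belongs here where the binding consumes the value, but copying it up keeps the error close to the caller.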
--- a/iac/provider-gcp/nomad-cluster/variables.tf
+++ b/iac/provider-gcp/nomad-cluster/variables.tf
@@ -392,3 +392,22 @@ variable "additional_api_paths_handled_by_ingress" {
 variable "ingress_timeout_seconds" {
 type = number
 }
+
+variable "nomad_iap_oauth2_client_id" {
+ description = "OAuth2 client ID for IAP on Nomad backend. If set, IAP will be enabled."
+ type = string
+ default = null
+}
+
+variable "nomad_iap_oauth2_client_secret" {
+ description = "OAuth2 client secret for IAP on Nomad backend."
+ type = string
+ default = null
+ sensitive = true
+}
+
+variable "nomad_iap_members" {
+ description = "List of members who can access the Nomad UI through IAP (e.g., ['user:admin@example.com', 'group:devs@example.com'])"
+ type = list(string)
+ default = []
+}
diff --git a/iac/provider-gcp/variables.tf b/iac/provider-gcp/variables.tf
index e5655c3f59..1df345da4e 100644
--- a/iac/provider-gcp/variables.tf
+++ b/iac/provider-gcp/variables.tf
@@ -783,3 +783,22 @@ variable "ingress_timeout_seconds" {
 type = number
 default = 80
 }
+
+variable "nomad_iap_oauth2_client_id" {
+ description = "OAuth2 client ID for IAP on Nomad backend. If set, IAP will be enabled."
+ type = string
+ default = null
+}
+
+variable "nomad_iap_oauth2_client_secret" {
+ description = "OAuth2 client secret for IAP on Nomad backend."
+ type = string
+ default = null
+ sensitive = true
+}
+
+variable "nomad_iap_members" {
+ description = "List of members who can access the Nomad UI through IAP (e.g., ['user:admin@example.com', 'group:devs@example.com'])"
+ type = list(string)
+ default = []
+}
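Review bot: `sensitive = true` on `nomad_iap_oauth2_client_secret` only redacts plan and apply output; the value is still written in plaintext to the Terraform state, as a root input and, unless the provider strips it, again on the backend service's `iap` block, so the description should say so and the state backend has to be treated as holding a credential. The description of `nomad_iap_oauth2_client_id` says "If set, IAP will be enabled", but the secret is required as well; suggest `description = "OAuth2 client ID for IAP on the Nomad backend. Set together with nomad_iap_oauth2_client_secret to enable IAP; leaving both null keeps the Nomad backend unprotected by IAP."` and, on the secret, `description = "OAuth2 client secret for IAP on the Nomad backend. sensitive = true redacts output only; the value is stored in plaintext in Terraform state."` These root-level definitions mirror the ones in nomad-cluster/ and nomad-cluster/network/, so any wording change should be applied to all three copies.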