These are the steps to Setting up Cloud IAP access:
1.Go to the Identity-Aware Proxy page.
2.On the right side panel, next to Access, click Add.
3.In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web
App
4.User role for the project. Members can be:
a.Google Accounts: user@gmail.com
b.Google Groups:
admins@googlegroups.com
c.Service accounts:
server@example.gserviceaccount.com
d.G Suite domains: example.com
Can IAP support "application" instead of "users"? Yes, IAP member can be a service account.
A service account is a special kind of account that belongs to an
application or a virtual machine (VM) instance, not a person.
Applications use service accounts to make authorized API calls.
You can find detailed explanation Enabling Cloud IAP ,Service accounts.