Randy L

Reputation: 14766

Identity Aware Proxy and App Engine Services, One Per Service?

Is it possible to put more fine-grained access control on AppEngine services using Google Cloud IAP (Identity Aware Proxy)?

I have two services, A and B. I want some users to be able to access A, and I would like to provide a different list of users who can access service B. I'd like to use IAP to control access.

Upvotes: 1

Views: 2122

Answers (4)

Alexei Masterov

Reputation: 462

I don't know if Google added this since the question was asked, but now it is possible to control access at the individual service level:


Just select the service in the IAP console, and add members to it. You can add allUsers to make the service public (like in this picture)

Upvotes: 5

Tony

Reputation: 1194

This is available now.

For each service configured for IAP, you can add and allow specific users to each resource or a selection of resources in the Info Panel.

Role: Cloud IAP > IAP-Secured Web App User


What is not available is enabling/disabling IAP per service.

Unfortunately once IAP is enabled for App Engine, it is enabled for all App Engine services, and you are therefore unable to have one public App Engine service and one IAP-fronted App Engine service.

Whereas IAP can be controlled per HTTPS load balancer.

Upvotes: 6

Mikael Gibert

Reputation: 355

Another way is to organize your applications under different projects.

Project A contains applications accessible to users in group A, Project B contains applications accessible to users in group B.

Upvotes: 0

Matthew Sachs

Reputation: 1585

The only way to do that today is to grant all users of A + B access with IAP, and then do your own additional access control within the service code.

Upvotes: 1
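
An added example, not part of any answer above: one way to do the in-service access control that the last answer describes, as a WSGI wrapper that checks the identity IAP passes in `X-Goog-Authenticated-User-Email` against a per-service allowlist. The allowlist, the service names and the names `PerServiceAccess`, `demo_app` and `status_for` are assumptions made for illustration; `GAE_SERVICE` is the service name App Engine sets in the runtime environment.

```python
import os

# Constructed sample policy (assumption): App Engine service name -> allowed users.
SERVICE_ALLOWLIST = {
    "service-a": {"alice@example.com", "bob@example.com"},
    "service-b": {"carol@example.com"},
}
# WSGI form of the X-Goog-Authenticated-User-Email header that IAP sets.
IAP_EMAIL_KEY = "HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"
IAP_EMAIL_PREFIX = "accounts.google.com:"

def iap_email(environ):
    """Return the lower-cased email from the IAP header, or None if malformed."""
    raw = environ.get(IAP_EMAIL_KEY, "")
    if not raw.startswith(IAP_EMAIL_PREFIX):
        return None
    email = raw[len(IAP_EMAIL_PREFIX):].strip().lower()
    return email if email.count("@") == 1 else None

def is_allowed(environ, service, allowlist=SERVICE_ALLOWLIST):
    email = iap_email(environ)
    # Deny by default: a missing identity or an unlisted service gets no access.
    return email is not None and email in allowlist.get(service, set())

class PerServiceAccess:
    """WSGI wrapper that answers 403 unless the IAP user is listed for this service."""
    def __init__(self, app, service=None, allowlist=SERVICE_ALLOWLIST):
        self.app = app
        self.service = service or os.environ.get("GAE_SERVICE", "")
        self.allowlist = allowlist

    def __call__(self, environ, start_response):
        if is_allowed(environ, self.service, self.allowlist):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden for this service\n"]

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

def status_for(service, header_value):
    """Run one constructed request through the wrapper; return the status line."""
    seen = []
    environ = {IAP_EMAIL_KEY: header_value} if header_value else {}
    PerServiceAccess(demo_app, service)(environ, lambda s, h: seen.append(s))
    return seen[0]
```

The plain header is only trustworthy when every request reaches the app through IAP; verifying the signed `x-goog-iap-jwt-assertion` header is the stronger check and is left out here because it needs Google's public keys.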
