Reputation: 479
I have a use case where I have 2 apps:
Both apps are deployed into GCP Compute Engine
and are accessible from the Internet. I was able to configure IAP to prevent unauthorized access. I can specify a list of email accounts that are allowed to use the UI and API.
What I need is authorization capability from GCP IAP. Does it have one?
Simple example: some of the API endpoints should only be accessible to folks with a specific group/role membership. How can I extract that from IAP? The only thing IAP leaves me is a GCP_IAAP_AUTH_TOKEN cookie, which I can't even use due to its definition.
Upvotes: 3
Views: 1554
Reputation: 4443
You may try to put an LB in front of each service (one for the API, another for the app) and configure IAP to use them and grant access accordingly.
When an application or resource is protected by IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Identity and Access Management (IAM) role. When you grant a user access to an application or resource by IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks.
But it's not possible to configure IAP to grant different access levels to API methods based on who logged in. It doesn't look like it allows such fine-grained authorization management; you either get access or you don't.
After authentication, IAP applies the relevant IAM policy to check if the user is authorized to access the requested resource. If the user has the IAP-secured Web App User role on the Cloud Console project where the resource exists, they're authorized to access the application.
Upvotes: 1
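Added example, not code from the question or the answer above. The answer is right that IAP's own IAM check is all-or-nothing per backend service, so per-endpoint decisions have to happen in the application. What the application can rely on is that every request IAP proxies carries a signed JWT in the `x-goog-iap-jwt-assertion` request header (ES256; issuer `https://cloud.google.com/iap`; for Compute Engine backends the audience is `/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID`; signing keys are published at `https://www.gstatic.com/iap/verify/public_key-jwk`). The Go below verifies such an assertion and then applies a per-endpoint allowlist keyed on the verified `email` claim. The project number, service ID, route table and e-mail addresses are constructed for the example, and a locally generated key stands in for Google's (`mintTestAssertion` exists only so the check can be exercised offline; in a deployment you would select the JWK by the token's `kid` and pass it to `verifyIAPAssertion`).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// IAP's documented issuer, and the Compute Engine backend-service audience form (placeholder IDs).
const iapIssuer = "https://cloud.google.com/iap"
const expectedAudience = "/projects/123456789/global/backendServices/987654321"

// iapClaims are the claims this check uses from the x-goog-iap-jwt-assertion header.
type iapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// verifyIAPAssertion checks the ES256 signature over header.payload, then issuer, audience and
// expiry. pub is the IAP key whose kid matches the token header (from the gstatic JWK set in production).
func verifyIAPAssertion(token string, pub *ecdsa.PublicKey, now time.Time) (*iapClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, errors.New("bad base64url in token")
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected or missing alg") // refuses "none" and HMAC confusion
	}
	if len(raw[2]) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature length")
	}
	r, s := new(big.Int).SetBytes(raw[2][:32]), new(big.Int).SetBytes(raw[2][32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var c iapClaims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != iapIssuer:
		return nil, errors.New("wrong issuer")
	case c.Aud != expectedAudience: // minted for a different backend service
		return nil, errors.New("wrong audience")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// endpointACL is a constructed route table: API path prefix -> emails allowed to call it.
var endpointACL = map[string]map[string]bool{
	"/api/":       {"alice@example.com": true, "bob@example.com": true},
	"/api/admin/": {"alice@example.com": true},
}

// authorize applies the longest matching prefix and denies by default (no match or no entry).
func authorize(email, path string) bool {
	best := ""
	for prefix := range endpointACL {
		if strings.HasPrefix(path, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	return endpointACL[best][email]
}

// mintTestAssertion generates a fresh P-256 key and signs IAP-shaped claims with it, returning the
// token and the public key a verifier would use. It stands in for IAP here; real assertions are Google-signed.
func mintTestAssertion(c iapClaims) (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "test-key"})
	body, _ := json.Marshal(c)
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64) // JWS wants raw r||s, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), &priv.PublicKey
}
```

Two points worth keeping in mind when wiring this into a handler. The header is only trustworthy because its signature is checked against Google's published keys and its audience is pinned to your own backend service; copying the `email` out of the header without verifying it would let anyone who can reach the instance claim any identity. For the same reason the instances should accept traffic only from the IAP-fronted load balancer, otherwise a caller who reaches the VM directly bypasses IAP altogether. Group-based rules would work the same way, with the route table mapping prefixes to groups and membership resolved from the verified email.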