gman7911

Reputation: 65

Restrict access to AppEngine so that only another AppEngine service from another Google Cloud Project can access it

I have an API (AppEngine in Project 1) that calls out to another API (AppEngine in Project 2). Is it possible to restrict access to the API in AppEngine in Project 2, so that it can only be called from the AppEngine in Project 1?

Upvotes: 1

Views: 310

Answers (1)

guillaume blaquiere

Reputation: 75715

You have to activate IAP on App Engine, and then select the services on which you want to activate it.

Then, when you deploy a service on App Engine, you can now define an identity, i.e. the service account which is used by App Engine to generate an identity token.

Because the identity is unique to a service (for example Project 1), you can ONLY grant that identity the capacity to reach App Engine on Project 2.

Note: you can define a service account per service and not per project. Here I mention the project because it was your example, but it can be service 1 that calls service 2 in the same project, and only service 2 is protected by IAP.

Upvotes: 3
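An added example, not part of the answer above: a small Python audit that checks an IAP IAM policy for the protected service in Project 2 and reports every principal other than the calling service account that can pass through IAP. The policy content, the service account name and the function name `audit_iap_policy` are constructed for illustration.

```python
import json

# Role that lets a principal pass through IAP ("IAP-secured Web App User").
IAP_ACCESS_ROLE = "roles/iap.httpsResourceAccessor"

# Constructed sample in the shape printed by, for example:
#   gcloud iap web get-iam-policy --resource-type=app-engine \
#       --service=SERVICE --project=PROJECT_2 --format=json
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["serviceAccount:project-1@appspot.gserviceaccount.com",
                 "allAuthenticatedUsers",
                 "user:dev@example.com"]},
    {"role": "roles/iap.admin", "members": ["user:admin@example.com"]}
  ],
  "etag": "constructed"
}
""")


def audit_iap_policy(policy, allowed_member):
    """Return (kind, member) findings for the IAP access role.

    kind is "public" for allUsers/allAuthenticatedUsers, "extra" for any
    other principal that is not allowed_member, and "missing" when
    allowed_member itself has not been granted access.
    """
    findings = []
    granted = False
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ACCESS_ROLE:
            continue  # other roles do not grant access through IAP
        for member in binding.get("members", []):
            if member == allowed_member:
                granted = True
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(("public", member))
            else:
                findings.append(("extra", member))
    if not granted:
        findings.append(("missing", allowed_member))
    return findings


if __name__ == "__main__":
    caller = "serviceAccount:project-1@appspot.gserviceaccount.com"
    for kind, member in audit_iap_policy(SAMPLE_POLICY, caller):
        print(f"{kind}: {member}")
```

IAP policies are inherited down the resource hierarchy, so a clean result for the service still needs the same check on the policy set at the project level.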
