Reputation: 56
We have services on GKE protected by IAP. So far, whenever we need to give access to a new internal user, we grant them the role roles/iap.httpsResourceAccessor.
The organization policy constraints/iam.allowedPolicyMemberDomains is enforced, and we want to keep it enforced.
The problem is that we need to give access to external users (so they have email addresses/groups from another domain, which is banned by the rule above). Also, on the Kube side, the IAP credentials to use are defined per service backend. This is convenient, because an external user should not have access to all services (unlike the internal users). Therefore, we can 'say': this service uses this IAP credential, which is consumable by this user.
To summarize, I need to give EXTERNAL users access to SOME of our GKE service(s) through IAP without removing constraints/iam.allowedPolicyMemberDomains.
Thanks a lot for your help!
So far, we have tried the following:
Create an internal group, give it the role roles/iap.httpsResourceAccessor, and add my external users to this group. It doesn't work :/ (access is still denied).
Through the Google Auth Platform, I made the audience external and manually added the users' emails through the UI. It works, BUT I can't say which service they have access to, so all users have access to all services. (It looks to me as though the Audience is applied before the Client.)
Upvotes: 0
Views: 65
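For readers who want to see the per-service wiring the question refers to, the following is an added example (not the poster's own manifests): one OAuth client secret, one BackendConfig that enables IAP with those credentials, and the Service that selects that BackendConfig. Every name here (the namespace, the secret, the BackendConfig, the Service and its selector and ports) is an assumption chosen for illustration, and the client ID and secret values are placeholders to be replaced with the credentials of the OAuth client created for that service.

```yaml
# Added example, not from the original post. Names and values below are assumed.
# OAuth client credentials consumed by IAP for this one backend only.
apiVersion: v1
kind: Secret
metadata:
  name: iap-oauth-external-svc      # assumed name
  namespace: default                # assumed namespace
type: Opaque
stringData:
  client_id: "REPLACE_WITH_OAUTH_CLIENT_ID"          # placeholder
  client_secret: "REPLACE_WITH_OAUTH_CLIENT_SECRET"  # placeholder
---
# BackendConfig that turns IAP on for the backend service created from the
# Service below, using the credentials in the Secret above.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: external-svc-iap            # assumed name
  namespace: default
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-external-svc
---
# The Service binds to the BackendConfig through the backend-config annotation,
# so only this service's backend uses the credentials above.
apiVersion: v1
kind: Service
metadata:
  name: external-svc                # assumed name
  namespace: default
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
    cloud.google.com/backend-config: '{"default": "external-svc-iap"}'
spec:
  type: ClusterIP
  selector:
    app: external-svc               # assumed pod label
  ports:
  - port: 80
    targetPort: 8080                # assumed container port
```

Two points worth checking on a setup like this. First, roles/iap.httpsResourceAccessor can be bound on a single backend service rather than on the whole project, with `gcloud iap web add-iam-policy-binding --resource-type=backend-services --service=<backend-service-name> --member=<member> --role=roles/iap.httpsResourceAccessor`, which is the mechanism that limits a principal to one service instead of all of them. Second, that binding is still an IAM policy member, so constraints/iam.allowedPolicyMemberDomains is evaluated against it exactly as it is for a project-level grant; scoping the binding to one backend does not by itself admit a member from a domain the constraint excludes.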