Identity Aware Proxy and App Engine Services, One Per Service?

1
votes

Is it possible to put more fine-grained access control on AppEngine services using Google Cloud IAP (Identity Aware Proxy)?

I have two services A and B, I want some users to be able to access A, and I would like to provide a different list of users who can access service B. I'd like to use IAP to control access.

4
google-app-enginegoogle-iap

4 Answers

5
votes

This is available now.

For each service configured for IAP, you can add and allow specific users to each resource or a selection of resources in the Info Panel.

Role: Cloud IAP > IAP-Secured Web App User

What is not available is enabling/disabling IAP per service.

Unfortunately once IAP is enabled for App Engine, it is enabled for all App Engine services, and you are therefore unable to have one public App Engine service and one IAP-fronted App Engine service.

Where as IAP can be controlled per HTTPS load balancher

3
votes

I don't know if Google added this since the question was asked, but now it is possible to control access on individual service level:

IAP

Just select the service in the IAP console, and add members to it. You can add allUsers to make the service public (like in this picture)

1
votes

The only way to do that today is to grant all users of A + B access with IAP, and then do your own additional access control within the service code.

0
votes

Another way is to organize your applications under different projects.

Project A contains applications accessible to users in group A, Project B contains applications accessible to users in group B.