How do you programmatically add members to a single Google IAP access list?

Question

I have 2 terraformed/k8s-yaml services that have IAP enabled.

In order to maintain the member access list between infra refreshes (when the load balancers get destroyed and so the access list gets wiped) I have assigned the IAM role 'IAP-secured Web App User' to the relevant users.

e.g.

resource "google_project_iam_member" "bob_iap_web_app_user" {
   role   = "roles/iap.httpsResourceAccessor"
   member = "user:bob.cat@meow.com"
}

However this allows access to all IAP protected APIs within the project. Is there a filter you can add to only allow access to a particular load balancer?

Matthew Sachs Matthew Sachs · Accepted Answer · 2019-07-11T23:29:37

I can think of two ways to do this:

Wait for https://github.com/terraform-providers/terraform-provider-google/issues/2613 to be implemented.
You can use conditional grants at the project level to set up something like "bob.cat has access if request host is meow.com, alice.dog has access if request host is woof.com".

--Matthew, Google Cloud IAP engineering

How do you programmatically add members to a single Google IAP access list?

1 Answers