0
votes

Hello,

I have a web app on Google Cloud Platform on Kubernetes Engine, accessing it through Identity-Aware Proxy and restricting it through Access Context Manager, which Google Cloud Platform provides.

I am trying to allow access through the Chrome browser only to users with a] a restricted/limited number and type of Chrome browser extensions, b] an approved device and c] possibly a specific G Suite account.

Initially accomplishing this goal is not hard:

c] you can set the IAP-secured Web App User access role in Identity-Aware Proxy per user (identity)

b] you can create an access level in Access Context Manager which requires an approved device (which requires the Endpoint Verification extension to be installed)

a] you can limit extensions for the G Suite user Chrome profile in the admin console without any problem (or need for browser enrollment)

This would be an example of an easy-to-make solution to the given problem, but here are the problems, a possible solution, and finally where I'm in need of advice.

  1. The user can log into a custom Chrome browser profile, avoid the extension installation restriction (restrictions/policies are applied based on the G Suite Chrome profile) and then log into the G Suite account on google.com and be granted access through Identity-Aware Proxy (access is given not based on the Chrome profile but based on the account you are logged into on google.com)

The solution to this problem would be to enroll the browser; policies wouldn't be given per G Suite profile in Chrome but per browser. This brings another problem:

  2. The user can un-enroll the Chrome browser at any time

This is currently my dead end; I think the only way out would be if there were a check in Access Context Manager for the Chrome profile or Chrome enrollment.

Possible Hints:

  • I was told to buy a Chrome Enterprise licence and allow login only on enrolled browsers https://support.google.com/chrome/a/answer/7572556 ; just from the article it's not clear to me that it would solve my problem

  • the number of options in Access Context Manager is very poor; maybe I am missing some licence?

  • create an extension which would check the browser profile and restrict access to the web app by the presence of this extension and the G Suite profile in Chrome

Thank you.

1

1 Answer

0
votes

I was told to buy a Chrome Enterprise licence and allow login only on enrolled browsers https://support.google.com/chrome/a/answer/7572556 ; just from the article it's not clear to me that it would solve my problem

If I understand correctly, your biggest problem is that the user can stop using Chrome and go with another browser. By using Chrome Enterprise you force your users to use Google Chrome to even log into their accounts on corporate-managed devices.

the number of options in Access Context Manager is very poor; maybe I am missing some licence?

There aren't any license options for Access Context Manager; if you are looking for more settings in this feature I encourage you to open a Feature Request with Google.

create an extension which would check the browser profile and restrict access to the web app by the presence of this extension and the G Suite profile in Chrome

This option will do the trick; you can even force-install Chrome extensions.
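As an added example (not code from the original question, the answer, or Google), the shell script below wires together the pieces both posts mention: an Access Context Manager access level that requires an admin-approved device (question item b]) and a specific account (item c]), an IAP role binding conditioned on that level, and a machine-level Chrome managed policy that forces browser sign-in, blocks every extension except a force-installed allowlist (item a]) and makes cloud-management enrollment mandatory (the answer's point). POLICY_ID, LEVEL_NAME, BACKEND_SERVICE, USER_EMAIL, the EXTENSION_ID value, the example.com sign-in domain and the Linux policy directory are all assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example for this thread; all identifiers below are placeholders.
set -euo pipefail

POLICY_ID="${POLICY_ID:-123456789012}"          # placeholder ACM policy number
LEVEL_NAME="${LEVEL_NAME:-approved_device}"      # placeholder access level name
BACKEND_SERVICE="${BACKEND_SERVICE:-webapp-be}"  # placeholder IAP backend service
USER_EMAIL="${USER_EMAIL:-alice@example.com}"    # placeholder G Suite account
CHROME_POLICY_DIR="${CHROME_POLICY_DIR:-/etc/opt/chrome/policies/managed}"

# Basic-level spec for Access Context Manager: every condition in the list
# must hold (combine function "and"). The device block relies on Endpoint
# Verification data; the members block pins the level to one account.
write_level_spec() {
  local out="$1"
  cat > "$out" <<EOF
- devicePolicy:
    requireAdminApproval: true
    requireScreenlock: true
    allowedEncryptionStatuses:
      - ENCRYPTED
    osConstraints:
      - osType: DESKTOP_WINDOWS
      - osType: DESKTOP_MAC
      - osType: DESKTOP_LINUX
      - osType: DESKTOP_CHROME_OS
- members:
    - user:${USER_EMAIL}
EOF
}

# Create the access level from the spec file.
create_access_level() {
  local spec="$1"
  gcloud access-context-manager levels create "$LEVEL_NAME" \
    --policy="$POLICY_ID" \
    --title="Approved device and account" \
    --basic-level-spec="$spec" \
    --combine-function=and
}

# Grant the IAP role, but only when the request carries the access level.
bind_iap_with_level() {
  gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service="$BACKEND_SERVICE" \
    --member="user:${USER_EMAIL}" \
    --role=roles/iap.httpsResourceAccessor \
    --condition="expression=\"accessPolicies/${POLICY_ID}/accessLevels/${LEVEL_NAME}\" in request.auth.access_levels,title=require-${LEVEL_NAME}"
}

# Machine-level Chrome managed policy (Linux path assumed). Because it lives in
# a root-owned directory it applies to every profile in the browser, not just
# the G Suite profile, which closes the "custom profile" gap from the question.
# EXTENSION_ID and example.com are placeholders to replace.
write_chrome_policy() {
  local out="$1"
  cat > "$out" <<'EOF'
{
  "BrowserSignin": 2,
  "RestrictSigninToPattern": ".*@example\\.com",
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallForcelist": [
    "EXTENSION_ID;https://clients2.google.com/service/update2/crx"
  ],
  "CloudManagementEnrollmentToken": "ENROLLMENT_TOKEN_PLACEHOLDER",
  "CloudManagementEnrollmentMandatory": true
}
EOF
}

# Apply everything only when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "apply" ]; then
  spec="$(mktemp)"
  write_level_spec "$spec"
  create_access_level "$spec"
  bind_iap_with_level
  mkdir -p "$CHROME_POLICY_DIR"
  write_chrome_policy "$CHROME_POLICY_DIR/webapp-access.json"
fi
```

Note the division of labour this implies: IAP and Access Context Manager still cannot see which Chrome profile or enrollment state a request comes from, so the extension restriction is enforced by the machine-level Chrome policy, while IAP only checks the device posture and identity that Endpoint Verification reports. A user without root cannot edit the managed policy file, which is what prevents them from simply removing the enrollment.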