
I have a GCP project with an App Engine app resource. I use Identity-Aware Proxy to set users and roles on the App Engine app in the console. I now want to manage users in IAP programmatically.

Currently, I am able to get the IAM policy for "All Web Services" included in the project, using:

const { google } = require('googleapis');

const cloudresourcemanager = google.cloudresourcemanager('v1');

const request = {
  resource_: '<project-id>',   // project ID or number (path parameter, hence the trailing underscore)
  requestBody: {},             // empty GetIamPolicyRequest body
  auth: authClient
};

try {
  // must run inside an async function
  const response = (await cloudresourcemanager.projects.getIamPolicy(request)).data;
  console.log(JSON.stringify(response, null, 2));
} catch (err) {
  console.error(err);
}

How do I get the specific policy for the App Engine app resource?

I prefer to specify the policy directly on the app resource, and not on "All Web Services".

See GCP IAP screenshot for details: Policy for App Engine app on GCP IAP


1 Answer


The first step is to read the existing IAP IAM policy for the resource (App Engine). Replace the words in capital letters with the correct values for your project and App Engine service:

POST https://iap.googleapis.com/v1beta1/projects/PROJECT_NUMBER/iap_web/appengine-APP_ID/services/SERVICE_ID/versions/VERSION_ID:getIamPolicy

Modify the policy to add/remove/change roles for the IAM member IDs and POST the new IAM policy back as the request body:

POST https://iap.googleapis.com/v1beta1/projects/PROJECT_NUMBER/iap_web/appengine-APP_ID/services/SERVICE_ID/versions/VERSION_ID:setIamPolicy

These links will show you how to use the REST APIs.

Start here to learn how to list App Engine services:

App Engine Services

This link is an overview of managing IAP access:

Identity Aware Proxy (IAP) Managing Access

IAP REST APIs for managing IAM permissions:

getIamPolicy

setIamPolicy
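The getIamPolicy, edit, setIamPolicy cycle described in the answer, as an added example that is not code from the original question or answer. It assumes Node 18+ (global fetch), an OAuth 2.0 access token in the environment variable GOOGLE_OAUTH_ACCESS_TOKEN, and the v1 IAP endpoint, whose resource path has the same shape as the v1beta1 URLs above; the function names, the SAMPLE_POLICY and the IAP_RESOURCE / IAP_MEMBER variables are this example's own. The policy editing is kept in pure functions so it can be exercised on a constructed policy without touching the API.

```javascript
// Added example (not from the original question or answer): read-modify-write
// of the IAP IAM policy for one App Engine service version.
// Assumptions: Node 18+ (global fetch), an access token in
// GOOGLE_OAUTH_ACCESS_TOKEN, and the v1 IAP API (same path shape as the
// v1beta1 URLs in the answer).

const IAP_API = 'https://iap.googleapis.com/v1';
const IAP_ROLE = 'roles/iap.httpsResourceAccessor';
const MEMBER_PREFIXES = ['user:', 'group:', 'serviceAccount:', 'domain:'];

// Resource name for one App Engine service version, as in the answer's URLs.
function appEngineVersionResource(projectNumber, appId, serviceId, versionId) {
  return `projects/${projectNumber}/iap_web/appengine-${appId}` +
    `/services/${serviceId}/versions/${versionId}`;
}

// Reject malformed members, and reject public principals unless the caller
// opts in: granting allUsers the accessor role removes the IAP login wall.
function checkMember(member, { allowPublic = false } = {}) {
  if (member === 'allUsers' || member === 'allAuthenticatedUsers') {
    if (!allowPublic) throw new Error(`refusing public principal ${member}`);
    return member;
  }
  if (!MEMBER_PREFIXES.some(p => member.startsWith(p) && member.length > p.length)) {
    throw new Error(`unsupported member format: ${member}`);
  }
  return member;
}

// Deep-copy the bindings so the policy returned by getIamPolicy is not mutated.
function cloneBindings(policy) {
  return (policy.bindings || []).map(b => ({ ...b, members: [...(b.members || [])] }));
}

// New policy with `member` added to the unconditional binding for `role`.
// etag and version are carried over untouched; a conditional binding for the
// same role is left alone rather than widened.
function addMember(policy, role, member, opts) {
  checkMember(member, opts);
  const bindings = cloneBindings(policy);
  let binding = bindings.find(b => b.role === role && !b.condition);
  if (!binding) {
    binding = { role, members: [] };
    bindings.push(binding);
  }
  if (!binding.members.includes(member)) binding.members.push(member);
  return { ...policy, bindings };
}

// New policy with `member` removed from the unconditional binding for `role`;
// a binding left with no members is dropped.
function removeMember(policy, role, member) {
  const bindings = cloneBindings(policy)
    .map(b => (b.role === role && !b.condition)
      ? { ...b, members: b.members.filter(m => m !== member) }
      : b)
    .filter(b => b.members.length > 0);
  return { ...policy, bindings };
}

// Members holding `role` through any binding (conditional ones included).
function membersOf(policy, role) {
  return (policy.bindings || [])
    .filter(b => b.role === role)
    .flatMap(b => b.members || []);
}

// POST {resource}:{verb} as in the answer; any non-2xx response is an error.
async function iapCall(resource, verb, body, token) {
  const res = await fetch(`${IAP_API}/${resource}:${verb}`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${verb} on ${resource}: HTTP ${res.status} ${await res.text()}`);
  return res.json();
}

// Read, edit, write back. Requesting policy version 3 returns conditional
// bindings instead of failing on them; sending the etag back makes
// setIamPolicy reject the write if the policy changed in between, rather
// than silently overwriting someone else's change.
async function grantIapAccess(resource, member, token, opts) {
  const current = await iapCall(resource, 'getIamPolicy',
    { options: { requestedPolicyVersion: 3 } }, token);
  const updated = addMember(current, IAP_ROLE, member, opts);
  return iapCall(resource, 'setIamPolicy', { policy: updated }, token);
}

// Constructed sample policy in the shape getIamPolicy returns (not real data).
const SAMPLE_POLICY = {
  version: 1,
  etag: 'BwXsample0=',
  bindings: [{ role: IAP_ROLE, members: ['user:alice@example.com'] }],
};

// Live run only when a token, target resource and member are supplied, e.g.
// GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token) IAP_RESOURCE=projects/... IAP_MEMBER=user:... node iap-policy.js
if (process.env.GOOGLE_OAUTH_ACCESS_TOKEN && process.env.IAP_RESOURCE && process.env.IAP_MEMBER) {
  grantIapAccess(process.env.IAP_RESOURCE, process.env.IAP_MEMBER, process.env.GOOGLE_OAUTH_ACCESS_TOKEN)
    .then(p => console.log(JSON.stringify(p, null, 2)))
    .catch(err => { console.error(err.message); process.exitCode = 1; });
}
```

The two points worth carrying into any real implementation are the etag (always send back the one you read, so a concurrent edit fails loudly instead of being lost) and the refusal to grant allUsers or allAuthenticatedUsers by default, since either principal on roles/iap.httpsResourceAccessor makes the resource reachable without the IAP login prompt.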