I have created a Cloud Scheduler job with an App Engine HTTP target. The target URL is /admin/task/create-documents.
I have an App Engine flexible app running with Java 8.
It works fine, but now I would like to secure the access to the servlet called by the Cloud Scheduler job (/admin/task/create-documents) to GCP developers only (usually referenced as 'admin'). I assumed the Cloud Scheduler job is considered as 'admin'.
Option 1 - didn't work
I tried to modify the web.xml file as for the standard environment, as mentioned here, but with no success:
The web.xml file:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
Option 2 - didn't work
I tried to modify the app.yaml by adding login: admin to the handlers section, as mentioned in the documentation here, but with no success either.
The app.yaml file:
runtime: java
env: flex
threadsafe: true
runtime_config:
  jdk: openjdk8
  server: jetty9
handlers:
- url: /admin/.*
  script: auto
  login: admin
- url: /.*
  script: auto
  secure: always
env_variables:
  JETTY_ARGS: -Djava.util.logging.config.file=WEB-INF/logging.properties
network:
  instance_tag: no-ip
  name: my-network
  subnetwork_name: my-subnet
But I also noticed that the login parameter is deprecated, as mentioned here and here. They mention IAM policies but I'm not sure how I should configure them.
How do I secure the Cloud Scheduler job endpoint to 'admin' only?