0
votes

I have multiple App Engine Services in the same Google project. My wish is to enable IAP for some of the services and not others (in the same project), however, I know that this is not possible. For the services that I ideally don't want IAP enabled for, I don't want to just open it up to the whole internet by granting allUser the IAP-secured Web App User role. I still would like some sort of IP restrictions on who can access the resources. However, Google clearly says in the docs (https://cloud.google.com/iap/docs/managing-access),

Currently, bindings that grant public access can't have a condition associated with it. For example, a policy that allows anyone access to a resource if the request path starts with /public/ is invalid.

The users of this app will be external clients, and so I would ideally not like to go through the process of giving them service account and credential files and sharing with them code to generate an OIDC token.

That being said, is there any workaround to still add IP restrictions?


2 Answers

2
votes

I have an additional workaround. You can activate IAP on the service that you want. For the others, you can do this

  • Create a Global HTTPS load balancer
  • For each App Engine service that you want to not protect by IAP but with IP filtering:
    • Grant allUser the IAP-secured Web App User
    • Create a backend service on the Load Balancer
    • Create a backend of type serverless Network Endpoint Group and attach your App Engine service to it
    • Create a Cloud Armor policy that filters the source IP of the requests and add it to your backend. You can reuse the same policy or create a new one for each backend (and thus per App Engine service)

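
The steps of this answer as a gcloud script, added here as an example and not part of the answer above. The project id, service name, region and allowlisted ranges are placeholder assumptions (the ranges are RFC 5737 documentation addresses), and the load balancer frontend (certificate, URL map, target HTTPS proxy, forwarding rule) is left out since it is the same as for any global HTTPS load balancer. Two things are added that the bullet list does not mention: the allowlist entries are validated as IPv4 CIDRs before any rule is created, and the service's App Engine ingress setting is restricted to the load balancer, because a Cloud Armor policy only sees traffic that arrives through the load balancer while the service's own appspot.com hostname would otherwise still answer direct requests once allUsers has been granted access. Commands are printed rather than executed unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env sh
# Added example: put one App Engine service behind a global external HTTPS load
# balancer with a Cloud Armor source-IP allowlist. All names below are placeholders.
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 runs the gcloud commands.

PROJECT="${PROJECT:-my-project}"            # placeholder project id
SERVICE="${SERVICE:-partner-api}"           # App Engine service exposed without an IAP login
REGION="${REGION:-us-central1}"             # region of the App Engine app
# Constructed allowlist (RFC 5737 documentation ranges), space separated.
ALLOWED_CIDRS="${ALLOWED_CIDRS:-203.0.113.0/24 198.51.100.7/32}"
POLICY="${SERVICE}-ip-allowlist"
NEG="${SERVICE}-neg"
BACKEND="${SERVICE}-backend"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IPv4 CIDR only (IPv6 ranges are not handled here). A malformed entry would either
# be rejected by the API late, or worse, match nothing and lock the client out.
valid_cidr() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$'
}

# Step 1: Cloud Armor policy. The default rule (priority 2147483647) is switched to
# deny-403 and allow rules are placed in front of it. A rule accepts at most 10
# source ranges, so the allowlist is emitted in chunks of 10.
create_policy() {
  for c in $ALLOWED_CIDRS; do
    valid_cidr "$c" || { echo "invalid CIDR: $c" >&2; return 1; }
  done
  run gcloud compute security-policies create "$POLICY" --project="$PROJECT" \
      --description="IP allowlist for $SERVICE"
  run gcloud compute security-policies rules update 2147483647 --project="$PROJECT" \
      --security-policy="$POLICY" --action=deny-403
  prio=1000; chunk=""; n=0
  for c in $ALLOWED_CIDRS; do
    chunk="${chunk:+$chunk,}$c"; n=$((n + 1))
    if [ "$n" -eq 10 ]; then
      run gcloud compute security-policies rules create "$prio" --project="$PROJECT" \
          --security-policy="$POLICY" --src-ip-ranges="$chunk" --action=allow
      prio=$((prio + 1)); chunk=""; n=0
    fi
  done
  if [ -n "$chunk" ]; then
    run gcloud compute security-policies rules create "$prio" --project="$PROJECT" \
        --security-policy="$POLICY" --src-ip-ranges="$chunk" --action=allow
  fi
}

# Step 2: let IAP pass everyone (roles/iap.httpsResourceAccessor is the
# "IAP-secured Web App User" role), then route the service through the LB and
# attach the policy to its backend service.
attach_service() {
  run gcloud iap web add-iam-policy-binding --project="$PROJECT" --resource-type=app-engine \
      --service="$SERVICE" --member=allUsers --role=roles/iap.httpsResourceAccessor
  run gcloud compute network-endpoint-groups create "$NEG" --project="$PROJECT" --region="$REGION" \
      --network-endpoint-type=serverless --app-engine-service="$SERVICE"
  run gcloud compute backend-services create "$BACKEND" --project="$PROJECT" --global \
      --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "$BACKEND" --project="$PROJECT" --global \
      --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
  run gcloud compute backend-services update "$BACKEND" --project="$PROJECT" --global \
      --security-policy="$POLICY"
  # Without this the service's own *.appspot.com URL keeps answering direct requests,
  # which never pass through the load balancer or the Cloud Armor policy.
  run gcloud app services update "$SERVICE" --project="$PROJECT" \
      --ingress=internal-and-cloud-load-balancing
}

create_policy && attach_service
```

Run it once per service (changing SERVICE) and reuse POLICY across backends if the same clients should reach all of them, which is the "reuse the same policy" option in the answer. Review the printed plan before setting DRY_RUN=0; the ingress change in particular is the step that makes the allowlist meaningful and also cuts off any existing direct use of the appspot.com hostname.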
1
votes

The solution you've been looking for has been an open public issue for a while now so I have to set your expectations about this feature.

However, there is a workaround discussed in this thread where you should split your services and deploy them into separate projects, then use the Firewall Rules (or enable IAP) from there.