I have a frontend project and a backend project. These are 2 separate app engine projects.
Setting up IAP on both is not problem but when my frontend project tries to call the backend project it is blocked.
Is there anyway to have access allowed to the backend project when the user passes the frontend IAP ? or do I have to leave the backend project without IAP enabled ?
You have to programmatically invoke (make the call using an OIDC token) to the backend from your front end. See documentation on how to do that.
There are misunderstandings. Let me clarify.
Firstly, your App Engine is highly scalable in a single project. Instead of having several projects with several App Engine, you should have only one project, with a single App Engine and multiple services.
Default is usually used for the frontend part. You can use an API service for your backend, or name it as you wish.
Like that, the whole website will be protected by the same IAP context. Like that, no issue as you have before, it's the same IAP cookies and the API calls should not create issues.
Secondly, keep in mind that your JS code runs in the client browser, not on App Engine; App Engine only serves the static files, that's all. All the rest of the computation is performed locally.
Related
I have a relatively small Java app, which I'd like to move over to the Google App Engine. It runs in the console, with no user input needed after the initial startup. I researched a bit on how to deploy it, but all tutorials seem to focus on Java web apps, when I don't really need that. Is it possible to deploy my app if it's not a web app?
App Engine is probably the wrong GCP platform for you - you'd probably be better served just deploying your jar directly onto a Google Compute Engine node. GAE is pretty explicitly oriented around web applications and you'd need to do a bunch of configuration in order to have it work for your use case.
Does your non-web Java app handle web requests? If not, it seems difficult to imagine that you would be able to reach your deployed app and use it for any purpose, once deployed. Your Java app should be able to handle requests, to make deployment worthwhile, and the deployed app useful.
You may find out about how your app should handle requests by reading the How Requests are Handled documentation page.
I've been trying to do this for a while, but I'm confused as to the difference between the two applications.
I know that endpoints helps you expose an API and generate the client libraries that allow you to interact with your Android app.
But in the examples, it seems as though endpoints is the only code you write for the backend at all.
I thought that app engine was what the actual application ran on - that is, do I need a separate project with the app engine backend, then my android studio project with the Android app and the endpoints API, or does writing the endpoints API also serve as the app engine backend?
The endpoints backend API is just a piece of a GAE app functionality.
If you only have that functionality in your app you can extend it by adding the desired stuff to the existing app.yaml file (and the related app code), you don't have to create a new app. Especially if the endpoints functionality and the additional desired functionality are related.
You can also add endpoints backend support to an existing GAE app by merging the endpoints backend app.yaml content into the existing app's app.yaml file and adding the class file and API server file to the app's code.
How do I ensure that only a specific Google App Engine project can communicate with another web endpoint located in an other GAE Project.
I want to lock communication between App Engine Projects.
What would be the best way to accomplish this ?
The best way would be to make use of the request header X-Appengine-Inbound-Appid within your App Engine web endpoint application to assert the identity of your specific App Engine app that should be allowed to communicate. This header is added to the request by the URLFetch service and is not user modifiable.
Detail documentation can be found at https://cloud.google.com/appengine/docs/python/appidentity/#Python_Asserting_identity_to_other_App_Engine_apps
Not tested, but I thought application itself is admin, so how about like this?
Add login: admin to all handlers in app.yaml
Go to Google Developer Console, project -> Permissions, then Add project account which you want to communicate with into service accounts.
I hope it works.
I'm developing a Java app in GAE, which offers an API through Google Cloud Endpoints.
Basically it receives requests in the endpoints and uses a number of web services from different providers, stores some data and returns some data through the endpoints...
I understand that my app is conceptually a backend, because it doesn't provide any web page, but only the endpoints, don't you think so?
But there's no way to create only a backend, without being associated to any frontend app, is there? At least Google Plugin for Eclipse only allow you to "Generate App Engine Backend", from an existing app, and moreover this app must be an Android project...
I'm using it as a frontend and there's no problem, but apart from the conceptual issue, I've read that backends are kind of optimized to be backends, with more memory and CPU...
I think you're just confused because the Cloud Endpoints documentation uses the word 'backend' to refer to the entire cloud-hosted server implementation. It doesn't specifically refer to the use of GAE backend instances. Endpoint requests can be served by frontend or backend instances, based on how you set them up and the url being accessed.
From the App Ending docs:
"When an application is called to serve a web request, it must issue a response within 60 seconds"
"App Engine Backends are instances of your application that are exempt from request deadlines and have access to more memory (up to 1GB) and CPU (up to 4.8GHz) than normal instances."
So unless you're requests are doing something crazy, you don't need to use a backend. In the google-plugin-for-eclipse, "generate appengine backend" is talking about creating a backend for your android app... a server for your android app to contact (in this case your android app is the frontend and you're appengine app is the backend). In the example app you can remove the web side (index.html) to the appengine application and you'll have no web frontend. Index.html is using the gapi javascript library to make endpoints calls to your appengine service.
I've been developing a GWT project which uses Google APIs authorized by the App Identity API. This way, I can authorize my application backend to exploit the APIs needing authorization (e.g. Calendar, Mail, etc). I want to keep control of the data, I don't want users to need their authorization for the personal data.
It is very useful to use the hosted mode to develop GWT apps. But as far as I know, you won’t be able to hit the real calendar API using OAuth while running in hosted mode because the GAE dev server doesn’t simulate the Application Identity API.
But how about the other APIs? Has anyone used this approach? Can I simply create a mock for the Identity API and work with Calendar Java API in hosted mode?
It is unclear to me how to work around this problem. Any help would be greatly appreciated.
How about you create a Calendar Stub class.
In case you are running in the production environment,
the Stub class calls the Google API using the App Identity API.
In case you are running in the developer environment,
the Stub class calls a secret handler in your production app,
which then calls the Google API using the App Identity API.
All you basically need to create is a proxy handler in your production app.
You can have a shared secret between the dev and the prod environment
and use https to communicate.