Identity Aware Proxy(IAP) for Google Cloud endpoints OpenAPI - google-app-engine

We have an application (say App-B) that is developed in Python 3.7 standard environment.
This application will be accessed only by another project (application) that is part of GAE.
Do we need to expose the App-B using Google Cloud endpoints to make this happen? If yes, according to the docs here it says we need to secure App-B using IAP.
Can IAP support "application" instead of "users"? How do we go about this?

These are the steps for setting up Cloud IAP access:
1. Go to the Identity-Aware Proxy page.
2. On the right side panel, next to Access, click Add.
3. In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web App User role for the project. Members can be:
   a. Google Accounts: user@gmail.com
   b. Google Groups: admins@googlegroups.com
   c. Service accounts: server@example.gserviceaccount.com
   d. G Suite domains: example.com
Can IAP support "application" instead of "users"? Yes, an IAP member can be a service account.
A service account is a special kind of account that belongs to an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
You can find a detailed explanation in Enabling Cloud IAP and Service accounts.

Related

Role-names available on Google App Engine

I'm developing an admin page for my webpage. I'm using GAE and security-constraints. I would like to know which role-names are available and how I can define which Google Accounts could access a specific page.
When using Google App Engine, these are the pre-defined roles available:
roles/appengine.appAdmin: The App Engine Admin (read/write/modify access to all the configuration and settings of the app)
roles/appengine.serviceAdmin: The App Engine Service Admin (read-only access to app configuration and settings, write/modify access to module/version-level settings, can't deploy new versions)
roles/appengine.deployer: The App Engine Deployer (read-only access to app configuration and settings, write access to create new versions only, can't modify versions except for deleting those without traffic)
roles/appengine.appViewer: The App Engine Viewer (read-only access to app configuration and settings)
roles/appengine.codeViewer: The App Engine Code Viewer (read-only access to app configuration, settings and deployed source code)
These roles are explained in more detail here.
In order to establish the permissions for accounts to access the application, Google Cloud relies on IAM (Identity and Access Management), where you can create service accounts for accessing the app (as well as define roles for project members, including service accounts and Google accounts).
There are various ways to define permissions for access control, but I would recommend using the Cloud Console for it. Inside the console, go to the IAM page and select the project you want to define access control rules. These are the operations that you can do inside the IAM page:
Add team members (Google or service accounts).
Grant them one or more roles.
Change team member's access.
Revoke access to team members.
You can check this link for further info about how to manage roles and permissions using IAM.

Identity Aware Proxy and App Engine Services, One Per Service?

Is it possible to put more fine-grained access control on AppEngine services using Google Cloud IAP (Identity Aware Proxy)?
I have two services A and B, I want some users to be able to access A, and I would like to provide a different list of users who can access service B. I'd like to use IAP to control access.
This is available now.
For each service configured for IAP, you can add and allow specific users to each resource or a selection of resources in the Info Panel.
Role: Cloud IAP > IAP-Secured Web App User
What is not available is enabling/disabling IAP per service.
Unfortunately once IAP is enabled for App Engine, it is enabled for all App Engine services, and you are therefore unable to have one public App Engine service and one IAP-fronted App Engine service.
Whereas IAP can be controlled per HTTPS load balancer.
I don't know if Google added this since the question was asked, but now it is possible to control access on individual service level:
Just select the service in the IAP console, and add members to it. You can add allUsers to make the service public (like in this picture)
The only way to do that today is to grant all users of A + B access with IAP, and then do your own additional access control within the service code.
Another way is to organize your applications under different projects.
Project A contains applications accessible to users in group A, Project B contains applications accessible to users in group B.
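The two threads above leave the receiving side unspecified: how App-B decides that the caller is the permitted service account (first question), and how a service does "its own additional access control within the service code" when it wants a different allowlist per service (third question). The block below is an added example, not code from any of the posts or from Google. It implements the receiving-side check that Google's IAP documentation calls for: read the `x-goog-iap-jwt-assertion` header, check the JWT's `alg` (ES256), issuer (`https://cloud.google.com/iap`), audience (for App Engine, `/projects/PROJECT_NUMBER/apps/PROJECT_ID`), validity window and identity claims, cross-check the `x-goog-authenticated-user-email` header (`accounts.google.com:<email>`) against the verified claim, and only then consult a per-service allowlist. The project number, project ID, service names and allowlist are hypothetical. Signature verification needs Google's public keys over the network, so the signature check is injected as a callable; the constructed signer at the bottom only exists so the example runs offline, and in production you would pass a real verifier such as `google.oauth2.id_token.verify_token` instead.

```python
"""IAP assertion validation plus per-service allowlist (added example, not from the original posts)."""
import base64
import json
from typing import Callable, Dict, Set, Tuple

# Real values from the IAP signed-header documentation.
IAP_ISSUER = "https://cloud.google.com/iap"
ASSERTION_HEADER = "x-goog-iap-jwt-assertion"
EMAIL_HEADER = "x-goog-authenticated-user-email"  # value looks like "accounts.google.com:<email>"

# Hypothetical App Engine audience: /projects/<project number>/apps/<project id>.
AUDIENCE = "/projects/123456789012/apps/app-b-project"

# Hypothetical per-service policy: which verified identities may reach which service.
POLICY: Dict[str, Set[str]] = {
    "service-a": {"alice@example.com", "app-a@app-a-project.iam.gserviceaccount.com"},
    "service-b": {"bob@example.com"},
}

# Tolerated clock skew for the iat check, in seconds (assumption).
CLOCK_SKEW = 30


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_iap_claims(token: str, audience: str,
                      verify_signature: Callable[[str], bool], now: int) -> dict:
    """Return the JWT payload after checking header, signature, iss, aud, time window and identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    # IAP signs with ES256 and names the key via kid; anything else is not an IAP assertion.
    if header.get("alg") != "ES256" or "kid" not in header:
        raise ValueError("unexpected JWT header")
    if not verify_signature(token):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not (claims.get("iat", 0) - CLOCK_SKEW <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if not claims.get("email") or not claims.get("sub"):
        raise ValueError("missing identity claims")
    return claims


def authorize(headers: Dict[str, str], service: str,
              verify_signature: Callable[[str], bool], now: int) -> Tuple[bool, str]:
    """Return (allowed, verified_email). The email header alone is never trusted."""
    lower = {k.lower(): v for k, v in headers.items()}
    token = lower.get(ASSERTION_HEADER)
    if not token:
        return False, ""  # no assertion: request did not come through IAP (or was spoofed)
    try:
        claims = decode_iap_claims(token, AUDIENCE, verify_signature, now)
    except ValueError:
        return False, ""
    email = claims["email"]
    # If the convenience header is present it must agree with the signed claim.
    header_email = lower.get(EMAIL_HEADER, "").split(":", 1)[-1]
    if header_email and header_email != email:
        return False, ""
    return email in POLICY.get(service, set()), email


# --- Constructed stand-in signer so the example runs offline (not how IAP signs) ---
_MINTED: Set[str] = set()


def mint_constructed_token(claims: dict) -> str:
    """Build an ES256-shaped JWT with a placeholder signature and remember it as 'ours'."""
    header = {"alg": "ES256", "typ": "JWT", "kid": "constructed-kid"}
    token = ".".join([_b64url_encode(json.dumps(header).encode()),
                      _b64url_encode(json.dumps(claims).encode()),
                      _b64url_encode(b"constructed-signature")])
    _MINTED.add(token)
    return token


def constructed_verify(token: str) -> bool:
    """Accept only tokens minted above; any tampering with header, payload or signature fails."""
    return token in _MINTED


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_constructed_token({"iss": IAP_ISSUER, "aud": AUDIENCE, "sub": "accounts.google.com:1",
                                  "email": "app-a@app-a-project.iam.gserviceaccount.com",
                                  "iat": now - 10, "exp": now + 600})
    print(authorize({ASSERTION_HEADER: tok}, "service-a", constructed_verify, now))
```

Note the ordering: the signature is checked before any claim is read, and the `iat`/`exp` window is checked with the caller-supplied clock so the check is testable. The allowlist keyed by service is what the third thread's answer means by access control "within the service code"; it works whether IAP is enabled for the whole app or per service.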

SSL on appengine

I read this page: https://cloud.google.com/appengine/docs/ssl
What I'm wondering: When you create a Google Apps for Work account to get a certificate, does the same user need to 'own' the Google Cloud Platform account where the appengine is running?
And who should be the 'owner' of Cloud DNS?
In many cases, the programmer is not part of the company, so he doesn't have a google apps user account. Or is sharing access of the Cloud Platform enough to get SSL.
Regards, Peter
Note: GAE SSL on custom domains is about to break free of Google Apps, which may significantly change the context for your question and answer(s). See https://support.google.com/a/answer/2644334:
Currently the Google Apps SSL configs only map certificates to the custom domain URLs, regardless of those URLs being served by GAE apps or not, so app ownership identity shouldn't matter. But this needs to be done by a Google Apps Admin.
For now Google Apps Admins can still map custom domain URLs to GAE apps (unclear if they need to own the apps; the above note suggests they might not need to), which will change after the migration to the Developer Console.
Both the Google Apps Admin or the GAE app owner can perform the app mapping to a custom domain URL (via the Apps Admin console or the Developer Console, respectively) provided they pass the domain ownership verification (the actual Cloud DNS owner doesn't matter technically).
The page you read links to a more detailed documentation for Google Apps, where you can find this:
> To add your application to the Google Apps account, the account administrator's sign-in account (email address) should be an owner of the app. This is set in the Google Cloud Platform documentation under Permissions.
So the admin user who enables SSL on Google Apps must also be an owner of the Google Cloud Platform project.
Who owns the DNS settings (be it Google Cloud DNS or any other DNS service) is independent : it doesn't have to be the same person.

Domain registered with Google App for Business point to other ip?

I have registered a domain when I was registering Google App for business.
I'm just wondering if I could let that domain point to my server instead of Google site?
If not, how can I release the domain and register it(the same name) from some other domain name provider?
You can associate your purchased domain with your App Engine application. Go to the Admin Console and then Application Settings. You will see a Domain Setup section. Click on Add Domain and follow the steps. For further details, check out the instructions.
Yes, you can manage your DNS records even if you bought the domain as part of the Google Apps sign up. In case you don't want to host your website on Google App Engine or Google Sites, you can access the DNS credentials for your assigned provider (Enom, GoDaddy) at Domains -> Advanced DNS Settings; from there you should log in to your provider console in order to change the settings.
https://support.google.com/a/answer/54693?hl=en
If you want to transfer to another provider, follow the standard procedure that each provider has; it usually requires some email confirmation back and forth. Also, make sure not to renew your domain automatically in the Google Apps admin console, otherwise you may be billed twice for the domain.
Now that Google is offering DNS-as-a-service in the Cloud Platform I wonder when they will end the partner DNS hosting and manage it themselves from end to end.

Google Drive changing permissions by service account

Looking for the best current approach for admins of a Google Apps domain to modify the permissions of a Google Drive object owned by other users. I'll be developing the app on Google App Engine.
It was straightforward using 2 legged OAuth and the Google Documents List API: https://developers.google.com/gdata/docs/auth/oauth#2LeggedOAuth but now that Google Drive SDK is the live API, I see that service accounts are the encouraged method: Does google Drive api support 2 legged oauth? and https://developers.google.com/accounts/docs/OAuth2ServiceAccount . So I'm following an example that uses this approach and the Prediction API: https://developers.google.com/appengine/articles/prediction_service_accounts and you cannot use the GAE service account in the Team section of the API console. Get an error: "User xxx@appspot.gserviceaccount.com may not be added to project "New Proj Name". Only members from domain myappsdomain.com may be added."
So, I'm basically asking:
1) How do you use service accounts with Google Drive SDK for admin tasks like changing permissions
2) And any working GAE service account tutorials using the Drive API that work with non-domain users.
The documentation about Service Accounts and user impersonation has just been added:
https://developers.google.com/drive/service-accounts
https://developers.google.com/drive/user-impersonation
Unfortunately, App Engine Service Accounts are not supported by Google Drive yet.
