I would like to set separate permissions for different applications that run on GCP AppEngine.
I think, that the way to do this is by using specialized service accounts for each application.
As far as I understand, all applications run with the AppEngine default service account project#appspot.gserviceaccount.com
Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.
tldr; you can do gcloud beta app deploy --service-account=<your_service_account> app.yaml
AppEngine app's identity are not restricted to the AppEngine default service account anymore. You can deploy with custom service account for each AppEngine app now by following https://cloud.google.com/appengine/docs/standard/python/user-managed-service-accounts#app.yaml.
This works for both AppEngine Standard and Flexible.
I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.
You can have multiple services under App Engine.
You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.
However, that brings up security issues on how you manage and distribute the service account keys.
If you mean App Engine Flexible. Google does not even show the Flexible service account in the console as Google does not want you to modify it.
You have to just add the following code in your app.yaml file
service_account: {SERVICE_ACCOUNT_YOU_WANT_TO_USE_TO_ACCESS_APP_ENGINE}
Related
I have an application deployed to an app engine service. I have many services under the same app engine. How can I make the application available to certain white-listed IPs? In other words, I want this application to accept requests from certain IPs and deny all other request?
Can we do this by writing some configurations in app.yaml file?
Note: I just want to apply the rule to one service only so that other services will not be affected.
Applying this kind of restriction at a service level is, at the moment, not possible.
The best option would be to deploy the services you want to protect on a different project, and use the App Engine firewall there.
I have a situation where an existing GAE App (let's call it app A) is running, but for non-technical reasons can't be modified. As users migrates to a new client version, we need to migrate their data from app A to a new GAE app (which I'll call app B).
Is there a way that I can grant app B access to app A's live datastore without modifying app A? My not modifying I mean not having to deploy new code. Changing setting or permissions in the Cloud Console is fine.
In case it matters, both apps that I'm referring to are written in Go.
It might not be possible to share the datastore across multiple GAE apps using the Google App Engine Standard Environment Client Libraries. At least for python it's not possible, donno about go.
But the Cloud Datastore Client Libraries can be used to share a datastore across many apps, even from outside Google Cloud.
Regardless of the particular way the old app accesses the datastore (language/library/etc.) it can be configured from the Cloud Console to allow access to a remote app. The exact procedure steps are captured in How do I use Google datastore for my web app which is NOT hosted in google app engine?
The new app would be using the above-metioned client library with the old app's service account credentials (obtained in the above paragraph procedure) to access the old app's datastore.
I have been trying to find a solution to accessing a datastore in one project from a different google app engine project. I went through the tutorial on accessing a datastore from a different project's compute engine, however, this is not what I am looking for. What is required here is accessing a datastore on one project from a different app engine project. Has anyone done this successfully? Any ideas?
Cheers
As #Patrice says, this is possible by using the Remote API for Java (or for Python), which lets you access different App Engine services from any other application, as stated in the documentation.
For a more specific information on how to access the Datastore remotely with the Remote API, please take a look at this article from the documentation that explains step by step all the procedure.
Please, take into account that if your Google account is configured to use 2-Step Verification, you will need an App Password that authorizes the app to access your account resources.
there is actually an API that lets you make calls to App Engine services from anywhere, even from another App, as long as the credentials are ok, it's called the "remote API"
How do I ensure that only a specific Google App Engine project can communicate with another web endpoint located in an other GAE Project.
I want to lock communication between App Engine Projects.
What would be the best way to accomplish this ?
The best way would be to make use of the request header X-Appengine-Inbound-Appid within your App Engine web endpoint application to assert the identity of your specific App Engine app that should be allowed to communicate. This header is added to the request by the URLFetch service and is not user modifiable.
Detail documentation can be found at https://cloud.google.com/appengine/docs/python/appidentity/#Python_Asserting_identity_to_other_App_Engine_apps
Not tested, but I thought application itself is admin, so how about like this?
Add login: admin to all handlers in app.yaml
Go to Google Developer Console, project -> Permissions, then Add project account which you want to communicate with into service accounts.
I hope it works.
I am developing an google app engine java application with google cloud sql and google cloud storage.
I want to deploy the same code on multiple app engine applications and share google cloud storage files and buckets on each app engine application. Every application can read and write into same bucket. How can I do this? I don't want to make the buckets with public access.
How can I create a bucket pragmatically in java to share same code across all google app engine applications so that each application can use it?
Your app engine apps are running as a special "service account" associated with their projects. That account can be granted permissions just like any other. If you grant all of the service accounts full control of all of the buckets and objects, they will be able to use those buckets just as if they are the owners.
To find the service account, go to the app engine console and choose the "application settings" page. The name of the service account is printed there.
Now, using the cloud console or gsutil, grant full control to that account. If you want, you can also add it to the "default object ACL", to make sure that new objects created within that object will, by default, grant full control to all of the appropriate accounts.