I would like to have an app deployed in App Engine to display information which are stored in BigQuery or Cloud Storage, but only if the user is authenticated in the webapp AND its permissions as set in IAM allow it.
So far, I can authenticate a user in App Engine through "Google Sign-In" as seen in https://cloud.google.com/appengine/docs/standard/python/oauth/, but those credentials don't seem to relate to those that are set in Cloud IAM.
I've seen how to set credentials for App Engine as a whole though a service account, but that seems to wide.
What I really want is to authenticate users on the web app, and then let IAM decide if those users are allowed to access data or not.
How would you proceed to do that?
Thanks for any help
The authenticating as an end user GCP documentation explains how to limit access to the project's resources using Cloud IAM. It also has a short example about authenticating an end user to call the BigQuery API.
Related
We are migrating part of our web app to a native mobile app (iOS and Android). We store all user info in our own database, including authentication info (username & pwd). We have a REST API for use by mobile apps and are trying to implement that in Google Cloud Endpoints.
We use an API key for identifying the app.
We want to also authenticate each user. The app will request the username and pwd and then pass that through the REST API. Our backend will confirm (by looking up the username/pwd in the db) if the user is valid. Ideally, at this point we would return a JWT.
Can this be done? The GCE documentation talks about authenticating Google users, and Facebook users. We don't want that. We don't want to use Firebase (unless a custom mechanism can be set up to authenticate). We will manage accounts. We will check if the username and pwd provided (through the app) identifies a valid user.
In trying to use a backend based on Google App Engine Standard and ESPv2, the documentation states that IAP must be enabled. IAP appears to authenticate users in a way we don't want. We want to authenticate users based on the username and pwd they provide and that we manage. Can this be done?
Any pointers would be greatly appreciated.
Thank you.
I read this page: https://cloud.google.com/appengine/docs/ssl
What I'm wondering: When you create a Google Apps for Work account to get a certificate, does the same user need to 'own' the Google Cloud Platform account where the appengine is running?
And who should be the 'owner' of Cloud DNS?
In many cases, the programmer is not part of the company, so he doesn't have a google apps user account. Or is sharing access of the Cloud Platform enough to get SSL.
Regards, Peter
Note: GAE SSL on custom domains is about to break free of Google Apps, which may significantly change the context for your question and answer(s). See https://support.google.com/a/answer/2644334:
Currently the Google Apps SSL configs only map certificates to the custom domain URLs, regardless of those URLs being served by GAE apps or not, so app ownership identity shouldn't matter. But this needs to be done by a Google Apps Admin.
For now Google Apps Admins can still map custom domain URLs to GAE apps (unclear if they need to own the apps, the above note suggest they might not need to) - which will change after the migration to the Developer Console.
Both the Google Apps Admin or the GAE app owner can perform the app mapping to a custom domain URL (via the Apps Admin console or the Developer Console, respectively) provided they pass the domain ownership verification (the actual Cloud DNS owner doesn't matter technically).
The page you read links to a more detailed documentation for Google Apps, where you can find this :
To add your application to the Google Apps account, the account
administrator’s sign-in account (email address) should be an owner of
the app. This is set in the Google Cloud Platform documentation under
Permissions.
So the admin user who enables SSL on Google Apps must also be an owner of the Google Cloud Platform project.
Who owns the DNS settings (be it Google Cloud DNS or any other DNS service) is independent : it doesn't have to be the same person.
I am really fed up. All I see the Google App Engine tutorial was just making the example on how to authenticate without password. What if I want to authenticate directly from my gmail account, how can I do it???
User the google provided users service which can use your google account for auth.
https://developers.google.com/appengine/docs/python/gettingstarted/usingusers
Google App Engine provides several useful services based on Google infrastructure, accessible by applications using libraries included with the SDK. One such service is the Users service, which lets your application integrate with Google user accounts. With the Users service, your users can use the Google accounts they already have to sign in to your application.
So now Google released the multi-tenant feature for gae.
Assuming i am going to implement a google app engine application and put it on google apps market place.
suppose www.doma.com and www.domb.com bought the application.
can usera from doma and userb from domb authenticate to this application with their google apps domain username (in other words) can usera#doma and userb#domb use authenticate with gae?
Thanks in advance
Google does not limit users when they go through OpenID or Google Accounts authentication procedure, your code should do this. After user is authenticated control is handed back to your code - at this point you should check users data and decide to pass the request through or not.
Also, if you want to use doma.com and domb.com as your domain names on GAE you need to own this domains and create separate Google Apps account for each of them. This means that random user cannot have user#doma.com email address (unless you manually created an account for them on Google Apps).
Applications that run inside the Google App Engine can use Google Accounts for user authentication. I already used this feature and it works great. I just want to know how this is working. Is there a HTTP cookie created? How can an application inside the GAE see that a user is logged in?
The AppEngine SDK takes care of the details for you, but essentially it generates the equivalent of an OAuth request to the Google Account service. All interactions with the login process go through the Google Account service (and thus the cookies it uses for session tracking are not available to the individual app).