I want to upgrade my Java App Engine Standard app to App Engine Flexible and I am wondering what is the best solution to secure certains URLs (e.g. /admin/*).
In Standard I used in web.xml to restrict access to certain paths to users from AIM (https://console.cloud.google.com/iam-admin/iam):
<security-constraint>
<web-resource-collection>
<web-resource-name>users</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
As mentioned in the upgrade notes:
The secure setting under handlers is now deprecated for the App Engine
flexible environment.
What is the best solution to secure URLs with user and roles from AIM, so with permissions I already defined there?
I think Cloud Identity-Aware Proxy (IAP) [1] would be a good solution for you:
Cloud Identity-Aware Proxy (Cloud IAP) lets you manage access to applications running in App Engine standard environment, App Engine flexible environment, Compute Engine, and Kubernetes Engine. Cloud IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls.
Check this page to manage user access [2]:
This page describes how to manage individual or group access to Cloud Identity-Aware Proxy (Cloud IAP)-secured resources at the resource level.
You can use projects.testIamPermissions to check the permissions the user currently has, and deny/allow access from there. For example:
test_iam_permissions_request_body = {
"permissions": [
"resourcemanager.projects.get"
]
}
will return resourcemanager.projects.get if the user has that permission, and empty if not. This way you can still use the users/roles defined in IAM to allow access.
Unfortunately, this is no longer possible with just a configuration. As you can see in the documentation
"Note that because the Users service is not available, it is not possible to use app.yaml to make URLs accessible only by administrators. You will need to handle this logic within your application."
You will need to handle this with application code (check the authenticated user and then allow or deny him access).
Related
We have an application (say App-B) that is developed in Python 3.7 standard environment.
This application will be accessed only by another project (application) that is part of GAE.
Do we need to expose the App-B using Google Cloud endpoints to make this happen? If yes, according to the docs here it says we need to secure App-B using IAP.
Can IAP support "application" instead of "users"? How do we go about this?
These are the steps to Setting up Cloud IAP access:
1.Go to the Identity-Aware Proxy page.
2.On the right side panel, next to Access, click Add.
3.In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web
App
4.User role for the project. Members can be:
a.Google Accounts: user#gmail.com
b.Google Groups:
admins#googlegroups.com
c.Service accounts:
server#example.gserviceaccount.com
d.G Suite domains: example.com
Can IAP support "application" instead of "users"? Yes, IAP member can be a service account.
A service account is a special kind of account that belongs to an
application or a virtual machine (VM) instance, not a person.
Applications use service accounts to make authorized API calls.
You can find detailed explanation Enabling Cloud IAP ,Service accounts.
Let's say I'm deploying a GAE Flex app and I want to restrict access to be only internal. Since GAE Flex is just a wrapper on GCE, according to the documentation, in the app.yaml file I can specify a VPC under name which will launch the instance into the specified VPC.
If the VPC is set up to only allow internal access, do I need to do any additional configuration of App Engine firewall rules to ensure this consistency?
More broadly speaking, what does the App Engine Firewall do differently than a VPC's Firewall rules? Does App Engine Firewall override the firewall rules set by a VPC?
With regards to your broader question about the difference between the two, you should bear in mind that VPCs allow for a wider variety of approaches to configuring your internal access, including not just firewall rules and routes but also network tags. The App Engine firewall permits only configuration of an ordered list of rules that can allow or deny access from the specified IP address or ranges.
Both will need to be configured correctly in order to control access and ensure that your application can send and receive traffic in the desired way.
I would encourage you to checkout Cloud Identity-Aware Proxy. It's a free service from GCP.
Cloud IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
When an application or resource is protected by Cloud IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Cloud Identity and Access Management (Cloud IAM) role.
When you grant a user access to an application or resource by Cloud IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access a Cloud IAP-secured resource, Cloud IAP performs authentication and authorization checks.
https://cloud.google.com/iap/
I have a rest API hosted in Google App Engine. (API lives in a Docker container in the Flexible environment).
I need to support only internal API calls (from another service in the same App Engine Project) and for developer testing be able to call it directly (I don't want user authentication, but I should be able to access it still using the application_default_credentials...I'm just unsure how)
Can you direct me to documentation or examples of how to set this up?
The Google documentation is very lacking.
You have several options, including the following:
The App Engine documentation states that the recommended approach is OAuth for microservices that require authentication.
A second option is to use Cloud Endpoints with service account authentication.
Third, you can use Identity-Aware Proxy to secure the server. Clients can get an identity token from the metadata server.
I was learning about IAP in GCP, which is used for authentication and authorization to GCP hosted apps.
Thoughts
Even before IAP was introduced in GCP, users could be authenticated and authorized using login credentials and google IAM policies.
Okay, IAP replaces VPN, users can work from untrusted networks.
Query
Please correct me if i am thinking wrong.
But if my app./resource is hosted in GCP, than it is accessible publicly with proper authentication and authorization, there is obviously no need of VPN. In this scenario, what is the significance of IAP.
What is the new thing in IAP, as IAP also does the same thing for authentication and authorization?
You wouldn't technically need IAP if you've already got an app which is secured with proper authentication and authorization, though it still may be desirable. One reason is that IAP gives you the ability to configure individual access outside of your application, rather than needing to control ACLs internally in your app's code. The App Engine IAP quickstart has a good overview of how IAP config works for securing an app.
You can think of IAP as filling the role of a VPN while also giving you the flexibility of OAuth. It is mainly targeted towards perimeter security which is traditionally accomplished by using firewalls and VPNs to secure privileged network resources like intranets which are hosted on premises. IAP allows you to set up a cloud-hosted intranet in much the same way as you'd do on-premises, with access control handled at the perimeter by IAP. This is explained very well in the Google research paper "BeyondCorp - A New Approach to Enterprise Security".
I read this page: https://cloud.google.com/appengine/docs/ssl
What I'm wondering: When you create a Google Apps for Work account to get a certificate, does the same user need to 'own' the Google Cloud Platform account where the appengine is running?
And who should be the 'owner' of Cloud DNS?
In many cases, the programmer is not part of the company, so he doesn't have a google apps user account. Or is sharing access of the Cloud Platform enough to get SSL.
Regards, Peter
Note: GAE SSL on custom domains is about to break free of Google Apps, which may significantly change the context for your question and answer(s). See https://support.google.com/a/answer/2644334:
Currently the Google Apps SSL configs only map certificates to the custom domain URLs, regardless of those URLs being served by GAE apps or not, so app ownership identity shouldn't matter. But this needs to be done by a Google Apps Admin.
For now Google Apps Admins can still map custom domain URLs to GAE apps (unclear if they need to own the apps, the above note suggest they might not need to) - which will change after the migration to the Developer Console.
Both the Google Apps Admin or the GAE app owner can perform the app mapping to a custom domain URL (via the Apps Admin console or the Developer Console, respectively) provided they pass the domain ownership verification (the actual Cloud DNS owner doesn't matter technically).
The page you read links to a more detailed documentation for Google Apps, where you can find this :
To add your application to the Google Apps account, the account
administrator’s sign-in account (email address) should be an owner of
the app. This is set in the Google Cloud Platform documentation under
Permissions.
So the admin user who enables SSL on Google Apps must also be an owner of the Google Cloud Platform project.
Who owns the DNS settings (be it Google Cloud DNS or any other DNS service) is independent : it doesn't have to be the same person.