Is it possible to put more fine-grained access control on AppEngine services using Google Cloud IAP (Identity Aware Proxy)?
I have two services A and B, I want some users to be able to access A, and I would like to provide a different list of users who can access service B. I'd like to use IAP to control access.
This is available now.
For each service configured for IAP, you can add and allow specific users to each resource or a selection of resources in the Info Panel.
Role: Cloud IAP > IAP-Secured Web App User
What is not available is enabling/disabling IAP per service.
Unfortunately once IAP is enabled for App Engine, it is enabled for all App Engine services, and you are therefore unable to have one public App Engine service and one IAP-fronted App Engine service.
Where as IAP can be controlled per HTTPS load balancher
I don't know if Google added this since the question was asked, but now it is possible to control access on individual service level:
IAP
Just select the service in the IAP console, and add members to it. You can add allUsers to make the service public (like in this picture)
The only way to do that today is to grant all users of A + B access with IAP, and then do your own additional access control within the service code.
Another way is to organize your applications under different projects.
Project A contains applications accessible to users in group A, Project B contains applications accessible to users in group B.
Related
I am currently working on a web app to list roles and permissions within my GCP organizaton and the different projects.
Here is what I would like to achieve:
I want the user to login when he arrives on the app
When he gets logged in I want a warning to pop up allowing him to delegate access to ressources to my app (like GCP permission)
Once all this is done I want my app to be able to use his gcp account to request permissions through the I'm API.
I know this could be accomplished by using a SAC and impersonnating the user but I would like to avoid it.
I checked IAP documentation but I don't think it would allow me to accomplish what I want.
Would Google sign in or any other kind of process would allow a user to delegate the right to access his GCP?
We have an application (say App-B) that is developed in Python 3.7 standard environment.
This application will be accessed only by another project (application) that is part of GAE.
Do we need to expose the App-B using Google Cloud endpoints to make this happen? If yes, according to the docs here it says we need to secure App-B using IAP.
Can IAP support "application" instead of "users"? How do we go about this?
These are the steps to Setting up Cloud IAP access:
1.Go to the Identity-Aware Proxy page.
2.On the right side panel, next to Access, click Add.
3.In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web
App
4.User role for the project. Members can be:
a.Google Accounts: user#gmail.com
b.Google Groups:
admins#googlegroups.com
c.Service accounts:
server#example.gserviceaccount.com
d.G Suite domains: example.com
Can IAP support "application" instead of "users"? Yes, IAP member can be a service account.
A service account is a special kind of account that belongs to an
application or a virtual machine (VM) instance, not a person.
Applications use service accounts to make authorized API calls.
You can find detailed explanation Enabling Cloud IAP ,Service accounts.
Let's say I'm deploying a GAE Flex app and I want to restrict access to be only internal. Since GAE Flex is just a wrapper on GCE, according to the documentation, in the app.yaml file I can specify a VPC under name which will launch the instance into the specified VPC.
If the VPC is set up to only allow internal access, do I need to do any additional configuration of App Engine firewall rules to ensure this consistency?
More broadly speaking, what does the App Engine Firewall do differently than a VPC's Firewall rules? Does App Engine Firewall override the firewall rules set by a VPC?
With regards to your broader question about the difference between the two, you should bear in mind that VPCs allow for a wider variety of approaches to configuring your internal access, including not just firewall rules and routes but also network tags. The App Engine firewall permits only configuration of an ordered list of rules that can allow or deny access from the specified IP address or ranges.
Both will need to be configured correctly in order to control access and ensure that your application can send and receive traffic in the desired way.
I would encourage you to checkout Cloud Identity-Aware Proxy. It's a free service from GCP.
Cloud IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
When an application or resource is protected by Cloud IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Cloud Identity and Access Management (Cloud IAM) role.
When you grant a user access to an application or resource by Cloud IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access a Cloud IAP-secured resource, Cloud IAP performs authentication and authorization checks.
https://cloud.google.com/iap/
I'm developing an admin page for my webpage. I'm using GAE and security-constraints. I would like to know which role-name are available and how I can define which Google Accounts could access a specific page.
When using Google App Engine, these are the pre-defined roles available:
roles/appengine.appAdmin: The App Engine Admin (read/write/modify access to all the configuration and settings of the app)
roles/appengine.serviceAdmin: The App Engine Service Admin (read-only access to app configuration and settings, write/modify access to module/version-level settings, can't deploy new versions)
roles/appengine.deployer: The App Engine Deployer (read-only access to app configuration and settings, write access to create new versions only, can't modify versions except for deleting those without traffic)
roles/appengine.appViewer: The App Engine Viewer (read-only access to app configuration and settings)
roles/appengine.codeViewer: The App Engine Code Viewer (read-only access to app configuration, settings and deployed source code)
These roles are explained in more detail here.
In order to establish the permissions for accounts to access the application, Google Cloud relies on IAM (Identity and Access Management), where you can create service accounts for accessing the app (as well as define roles for project members, including service accounts and Google accounts).
There are various ways to define permissions for access control, but I would recommend using the Cloud Console for it. Inside the console, go to the IAM page and select the project you want to define access control rules. These are the operations that you can do inside the IAM page:
Add team members (Google or service accounts.
Grant them one or more roles.
Change team member's access.
Revoke access to team members.
You can check this link for further info about how to manage roles and permssions using IAM.
I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)