I am testing Google IAP on an Appengine project.
This project consit of 3 services (formerly known as modules).
Each one represent an environment (default is dev, staging and prod).
My problem is that only one resource is listed in the IAP menu:
The one corresponding to the defaulf version of the default service.
How can I consider other services/version when using Google IAP ?
Thx!
Unfortunately, you can't set access permissions at the service level. IAP only applies at the GAE App level and or GCE backend service.
From a best practices perspective, Dan is correct. You generally want to have separate projects for each environment.
Related
I would like to set separate permissions for different applications that run on GCP AppEngine.
I think, that the way to do this is by using specialized service accounts for each application.
As far as I understand, all applications run with the AppEngine default service account project#appspot.gserviceaccount.com
Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.
tldr; you can do gcloud beta app deploy --service-account=<your_service_account> app.yaml
AppEngine app's identity are not restricted to the AppEngine default service account anymore. You can deploy with custom service account for each AppEngine app now by following https://cloud.google.com/appengine/docs/standard/python/user-managed-service-accounts#app.yaml.
This works for both AppEngine Standard and Flexible.
I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.
You can have multiple services under App Engine.
You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.
However, that brings up security issues on how you manage and distribute the service account keys.
If you mean App Engine Flexible. Google does not even show the Flexible service account in the console as Google does not want you to modify it.
You have to just add the following code in your app.yaml file
service_account: {SERVICE_ACCOUNT_YOU_WANT_TO_USE_TO_ACCESS_APP_ENGINE}
I have an application deployed to an app engine service. I have many services under the same app engine. How can I make the application available to certain white-listed IPs? In other words, I want this application to accept requests from certain IPs and deny all other request?
Can we do this by writing some configurations in app.yaml file?
Note: I just want to apply the rule to one service only so that other services will not be affected.
Applying this kind of restriction at a service level is, at the moment, not possible.
The best option would be to deploy the services you want to protect on a different project, and use the App Engine firewall there.
Is there a way to deploy "internal facing" applications in Google App Engine. AWS offers this capability as explained here and so does Azure as explained here.
What is the GCP equivalent for this? It appears App Engine Flexible Environment could be the answer but I could not find a clear documentation on whether Flexible Environment is indeed the way to host intranet facing applications. Is there someone from GCP who can advise?
Update
I tested the solution recommended by Dan recently. Listed below are my observations:
App Engine Flex allows deploying to a VPC and this allows VPN scenarios. The VPN scenarios however is for connections (originating) from App Engine to GCP VPCs or to other networks outside GCP which can be on-prem or in another cloud.
Access (destined) to the app itself from a GCP or another network is always routed via the internet facing Public IPs. There is no option to access the app at a private IP at the moment.
If there's another update, I will update it here.
Update 28Oct2021
Google has now launched Serverless Network Endpoint Group(NEG)s. With this users can connect AppEngine, Cloud Run & Cloud Function endpoints to a LoadBalancer. However at the moment, you can only use Serverless NEGs with an external HTTP(S) load balancer. You cannot use serverless NEGs with regional external HTTP(S) load balancers or with any other load balancer types. Google documentation for Serverless NEGs is available here.
I'm not sure this meets your requirements, but it's possible to set up an App Engine Standard application (not certain about Flexible) such that it is only accessible to users logged into your G-Suite domain. This is the approach I've used for internal-facing applications in the past, but it only applies if your case involves an entity using G-Suite.
You can set this up under the App Engine application Settings, under Identity Aware Proxy.
In this scenario the application is still operating at a publicly accessible location, but only users logged into your G-Suite domain can access it.
It should be possible with the GAE flexible environment. From Advanced network configuration:
You can segment your Compute Engine network into subnetworks. This
allows you to enable VPN scenarios, such as accessing databases within
your corporate network.
To enable subnetworks for your App Engine application:
Create a custom subnet network.
Add the network name and subnetwork name to your app.yaml file, as specified above.
To establish a VPN, create a gateway and a tunnel for a custom subnet network.
The standard env GAE doesn't offer access to the networking layer to achieve such goal.
I'm finding alternatives for Google App Engine for startup. The preconfigured service hosting include security, networking, scaling, database, backup, application, maturity and etc.. Because we have no experts on each parts. It's too hard operating whole service stack properly for only one application programmer.
What other services can I consider for this?
The term you want to search for is PaaS or Platform-as-a-Service. I do not claim to be an expert in this nacent field, however my basic understanding of the key players other than Google App Engine are:
Amazon AWS - My understanding is that Amazon's Web Services gives you bare-bones OS installs that you can completely own. While this allows for more configuration than App Engine, this also means you are on the hook for patching security holes and what not. (Right?)
Heroku - App Engine type functionality, except for Ruby
AppHarbor - App Engine type functionality, except for .NET
Microsoft Azure - Amazon AWS type functionality, except for Windows/The Microsoft stack.
The CloudCamp awards 2011 serves as a nice list of PaaS services
Actualy, It's a couple of questions:
Is it possible to somehow avoid registering google apps if I just want to connect google app engine applications to non-naked domain (www.example.com for example:)
If described above is impossible, than do I have a right to register Google Apps Education Edition. And how can I proof that I'm non-profit if I'm not US resident?
If I need to connect a couple of domains to a couple of google app instances must I use a couple of google appss as well?
Here is a couple of answers:
No, Google App Engine uses Google Apps to manage domains. See the Deploying your Application on your Google Apps URL article.
Yes, if you are a School or University as explained here. If you aren't, why don't you just go for the Standard Edition?
Yes, for a couple of domains and a couple of GAE instances, you'll need a couple of Google Apps AFAIK. But this shouldn't be an issue as the Google Apps Standard Edition is free. No. As pointed out by Nick, you can add multiple domains to an Apps account as aliases, then map them to different App Engine apps.
Edit: The 3rd answer has been updated with the input provided by Nick Johnson in a comment.
With the the (new?) developer console it is possible add domains to apps for free without using Google Apps. But you will not be able to use HTTPS without registering the domain with Google Apps.
So the answer to the first question is "Yes" (presuming TLS is not required). The second question is not relevant. And as for the third question, multiple domains can be linked with the same application (without using Google Apps).
Select your project in the developer console (https://console.developers.google.com/project)
Navigate the side menu to access App Engine domain settings (App Engine -> Settings)
After verifying your domain (which may take some time) you can add the domain to the app.
I can't currently find Google-blessed documentation to support this. But I am currently serving an App Engine application on a domain that is not registered with Google Apps.
Another option commonly used is to use a reverse proxy to map customer domains to your AppEngine app. I'm using this because I can't add them as Google Apps domain aliases on my primary domain, since some customers run Google Apps by their own.
Details here: http://devblog.ronoaldo.net/2013/09/mapping-multiple-domains-to-google.html