We have an App Engine application build in Python using Endpoints. Access to it is restricted.
We have software that connects with the App Engine using a service account. With this service account we can also access Google Cloud Storage to create buckets.
Now we want to allow access to the App Engine (and not the Cloud Storage) for specific clients who will write their own software. So their software will be their end-user.
What do we have to create and share with the client so their software can authenticate only with the App Engine?
A service account does not seem possible since this allows access to the Cloud Storage.
Related
I'm developing a reactJS app that will run in browser. I want to make request from that app to services deployed in Google Cloud Run and Google Cloud Functions, both with authentication enabled, but I don't know how to authenticate requests.
I have a Service Account credentials with permissions to invoke those services but I cannot use default credentials due to reactJS environment variables names and I cannot use the NodeJS Google Cloud SDK.
How can I authenticate request to Cloud Functions/Cloud Run from reactJS apps outside of Google Cloud?
You have to use client side authentication mechanism. Firebase Auth works very well, and you have the Google Cloud version name Google Identity Platform.
EDIT 1
If your user aren't authenticated, you can't use authentication services. You should want to limit the access, the cost, the abuse of your Cloud Functions and Cloud Run services. For that, you need to use an API Gateway, such as Google Cloud API Gateway, or a more entreprise grade with APIGee.
You can also use a HTTPS Load Balancer in front of Cloud Functions or Cloud Run and activate Cloud Armor to prevent attacks on your service (but it's not a rate limit).
I have an app running on google cloud platform. I have access to lists of people (in my organisation) through Cloud IAM. I only want my app engine app to be accessible to some of these lists with them having to log on with their Google Account before being allowed in to the site (is this how Cloud IAM permissions work or is this single service sign-on?).
What kind of rules or roles do I need to set just to allow groups or lists to see and use an application?
In cloud IAM i see these potential roles related to app engine.
The 'App Engine Viewer' role has this description: "Ability to view App Engine app status.". Is this what I want?
You need to use Cloud IAP to limit users authentication to your AppEngine application.
Roles you mentioned (as AppEngine Viewer...) permits you to limit administration rights on your app: to only publish a new version, or only browse informations about your app deployment.
You can start easily with IAP with this good and official tutorial.
You want to send and consume Cloud Pub/Sub messages from your App Engine application. The Cloud Pub/Sub API is currently disabled. You will use a service account to authenticate your application to the API. You want to make sure your application can use Cloud Pub/Sub. What should
you do?
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the Service Account accesses it.
C. Use Deployment Manager to deploy your application. Rely on the automatic enablement of all APIs used by the application being deployed.
D. Grant the App Engine Default service account the role of Cloud Pub/Sub Admin. Have your application enable the API on the first connection to Cloud Pub/Sub.
I realized that if I build an app that uses pubsub. it works without manually enabled the pubsub api. But I couldn't find anything in the documentation about that. Which is the correct answer?
You want to send and consume Cloud Pub/Sub messages from your App
Engine application. The Cloud Pub/Sub API is currently disabled. You
will use a service account to authenticate your application to the
API. You want to make sure your application can use Cloud Pub/Sub.
What should you do?
Let's analyze each possible answer to determine the best answer.
A. Enable the Cloud Pub/Sub API in the API Library on the GCP Console.
This is a possible answer. The standard method is to enable services in the Google Cloud Console. You can also enable services with the Cloud SDK CLI gcloud services enable pubsub.googleapis.com
B. Rely on the automatic enablement of the Cloud Pub/Sub API when the
Service Account accesses it.
This is not a possible answer. Google Cloud Services are not automatically enabled when the service account accesses it. First, service accounts do not access APIs. Service accounts are used to obtain an OAuth Access Token (or Identity Token). These tokens are used to authorize APIs. Services are not automatically enabled with an API makes first access.
C. Use Deployment Manager to deploy your application. Rely on the
automatic enablement of all APIs used by the application being
deployed.
This is not a possible answer. Deployment Manager does not automatically enable services. You can use Deployment Manager Resource Types to enable services. You must create a virtual resource for each API that you want enabled.
D. Grant the App Engine Default service account the role of Cloud
Pub/Sub Admin. Have your application enable the API on the first
connection to Cloud Pub/Sub.
This is not a possible answer. Cloud Pub/Sub Admin does not have permissions to enable services. To enable services the service account (or User Account) will need roles/serviceusage.serviceUsageAdmin or another role with the permission serviceusage.services.enable.
Drumroll Please ....
Therefore the best answer is A in my opinion.
How to restrict a website running under App Engine to be accessible from enterprise corporate network only?
You need to use App Engine Firewall.
In this case, you have to add a firewall rule for the mentioned network. Once you have created that, you can edit the default rule to deny access from other IP's.
If your website communicates with other apps or services in App Engine, you have to consider adding the following rules.
Google offers the Cloud Identity-Aware Proxy for AppEngine and it's free. The only gotcha is that your users will need to fall into one of these categories:
Google account
Service account
Google group
G Suite domain
Cloud Identity domain
The documentation is here: https://cloud.google.com/iap/docs/
I have a Google App Engine project with access restricted to "Google Apps Accounts". I would like to access this via URLFetch in Google Script for a Google Sheets custom function.
What is the best way to authenticate this call? Or associate these projects to allow access.