Security between Google App Engine projects - google-app-engine

How do I ensure that only a specific Google App Engine project can communicate with another web endpoint located in an other GAE Project.
I want to lock communication between App Engine Projects.
What would be the best way to accomplish this ?

The best way would be to make use of the request header X-Appengine-Inbound-Appid within your App Engine web endpoint application to assert the identity of your specific App Engine app that should be allowed to communicate. This header is added to the request by the URLFetch service and is not user modifiable.
Detail documentation can be found at https://cloud.google.com/appengine/docs/python/appidentity/#Python_Asserting_identity_to_other_App_Engine_apps

Not tested, but I thought application itself is admin, so how about like this?
Add login: admin to all handlers in app.yaml
Go to Google Developer Console, project -> Permissions, then Add project account which you want to communicate with into service accounts.
I hope it works.

Related

How to setup Google IAP between 2 Google App Engine Apps

I have a frontend project and a backend project. These are 2 separate app engine projects.
Setting up IAP on both is not problem but when my frontend project tries to call the backend project it is blocked.
Is there anyway to have access allowed to the backend project when the user passes the frontend IAP ? or do I have to leave the backend project without IAP enabled ?
You have to programmatically invoke (make the call using an OIDC token) to the backend from your front end. See documentation on how to do that.
There are misunderstandings. Let me clarify.
Firstly, your App Engine is highly scalable in a single project. Instead of having several projects with several App Engine, you should have only one project, with a single App Engine and multiple services.
Default is usually used for the frontend part. You can use an API service for your backend, or name it as you wish.
Like that, the whole website will be protected by the same IAP context. Like that, no issue as you have before, it's the same IAP cookies and the API calls should not create issues.
Secondly, keep in mind that your JS code runs in the client browser, not on App Engine; App Engine only serves the static files, that's all. All the rest of the computation is performed locally.

Microservices with App Engine and API Gateway

I have several microservices hosted using GAE Stadard. Currently the UI communicates directly with each service. I'd like to setup an API gateway so the traffic will be routed to the correct service based on path. E.g. any requests starts with /products will go to service A, while /orders will go to service B.
Is it something can be done using Google Cloud, without having to develop a new routing service?
Thanks in advance
There is a New Feature in Beta for App Engine that allow you to setup and deploy an API gateway for your services, which is exactly what you want to do.
You can check details and a tasklist of how to set it up in this Documentation.

Custom service account for AppEngine

I would like to set separate permissions for different applications that run on GCP AppEngine.
I think, that the way to do this is by using specialized service accounts for each application.
As far as I understand, all applications run with the AppEngine default service account project#appspot.gserviceaccount.com
Is there a way to explicitly set a service account for an application which is running on AppEngine in GCP? Then I would be able to create separate service accounts with fine access restrictions.
tldr; you can do gcloud beta app deploy --service-account=<your_service_account> app.yaml
AppEngine app's identity are not restricted to the AppEngine default service account anymore. You can deploy with custom service account for each AppEngine app now by following https://cloud.google.com/appengine/docs/standard/python/user-managed-service-accounts#app.yaml.
This works for both AppEngine Standard and Flexible.
I am assuming you mean App Engine Standard. You only have one App Engine Standard per project.
You can have multiple services under App Engine.
You will need to create a service account and then load the service account inside your code. You can then change the default service account to have the minimum permissions required to function. Make sure you research what you are doing before changing permissions. You can break App Engine by being too restrictive.
However, that brings up security issues on how you manage and distribute the service account keys.
If you mean App Engine Flexible. Google does not even show the Flexible service account in the console as Google does not want you to modify it.
You have to just add the following code in your app.yaml file
service_account: {SERVICE_ACCOUNT_YOU_WANT_TO_USE_TO_ACCESS_APP_ENGINE}

How to make an application deployed to google cloud app engine available to certain white-listed IPs

I have an application deployed to an app engine service. I have many services under the same app engine. How can I make the application available to certain white-listed IPs? In other words, I want this application to accept requests from certain IPs and deny all other request?
Can we do this by writing some configurations in app.yaml file?
Note: I just want to apply the rule to one service only so that other services will not be affected.
Applying this kind of restriction at a service level is, at the moment, not possible.
The best option would be to deploy the services you want to protect on a different project, and use the App Engine firewall there.

SSL with Google App Engine custom domain

Does anyone know if it is going to be possible anytime soon to setup SSL for a custom domain without a Google App account directly from the Google cloud developers console? Signing up for yet another Google account is bordering on making me insane.
I have setup a custom domain via the Google cloud developers console for my app project, and this is serving as a naked url...no problem.
Then I tried to setup a Google App account with an existing account linked to my Google App Engine project as an owner, but it didn't like it. So I setup a new one (deleted now) and re-verified the custom domain, which then stopped the serving of the custom domain. I then deleted the Google App account and it started serving the custom domain again. I have no idea why, what or how...
I have purchased an SSL certificate from Comodo, not yet activated, and all I want to do is set it up without giving myself an emotional hernia, I get enough of those from coding! And, yes, read the docs, but you know, they suck! A step by step idiots example would be great!
Does anyone have a guide other than a google doc on how to setup SSL for a custom domain including activating the SSL cert etc. etc.
Thanks one and all
Ok, I have discovered that Google are moving the SSL setup to their developers cloud console at the end of August 2015. So I shall wait until then to see what that process is like and then decide to go with it or perhaps use Cloudflare or some other alternative if there is one.
See https://code.google.com/p/googleappengine/issues/detail?id=777
We have added support for custom domains for App Engine from the
Google Developers Console, meaning you can now associate a custom
domain without first associating that domain with Google Apps.
To access the feature, visit https://console.developers.google.com/
and you will find the option to add a custom domain under App Engine >
Settings.
NOTE: Currently we do not support SSL on custom domains created
through this method (although we expect to rectify this in a future
release). In the meantime, we continue to support SSL (via VIP or SNI)
for custom domains that are created through Google Apps, and we
continue to provide free HTTPS for all *.appspot.com domains.

Resources