
I have a service in Google Cloud App engine, which is behind IAP.

It is accessible only to users within my organisation. I need to make a few endpoints of this service accessible to all users. Is it possible to achieve this?

I have found an instruction, which says that it is possible, but it also says: The allUsers and allAuthenticatedUsers values are unsupported member types in a conditional role binding. If you specify one of these member types, the setIamPolicy operation will fail.

This is not clear to me and a bit confusing.

A small example: my service has the URL https://google-cloud-app-engine-service.com, and I want to make only one endpoint of this service available to everyone: https://google-cloud-app-engine-service.com/public_endpoint.

Thank you!

Pavel Botsman

2 Answers


You can't whitelist a URL path with IAP. The finest grain is the service. I mean, you can activate IAP on App Engine. Then, for the service that you want, you can select it, go to the info panel and add allUsers or allAuthenticatedUsers with the role IAP-secured Web App User.


You have several alternatives:

  • Manage the security yourself and don't use IAP (which is not a good idea).
  • Use Cloud Endpoints in front of your App Engine. I wrote an article on this for securing with an API key, but you can change the security definition if you want. The problem is that you have to define your whole API in Cloud Endpoints, and you have an additional component in your stack.
  • Use 2 services (if possible). Set one public and the other protected by IAP.
guillaume blaquiere
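The two-service split described in the answer above comes with two ways to get the IAM policy wrong: granting allUsers on the service that was meant to stay organisation-only, or trying the per-path carve-out with a conditional binding (which the documentation quoted in the question says setIamPolicy rejects). The audit below is an added example, not code from the question or the answer; it works on policies in the shape `gcloud iap web get-iam-policy` returns, and the service names, the `example.org` domain and the policy contents are constructed placeholders.

```python
"""Audit IAP IAM policies for a two-service App Engine split (added example)."""
IAP_WEB_USER = "roles/iap.httpsResourceAccessor"  # "IAP-secured Web App User"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policies in the shape gcloud returns (bindings / version).
# "internal" should stay limited to the organisation; "public" may be open.
POLICIES = {
    "internal": {
        "version": 3,
        "bindings": [
            {"role": IAP_WEB_USER, "members": ["domain:example.org"]},
            # A per-path carve-out attempted with a condition: this is the
            # pattern the quoted documentation says setIamPolicy will reject.
            {"role": IAP_WEB_USER, "members": ["allUsers"],
             "condition": {"title": "public path",
                           "expression": 'request.path.startsWith("/public_endpoint")'}},
        ],
    },
    "public": {
        "version": 3,
        "bindings": [{"role": IAP_WEB_USER, "members": ["allUsers"]}],
    },
}


def audit(policies, public_services):
    """Return (service, finding) tuples for every risky public grant.

    - allUsers/allAuthenticatedUsers inside a conditional binding: unsupported,
      so a single public path cannot be carved out of an IAP-protected service.
    - a public member on a service not listed in public_services: IAP grants
      per service, so the whole service (not one endpoint) becomes reachable.
    """
    findings = []
    for service, policy in policies.items():
        for binding in policy.get("bindings", []):
            public = PUBLIC_MEMBERS & set(binding.get("members", []))
            if not public:
                continue
            if "condition" in binding:
                findings.append((service, f"{sorted(public)} in a conditional binding is unsupported"))
            if service not in public_services:
                findings.append((service, f"{sorted(public)} exposes the whole service"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(POLICIES, {"public"}):
        print(f"{service}: {finding}")
```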

As @guillaume-blaquiere suggested in his answer, I split my App Engine service into two independent services and made the first one accessible only from within my organization and the second one accessible to everyone, using IAP.

Pavel Botsman