Tags: google-app-engine, google-cloud-endpoints, google-iap

Identity-Aware Proxy (IAP) for Google Cloud Endpoints OpenAPI


We have an application (say App-B) that is developed in Python 3.7 standard environment.

This application will be accessed only by another project (application) that is part of GAE.

Do we need to expose App-B using Google Cloud Endpoints to make this happen? If yes, according to the docs here, we need to secure App-B using IAP. Can IAP support "applications" instead of "users"? How do we go about this?


Solution

  • These are the steps for setting up Cloud IAP access:

    1. Go to the Identity-Aware Proxy page.

    2. On the right side panel, next to Access, click Add.

    3. In the Add members dialog that appears, add the email addresses of groups or individuals to whom you want to grant the IAP-secured Web App User role for the project. Members can be:

       a. Google Accounts: user@gmail.com

       b. Google Groups: admins@googlegroups.com

       c. Service accounts: server@example.gserviceaccount.com

       d. G Suite domains: example.com

    Can IAP support "applications" instead of "users"? Yes, an IAP member can be a service account.

    A service account is a special kind of account that belongs to an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.

    You can find a detailed explanation in Enabling Cloud IAP and Service accounts.
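The following is an added example, not code from the question or the answer above, showing both halves of the service-account pattern the answer describes: the caller (App-A) obtains an OIDC ID token for its service account from the App Engine metadata server and presents it to the IAP-protected App-B, and App-B inspects the claims in the assertion that IAP forwards in the x-goog-iap-jwt-assertion header (issuer, audience, expiry, and an allow-list of calling service accounts). Only the Python standard library is used so the claim checks run offline; cryptographic verification of the assertion's signature is left to google-auth's verify_token with the IAP public-key URL, as noted in the comments. The project number, project ID, account names and sample token are constructed placeholders.

```python
"""
Added example (not part of the original question or answer): a caller app
(App-A) authenticating to an IAP-protected App Engine app (App-B) as a
service account, and App-B checking the assertion IAP forwards to it.
Project number, project ID, URLs and account names are constructed.
"""
import base64
import json
import time
import urllib.request
from typing import Dict, Optional, Set, Tuple

# Audience IAP places in its assertion for an App Engine app (documented format).
def iap_app_engine_audience(project_number: str, project_id: str) -> str:
    return f"/projects/{project_number}/apps/{project_id}"


# ---- Caller side (App-A) ---------------------------------------------------
# On App Engine the metadata server mints an OIDC ID token for the app's default
# service account. The audience must be the OAuth client ID IAP uses for App-B.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)

def fetch_identity_token(iap_client_id: str) -> str:
    req = urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?audience={iap_client_id}",
        headers={"Metadata-Flavor": "Google"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def call_iap_protected_app(url: str, id_token: str) -> bytes:
    # IAP accepts the service account's ID token as a bearer token and, after
    # checking the IAM policy, forwards the request with its own signed
    # assertion in the x-goog-iap-jwt-assertion header.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {id_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


# ---- Backend side (App-B) --------------------------------------------------
IAP_ISSUER = "https://cloud.google.com/iap"
IAP_PUBLIC_KEYS_URL = "https://www.gstatic.com/iap/verify/public_key"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(jwt: str) -> Dict:
    # Parses the payload only; it does NOT check the signature. In production
    # App-B must first verify the assertion, e.g. with
    # google.oauth2.id_token.verify_token(jwt, Request(), audience=...,
    # certs_url=IAP_PUBLIC_KEYS_URL) from the google-auth library.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def check_iap_claims(claims: Dict, expected_audience: str,
                     allowed_accounts: Set[str],
                     now: Optional[float] = None) -> Tuple[bool, str]:
    # Defensive checks App-B applies after signature verification: the token
    # came from IAP, was issued for this app, is unexpired, and names a
    # service account this backend is willing to serve.
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    email = claims.get("email", "")
    if email not in allowed_accounts:
        return False, f"caller {email!r} not allowed"
    return True, email


# ---- Constructed fixture so the checks can be exercised offline -------------
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_sample_assertion(claims: Dict) -> str:
    # Test fixture only: header + payload + empty signature segment.
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

APP_B_AUDIENCE = iap_app_engine_audience("123456789012", "app-b-project")   # constructed
ALLOWED_CALLERS = {"app-a@app-a-project.iam.gserviceaccount.com"}          # constructed
SAMPLE_CLAIMS = {
    "iss": IAP_ISSUER,
    "aud": APP_B_AUDIENCE,
    "email": "app-a@app-a-project.iam.gserviceaccount.com",
    "sub": "accounts.google.com:constructed-subject",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}
SAMPLE_ASSERTION = make_unsigned_sample_assertion(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_ASSERTION)
    print(check_iap_claims(claims, APP_B_AUDIENCE, ALLOWED_CALLERS, now=1_700_000_100))
```

The allow-list in check_iap_claims is what turns "IAP lets service accounts through" into "App-B serves only App-A": IAP's IAM binding decides who reaches the backend, and the backend's own check of the forwarded assertion is the second layer that protects it if the binding is ever widened by mistake.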