
I have a service in Google Cloud App Engine which is behind IAP.

It is accessible only to users within my organisation. I need to make a few endpoints of this service accessible to all users. Is it possible to achieve this?

I have found some documentation which says that it is possible, but it also says: "The allUsers and allAuthenticatedUsers values are unsupported member types in a conditional role binding. If you specify one of these member types, the setIamPolicy operation will fail."

This is not clear to me and a bit confusing.

A small example: my service has the URL https://google-cloud-app-engine-service.com and I want to make only one endpoint of this service available to everyone: https://google-cloud-app-engine-service.com/public_endpoint.

Thank you!

Pavel Botsman

2 Answers

You can't whitelist a URL path with IAP. The finest grain is the service. I mean, you can activate IAP on App Engine. Then, for the service that you want, you can select it, go to the info panel and add allUsers or allAuthenticatedUsers with the role IAP-secured Web App User.


You have several alternatives:

  • Manage the security yourself and don't use IAP (which is not a good idea)
  • Use Cloud Endpoints in front of your App Engine. I wrote an article on this for securing with an API key, but you can change the security definition if you want. The problem is that you have to define all your API in Cloud Endpoints, and you have an additional component in your stack
  • Use 2 services (if possible). Set one public and the other protected by IAP.
guillaume blaquiere
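The "2 services" alternative from the answer above, as an added example (this is not code from the answer or from the asker): two App Engine services, `private` and `public`, the organisation's domain bound to the IAP role on `private` and `allUsers` bound to it on `public`. The project id, the service names, the domain, the runtime and the `DRY_RUN` switch are all assumptions; IAP is assumed to be already enabled on the app, as in the question. In dry-run mode the script only writes the two `app.yaml` files and prints the `gcloud` commands.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Splits an App Engine app
# into a "private" service (organisation only) and a "public" service
# (everyone) and grants the IAP access role per service.
# Assumptions: project id in $PROJECT, Workspace domain in $ORG_DOMAIN,
# service names "private"/"public", app code living in ./private and ./public.
set -euo pipefail

PROJECT="${PROJECT:-my-gcp-project}"     # assumed project id
ORG_DOMAIN="${ORG_DOMAIN:-example.com}"  # assumed organisation domain
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print gcloud commands only

# IAM role shown in the console as "IAP-secured Web App User".
IAP_ROLE="roles/iap.httpsResourceAccessor"

# Print (dry run) or execute a command.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Minimal app.yaml for one service. The "service:" key is what makes it a
# separate App Engine service, and therefore a separate IAP target.
write_app_yaml() {
  local service="$1" dir="$2"
  mkdir -p "$dir"
  cat >"$dir/app.yaml" <<EOF
runtime: python312
service: $service
EOF
  echo "$dir/app.yaml"
}

# gcloud arguments that grant MEMBER the IAP role on SERVICE. Deliberately no
# --condition: allUsers/allAuthenticatedUsers are rejected in conditional
# bindings, which is the restriction quoted in the question.
iap_binding_args() {
  local service="$1" member="$2"
  echo "iap web add-iam-policy-binding --project=$PROJECT" \
       "--resource-type=app-engine --service=$service" \
       "--member=$member --role=$IAP_ROLE"
}

main() {
  write_app_yaml private ./private >/dev/null
  write_app_yaml public  ./public  >/dev/null

  run gcloud app deploy ./private/app.yaml ./public/app.yaml \
      --project="$PROJECT" --quiet

  # Organisation members on the private service, everyone on the public one.
  # shellcheck disable=SC2046
  run gcloud $(iap_binding_args private "domain:$ORG_DOMAIN")
  # shellcheck disable=SC2046
  run gcloud $(iap_binding_args public allUsers)

  # Check: the private service's IAP policy must not contain allUsers.
  run gcloud iap web get-iam-policy --resource-type=app-engine \
      --service=private --project="$PROJECT"
}

main "$@"
```

Note that binding `allUsers` to the IAP role makes that service reachable by anyone on the internet without signing in; IAP still sits in front of it but lets every request through, so the public service should contain only the endpoints that are meant to be public. Run the final `get-iam-policy` check on the private service after every policy change.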

As @guillaume-blaquiere suggested in his answer, I split my App Engine service into two independent services and made the first one accessible only from within my organization and the second one accessible to everyone, using IAP.

Pavel Botsman
  • Could you describe how you split App Engine into two independent services? – Vasily Yanov Jun 23 '22 at 12:46
  • @VasilyYanov that's a big topic, but here are some ideas in general: I had my service, which mostly acted like an API. I needed a few endpoints to be publicly accessible, while all other endpoints needed to be accessible only within my Google Cloud project. So I created publicService, which had only the public endpoints, and privateService. If I needed some information in publicService, then I was able to make an API call from publicService to privateService to fetch it. It is also possible to make publicService act just like a proxy, where it would proxy only some set of endpoints. – Pavel Botsman Jun 24 '22 at 08:31
  • Ah, understood. In my case I solved the issue like guillaume blaquiere recommended: just enable allUsers access to the public services and enable IAP globally for App Engine. Thanks! – Vasily Yanov Jun 24 '22 at 11:01
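The "publicService as a proxy for some set of endpoints" idea from the comments above, as an added example (not code from the answer or the comment authors): the proxy keeps an exact-match allowlist of public paths, normalises the incoming path before checking it so that `/public_endpoint/../admin` cannot reach a non-public route on the private service, and attaches an OIDC ID token for the call through IAP. The private service URL, the allowlist, the IAP client id and the token-fetching callable are assumptions; in production the token would come from a library such as google-auth, here it is injected so the code runs offline.

```python
"""Added example, not code from the original post: an allowlist proxy for the
pattern where a public App Engine service forwards a few endpoints to an
IAP-protected private service.

Assumptions (not from the page): PRIVATE_BASE, PUBLIC_PATHS, IAP_CLIENT_ID and
the id_token_for callable are placeholders to replace with real values.
"""
import posixpath
import urllib.request
from typing import Callable, Optional
from urllib.parse import urlsplit

PRIVATE_BASE = "https://private-dot-my-gcp-project.appspot.com"  # assumed
PUBLIC_PATHS = frozenset({"/public_endpoint"})                   # assumed
IAP_CLIENT_ID = "1234567890-example.apps.googleusercontent.com"  # assumed


def public_target(raw_path: str) -> Optional[str]:
    """Return the upstream URL for raw_path if it is public, otherwise None.

    The path is normalised before the allowlist check so that dot segments
    ('/public_endpoint/../admin'), duplicate slashes and trailing slashes
    cannot be used to reach a route that is not on the allowlist. Matching is
    exact, so percent-encoded variants are simply not found. The query string
    is carried over unchanged.
    """
    parts = urlsplit(raw_path)
    if parts.scheme or parts.netloc:          # '//host/x' or 'http://...' is not a path
        return None
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    if path not in PUBLIC_PATHS:
        return None
    target = PRIVATE_BASE + path
    if parts.query:
        target += "?" + parts.query
    return target


def build_upstream_request(
    raw_path: str, id_token_for: Callable[[str], str]
) -> Optional[urllib.request.Request]:
    """Build the request the public service sends to the private service.

    IAP in front of the private service accepts a Google-signed OIDC ID token
    whose audience is the IAP OAuth client id, sent as a Bearer token.
    id_token_for(audience) supplies that token (google-auth in production).
    """
    target = public_target(raw_path)
    if target is None:
        return None
    req = urllib.request.Request(target)
    req.add_header("Authorization", "Bearer " + id_token_for(IAP_CLIENT_ID))
    return req


if __name__ == "__main__":
    fake_token = lambda audience: "id-token-for-" + audience  # constructed stand-in
    for p in ("/public_endpoint?id=7", "/public_endpoint/../admin", "/admin"):
        req = build_upstream_request(p, fake_token)
        print(p, "->", req.full_url if req else "rejected")
```

Requests that are not on the allowlist are rejected in the public service and never reach the private one, so the private service's IAP policy stays the only thing that grants access to everything else.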