0

I have a project on Google Cloud Platform that's made up primarily of Kubernetes services and those are exposed to the public internet using an ingress, also defined in Kubernetes.

Some services are protected by the Identity-Aware Proxy. Until now, the only way I've found to manage user/group/domain access to individual services is in the web UI console to navigate to Security > Identity-Aware Proxy and add users/groups/domains to each protected service as an "IAP-secured Web App User". Aside from being a tedious and manual process, these permissions get wiped out if you re-deploy one of the services. This is untenable, especially as the rest of the platform is managed with Terraform.

I want to view the current IAP users using the gcloud CLI utility, so I do gcloud iap web get-iam-policy and to my surprise, I get nothing in return. I also try adding switches like --resource-type=backend-services, --project, and nothing I do will return any information about current policies on the IAP. I'm expecting to see an IAM policy somewhere with the list of users/groups/domains having roles/iap.httpsResourceAccessor.

So the first question is, what am I missing here? Why can't I see the current IAP permissions with gcloud?

The end goal is managing this all with Terraform. What I want to be able to do is say "group:admins@xyz.com is a roles/iap.httpsResourceAccessor for service production/admin" for example. Looks like google_iap_web_backend_service_iam_member may be the way to go here, but then the question is: how to identify the web_backend_service? If I run gcloud compute backend-services list, all of the backend services have names that are generated by Google, e.g. k8s1-<hash>-<namespace>-<app name>-80-<hash>.

mroach
  • 2,403
  • 1
  • 22
  • 29
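The question touches two mechanical steps: resolving the Google-generated backend-service name for a given namespace/app so it can be passed as the web_backend_service of google_iap_web_backend_service_iam_member (or to gcloud), and reading back who currently holds roles/iap.httpsResourceAccessor on it. The script below is an added illustration, not part of the question or of Google's tooling. It assumes the k8s1-<hash>-<namespace>-<app>-<port>-<hash> naming shown in the question, uses the documented gcloud commands (`gcloud compute backend-services list`, `gcloud iap web get-iam-policy` / `add-iam-policy-binding` with `--resource-type=backend-services --service=...`), and feeds a constructed list of backend names into the name-matching function so that part runs offline; the project id, namespace, app and group values are placeholders.

```shell
#!/bin/sh
# Added example: map a GKE namespace/app to its generated backend-service name
# and inspect / set the IAP access policy on it with gcloud.
set -eu

# Constructed sample of what `gcloud compute backend-services list
# --format='value(name)'` prints for a GKE ingress; the hashes are made up.
SAMPLE_BACKENDS='k8s1-a1b2c3d4-production-admin-80-e5f6a7b8
k8s1-a1b2c3d4-production-api-80-9a8b7c6d
k8s1-a1b2c3d4-staging-admin-80-1122aabb'

# find_backend NAMESPACE APP PORT
# Reads backend-service names on stdin and prints the one whose name has the
# k8s1-<hash>-<namespace>-<app>-<port>-<hash> shape. Prints nothing on no match;
# if more than one line comes back the names are ambiguous and the caller
# should stop rather than guess.
find_backend() {
  ns=$1; app=$2; port=$3
  grep -E "^k8s1-[0-9a-f]+-${ns}-${app}-${port}-[0-9a-f]+$" || true
}

# list_backends PROJECT : live call, only used when gcloud is installed.
list_backends() {
  gcloud compute backend-services list --project="$1" --format='value(name)'
}

# resolve_backend PROJECT NAMESPACE APP PORT : exactly one generated name, or fail.
resolve_backend() {
  name=$(list_backends "$1" | find_backend "$2" "$3" "$4")
  case "$name" in
    "")   echo "no backend service for $2/$3:$4 in $1" >&2; return 1 ;;
    *"
"*)    echo "ambiguous backend services for $2/$3:$4:" >&2
        echo "$name" >&2; return 1 ;;
  esac
  printf '%s\n' "$name"
}

# iap_members PROJECT NAMESPACE APP PORT
# Lists the members that hold roles/iap.httpsResourceAccessor on the service.
# --flatten/--filter is the standard gcloud way to pull one role's members
# out of an IAM policy document.
iap_members() {
  svc=$(resolve_backend "$@")
  gcloud iap web get-iam-policy --project="$1" \
    --resource-type=backend-services --service="$svc" \
    --flatten='bindings[].members' \
    --filter='bindings.role=roles/iap.httpsResourceAccessor' \
    --format='value(bindings.members)'
}

# iap_grant PROJECT NAMESPACE APP PORT MEMBER
# MEMBER is an IAM principal string such as group:admins@xyz.com (placeholder).
iap_grant() {
  svc=$(resolve_backend "$1" "$2" "$3" "$4")
  gcloud iap web add-iam-policy-binding --project="$1" \
    --resource-type=backend-services --service="$svc" \
    --member="$5" --role=roles/iap.httpsResourceAccessor
}

# Offline demonstration against the constructed list (no gcloud needed):
#   sh iap-backend.sh --demo   ->  k8s1-a1b2c3d4-production-admin-80-e5f6a7b8
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_BACKENDS" | find_backend production admin 80
fi
```

The same resolved name is what goes into the Terraform resource's web_backend_service argument; because the name is generated by the ingress controller, a binding keyed on it has to be re-resolved if the backend service is ever recreated under a new hash, which is worth checking after the kind of redeploy the question describes.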

0 Answers