Cloud IAP with Standard second generation runtimes?


Parth Mishra

Sep 4, 2018, 7:54:40 PM
to Google App Engine

I was wondering what the status of Cloud Identity Aware Proxy integration with the second gen runtimes (specifically Python 3.7) is. I would like to authenticate a Service Account to invoke my application from an on-premise server, and it seems like IAP is a good method for doing this (in addition to restricting the firewall).

However, the documentation doesn't make it clear what approach to take to integrate, since it requires the Users API for the standard environment (which isn't supported by Python 3.7). Do I need to use either first-gen Standard or switch to Flexible?

Parth Mishra

Sep 7, 2018, 3:24:10 PM
to Google App Engine
Follow up: what's the difference between this and say, Cloud Endpoints authentication via OpenAPI? 

Mike McDonald

Sep 11, 2018, 3:10:21 PM
to Google App Engine
Parth,

Good questions. I've answered them inline below.

Thanks,
--Mike

On Friday, September 7, 2018 at 12:24:10 PM UTC-7, Parth Mishra wrote:
Follow up: what's the difference between this and say, Cloud Endpoints authentication via OpenAPI? 

Endpoints:
  • Pros:
    • Can do Google or non-Google auth (e.g. Firebase Auth, or any other OIDC JWT)
    • Can do per-path authentication
  • Cons:
    • Doesn't provide login/logout URLs for web apps (e.g. won't initiate 3LO OAuth flow, refresh tokens)
    • Not integrated with Cloud IAM for authorization (e.g. can't grant a single user access)
    • Not a fully managed system (deployed with your GAE app)
    • Doesn't work with Gen 2 runtimes
IAP:
  • Pros:
    • Designed to handle 2LO and 3LO flows (will handle token refresh for web apps)
    • Integrated with Cloud IAM
    • Works with GAE Gen 1 and 2
  • Cons:
    • Whole app only (no per-path auth yet)
    • Google Auth only
    • Somewhat annoying way to generate tokens (though compute metadata makes this easier)
Probably missing some things, but that's the gist :)

On Tuesday, September 4, 2018 at 7:54:40 PM UTC-4, Parth Mishra wrote:

I was wondering what the status of Cloud Identity Aware Proxy integration with the second gen runtimes (specifically Python 3.7) is. I would like to authenticate a Service Account to invoke my application from an on-premise server, and it seems like IAP is a good method for doing this (in addition to restricting the firewall).

I just tried it and it works.

However, the documentation doesn't make it clear what approach to take to integrate, since it requires the Users API for the standard environment (which isn't supported by Python 3.7). Do I need to use either first-gen Standard or switch to Flexible?

Instead of using the Users service, you'll have to grab the headers which have the userID and email (or the full JWT). Note that the IAP site claims this doesn't work for Standard, but it does for Gen 2.
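Added example, not from this thread or from Google's IAP documentation: a Python 3.7-style check that consumes the IAP headers Mike describes instead of the Users API, trusting the unsigned email header only when it agrees with the signed assertion. It assumes the IAP header names, issuer and App Engine audience format as they were documented in 2018, delegates the ES256 signature check to a caller-supplied verifier (for example google.oauth2.id_token.verify_token with IAP_CERTS_URL), and the project number, project ID and service-account email in the test are constructed sample values.

```python
import base64
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"
# IAP signs assertions with ES256; the verifier you pass in should use these keys.
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
JWT_HEADER = "X-Goog-IAP-JWT-Assertion"
EMAIL_HEADER = "X-Goog-Authenticated-User-Email"


def app_engine_audience(project_number, project_id):
    """Audience IAP puts in the assertion for an App Engine app."""
    return f"/projects/{project_number}/apps/{project_id}"


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JWT segment (for constructed samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_segment(segment):
    """Decode one JWT segment, restoring the base64 padding JWTs strip."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def verify_iap_request(headers, audience, verify_signature, now=None):
    """Return (email, subject) for a request that really came through IAP.
    verify_signature(assertion) -> bool must check the ES256 signature against the
    IAP public keys; issuer, audience, lifetime and header agreement are checked here."""
    assertion = headers.get(JWT_HEADER)
    if not assertion or assertion.count(".") != 2:
        raise PermissionError("missing or malformed IAP assertion")
    if not verify_signature(assertion):
        raise PermissionError("IAP assertion signature invalid")
    claims = decode_segment(assertion.split(".")[1])
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("aud") != audience:
        raise PermissionError("assertion was minted for a different app")
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None or not (iat - 30 <= now < exp):
        raise PermissionError("assertion expired or not yet valid")
    # The plain email header is unsigned and prefixed with "accounts.google.com:";
    # only trust it when it agrees with the signed claim.
    email_hdr = headers.get(EMAIL_HEADER, "")
    if email_hdr and email_hdr.split(":", 1)[-1] != claims.get("email"):
        raise PermissionError("email header disagrees with signed assertion")
    return claims["email"], claims["sub"]
```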
