Hi,
According to the official documentation :
"
allUsers
The value allUsers
is a special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users." [1]
Also when you will add "allUsers" the following warning will be posted:
"Adding allUsers or allAuthenticatedUsers to this resource will make it publicly accessible to anyone on the internet. If this resource contains data that should not be made public to everyone, cancel this action to prevent public access."
I would suggest to remove the allUsers member from IAP if you would like to have restricted App Engine Service.
One possible solution would be to create a service account [2], create a "key.json"[3] file and download on your local computer, set the default credentials [4], add the service account as a member to IAP and select a role, and then call the App Engine service with the command you have provided.