Restrict access to "Google App Engine" services from outside invocation


Serhii Diukarev

Mar 18, 2020, 6:22:14 AM
to Google App Engine
Dear Sir/Madam,

I am developing a web service (server) for my web application. After looking at every amazing Google Cloud product, I am thinking of doing the following to have a secure server on Google Cloud:
  1. I want to be able to protect (certain) "App Engine" services from outside invocation. Add security specifications in Cloud Services to allow only my app's request endpoints. My app runs on a Node.js server on Google App Engine.
  2. I want to be able to make requests from "Cloud Tasks" and "Cloud Scheduler" to 'protected' "Cloud Function" AND "App Engine" endpoints from within the Google network.
I am looking forward to receiving your response!

vladoi

Mar 18, 2020, 8:22:51 AM
to Google App Engine

Hi,

If you would like to protect certain "App Engine" services from outside invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
Identity-Aware Proxy (IAP) lets you manage who has access to services hosted on App Engine.
You can turn on IAP and this will allow only members listed in the permission panel to access your App Engine services.

Sergii Diukarev

Mar 23, 2020, 6:41:22 PM
to Google App Engine
Thank you. You were right!

I enabled IAP and provided access for all my public services with `allUsers` role access. But how can I call a restricted service now? How do you authenticate a request from my local computer (for example, curl)?

I tried something like:
curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"

vladoi

Mar 24, 2020, 8:55:47 AM
to Google App Engine

Hi, 
According to the official documentation:

"allUsers
The value allUsers is a special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users." [1]

Also, when you add "allUsers", the following warning will be shown:
"Adding allUsers or allAuthenticatedUsers to this resource will make it publicly accessible to anyone on the internet. If this resource contains data that should not be made public to everyone, cancel this action to prevent public access."

I would suggest removing the allUsers member from IAP if you would like to have a restricted App Engine service.
One possible solution would be to create a service account [2], create a "key.json" file [3] and download it to your local computer, set the default credentials [4], add the service account as a member to IAP and select a role, and then call the App Engine service with the command you have provided.

curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"


Sergii Diukarev

Mar 24, 2020, 2:29:58 PM
to Google App Engine
I did all the steps you provided, but I am still getting the error:

Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (11115940511.apps.googleusercontent.com) doesn't match expected value (1111111166074-l111173bufqva1111111p0t76pfkam5.apps.googleusercontent.com))


Do you have any clue what that could be?

vladoi

Mar 25, 2020, 5:46:12 AM
to Google App Engine
I am not sure how you set up your use case, but I would recommend following these two tutorials [1][2].
The target audience of the JWT has to be the OAuth2 client ID from the IAP.
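The audience mismatch in the error above is the whole story of this thread: the ID token a service account obtains from Google's token endpoint carries as its `aud` whatever `target_audience` the caller put in the self-signed assertion, and IAP compares that `aud` with its own OAuth2 client ID. The following Python is an added example, not code from the thread or from Google, that plays out both sides of that exchange offline: the caller builds the assertion, a stand-in token endpoint mints the ID token, and a stand-in IAP check reproduces the rejection. The service-account email, the two client IDs and the shared HMAC key are constructed values; a real assertion is signed RS256 with the `private_key` from key.json and the real ID token is signed by Google, so one shared key here stands in for both.

```python
import base64
import hashlib
import hmac
import json
import time

# Documented endpoint and issuer used by the service-account ID-token flow.
TOKEN_URI = "https://oauth2.googleapis.com/token"
ID_TOKEN_ISSUER = "https://accounts.google.com"

# Constructed sample values for this example; none of these are real identifiers.
SA_EMAIL = "caller@example-project.iam.gserviceaccount.com"
IAP_CLIENT_ID = "111111111111-iapclientid.apps.googleusercontent.com"  # OAuth2 client ID shown in the IAP panel
OTHER_CLIENT_ID = "222222222222.apps.googleusercontent.com"            # some other OAuth client, the wrong audience
SHARED_KEY = b"demo-only-hmac-key"  # HS256 stand-in for the RS256 key in key.json / Google's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _decode_jwt(token: str, key: bytes) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def build_assertion(sa_email: str, target_audience: str, key: bytes, now=None, lifetime=3600) -> str:
    """Caller side: the self-signed JWT that is POSTed to the token endpoint."""
    now = int(time.time() if now is None else now)
    claims = {
        "iss": sa_email,
        "sub": sa_email,
        "aud": TOKEN_URI,                    # the assertion itself is addressed to the token endpoint...
        "target_audience": target_audience,  # ...and this value becomes the 'aud' of the minted ID token
        "iat": now,
        "exp": now + lifetime,
    }
    return _encode_jwt(claims, key)


def mint_id_token(assertion: str, key: bytes, now=None) -> str:
    """Token-endpoint side: validate the assertion and mint an OIDC ID token for target_audience."""
    now = int(time.time() if now is None else now)
    claims = _decode_jwt(assertion, key)
    if claims.get("aud") != TOKEN_URI or not claims["iat"] <= now < claims["exp"]:
        raise ValueError("assertion rejected")
    id_claims = {
        "iss": ID_TOKEN_ISSUER,
        "sub": claims["iss"],
        "email": claims["iss"],
        "aud": claims["target_audience"],
        "iat": now,
        "exp": now + 3600,
    }
    return _encode_jwt(id_claims, key)


def iap_check_audience(id_token: str, expected_client_id: str, key: bytes) -> str:
    """IAP side: the audience comparison whose failure text appears in the thread."""
    claims = _decode_jwt(id_token, key)
    aud = claims.get("aud")
    if aud != expected_client_id:
        raise ValueError(
            "Invalid IAP credentials: JWT audience doesn't match this application "
            f"('aud' claim ({aud}) doesn't match expected value ({expected_client_id}))"
        )
    return claims["email"]


def call_protected_service(target_audience: str, key: bytes = SHARED_KEY) -> str:
    """Run the full exchange; return the admitted caller identity or the rejection message."""
    assertion = build_assertion(SA_EMAIL, target_audience, key)
    id_token = mint_id_token(assertion, key)
    try:
        return iap_check_audience(id_token, IAP_CLIENT_ID, key)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(call_protected_service(OTHER_CLIENT_ID))  # the same rejection wording as in the thread
    print(call_protected_service(IAP_CLIENT_ID))    # caller@... is admitted
```

The fix on the caller side is only ever the `target_audience` claim: it must be the IAP OAuth2 client ID of the App Engine application, not the client ID of the service account key or of any other OAuth client. With gcloud and service-account credentials the equivalent is to pass that client ID as the audience when printing the identity token (the `--audiences` flag of `gcloud auth print-identity-token`).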

