App Engine microservices + IAP + API Gateway


Dulce Hernandez Cruz

Feb 26, 2021, 6:27:10 AM
to Google App Engine
Hello,

I'm using API Gateway for different App Engine microservices, following the tutorial here, but when I turn on IAP for App Engine and try to make a request through the Gateway, I get a redirection response. If I test this through the browser, I log in with my Google account and I see the response. But if I test this through Postman or curl, I don't get any results.

The documentation says that "To grant access to your App Engine app, you will need to configure a service account with the correct permissions for your API Gateway."
I added the permission "IAP-secured Web App User" to the service account used for the gateway.

I thought that the API Gateway should handle the authentication part and that I could access the App Engine endpoint.

What is the correct behavior of the IAP - API Gateway configuration?



Andrew Cooper

Apr 19, 2021, 4:56:27 AM
to Google App Engine

I would suggest that you go through a few debug steps to see where it might have failed. Typically it is because you missed a step during the configuration.

  1. Make sure the APIs are enabled

Re-enabling the APIs might seem obvious, but you can re-enable the APIs with the debug flag. They might have failed silently and did not enable as expected. Try again with the debug flag to identify any potential root causes.

```
gcloud services list
```

Required APIs

```
gcloud services enable <API> --log-http --verbosity=debug
```

Please note, do not share the output of this command unless you redact any identifiable information first.

  2. Make sure you have set up IAP access correctly

Requests from the API Gateway to any back-end service will most likely use authentication. These requests are secured using OpenID Connect (OIDC) tokens signed by the gateway's service account.

Check to see if your back-end services can accept OIDC tokens for authentication and authorization [1].

Although you have added the IAP-secured Web App User permission to the service account, as per the documentation [2], you also need to add the permission to the Project Owner.

Role-based access: If you're a project owner, you may think that you get automatic access to the app. That is not the case as only accounts with the IAP-secured Web App User role on this project will be given access. Imagine you're in corporate IT implementing IAP access to the HR payroll system. In most scenarios, only the staff on the Payroll team should have access to the app. This is one of the reasons why role-based access is more secure. The owner (or editor, etc.) of a project can manage all aspects of the project but doesn't automatically get app access.
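As an added offline diagnostic (not code from this thread or from Google's documentation) for the "can the backend accept the gateway's OIDC token" check above, this script decodes an identity token's payload and verifies the claims an IAP-protected backend keys on: the issuer, the `email` of the gateway service account that was granted IAP-secured Web App User, and, as an assumption, an `aud` equal to the IAP OAuth client ID. The token, client ID and service account below are constructed placeholders, and the signature is not verified here (IAP does that server-side).

```sh
#!/bin/sh
# Assumptions (labelled): IAP expects `aud` = IAP OAuth client ID and `email` =
# the gateway service account holding IAP-secured Web App User.

# base64url-decode one JWT segment: restore padding, swap the URL-safe alphabet.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr -- '-_' '+/')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  i=0
  while [ "$i" -lt "$pad" ]; do seg="${seg}="; i=$((i + 1)); done
  printf '%s' "$seg" | base64 -d
}

# Extract a string claim from the payload (second dot-separated segment).
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 and print "claims ok" when issuer, audience and signing account
# match what the IAP backend expects; otherwise print the first bad claim.
check_token() {
  tok=$1; want_aud=$2; want_email=$3
  iss=$(jwt_claim "$tok" iss)
  [ "$iss" = "https://accounts.google.com" ] || { echo "bad iss: $iss"; return 1; }
  aud=$(jwt_claim "$tok" aud)
  [ "$aud" = "$want_aud" ] || { echo "bad aud: $aud"; return 1; }
  email=$(jwt_claim "$tok" email)
  [ "$email" = "$want_email" ] || { echo "bad email: $email"; return 1; }
  echo "claims ok"
}

# Constructed sample token with placeholder values and a dummy signature.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr -- '+/' '-_'; }
make_sample_token() {
  hdr=$(b64url '{"alg":"RS256","typ":"JWT"}')
  pl=$(b64url "{\"iss\":\"https://accounts.google.com\",\"aud\":\"$1\",\"email\":\"$2\",\"email_verified\":true}")
  printf '%s.%s.%s' "$hdr" "$pl" "ZHVtbXktc2lnbmF0dXJl"
}

WANT_AUD="EXAMPLE-CLIENT-ID.apps.googleusercontent.com"     # placeholder
WANT_SA="gateway-sa@example-project.iam.gserviceaccount.com" # placeholder
check_token "$(make_sample_token "$WANT_AUD" "$WANT_SA")" "$WANT_AUD" "$WANT_SA"
```

To inspect a real token, pass the value the gateway puts in the `Authorization: Bearer` header to `check_token` with your own IAP client ID and gateway service account.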
