Does enabling IAP for AppEngine change sa context?

[Jack Lee]

If we enable IAP for AppEngine and provide a specific service account to the client, will AppEngine and all Google APIs be executed under that sa context or will they still be executed under AppEngine's default sa? Without IAP enabled it appears to be the default sa since I can make requests to my (unprotected) webservice and retrieve data from BigQuery, Datastore, etc.

We would like to have a master project with our AppEngine and other Compute Engine in a "master"-project and then create new projects that hosts each customer's BigQuery data and then give each sa accounts access to AppEngine in the master project and then BigQuery data hosted in their respective projects. One reason is that we can monitor BigQuery expenditure on project level (see how much data are queried by each customer) while also keeping data separate.

/Jack

[David Charles Martinez]

Hello,

The service account provided to IAP is just used for authentication to IAP which will let you access your App Engine application. Any calls made once authenticated, will still use the App Engine default service account unless you have specified otherwise in your App Engine application.