Hi,
According to the official documentation:

"allUsers: The value allUsers is a special identifier that represents anyone 
who is on the internet, including authenticated and unauthenticated users." [1]
Also, when you add "allUsers", the following warning is shown:
"Adding allUsers or allAuthenticatedUsers to this resource will make it 
publicly accessible to anyone on the internet. If this resource contains 
data that should not be made public to everyone, cancel this action to 
prevent public access."


I would suggest removing the allUsers member from IAP if you would like to 
have a restricted App Engine service. 
One possible solution would be to create a service account [2], create a 
"key.json" file [3] and download it to your local computer, set the default 
credentials [4], add the service account as a member in IAP and select a 
role, and then call the App Engine service with the command you have 
provided:

curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
  -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"


---------
[1] https://cloud.google.com/iam/docs/overview
[2] https://cloud.google.com/iam/docs/creating-managing-service-accounts
[3] https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
[4] https://cloud.google.com/docs/authentication/production

On Monday, March 23, 2020 at 11:41:22 PM UTC+1, Sergii Diukarev wrote:
>
> Thank you. You were right!
>
> I enabled IAP and provided access for all my public services with `allUsers` 
> role access. But how can I call a restricted service now? How do you 
> authenticate a request from my local computer (for example with curl)?
>
> I tried something like:
> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>
> On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>>
>>
>> Hi,
>>
>> If you would like to protect certain "App Engine" services from outside 
>> invocation, I would recommend using Google Cloud Identity-Aware Proxy.
>> Identity-Aware Proxy (IAP) lets you manage who has access to services 
>> hosted on App Engine. 
>> You can turn on IAP, and this will allow only members listed in the 
>> permission panel to access your App Engine services.
>>
>> [1] https://cloud.google.com/iap/docs
>>
>> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>>
>>> Dear Sir/Madam,
>>>
>>> I am developing a web service (server) for my web application. After 
>>> looking at every amazing Google Cloud product, I am thinking of doing the 
>>> following to have a secure server on Google Cloud:
>>>
>>>    1. I want to be able to protect (certain) "App Engine" services from 
>>>    outside invocation. Add security specifications in Cloud Services to 
>>>    allow only my app's request endpoints. My app is running on a Node.js 
>>>    server on Google App Engine.
>>>    2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>>>    Scheduler" to 'protected' "Cloud Function" AND "App Engine" endpoints 
>>>    from within the Google network.
>>>
>>> I am looking forward to receiving your response!
>>>
>>

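The reply at the top of this message suggests calling the IAP-protected 
service with the identity token that gcloud prints. As an added example that 
is not part of any message in this thread (and not Google's code), the Python 
script below inspects such a token on the client side before it is sent and 
reports the claim problems that most often make IAP answer 401/403: a wrong 
`aud` (IAP only accepts an OIDC token whose audience is the OAuth client ID of 
the IAP-protected resource; with service-account credentials gcloud can set it 
via `gcloud auth print-identity-token --audiences=CLIENT_ID`), a non-Google 
issuer, an expired token, or a missing email claim. It does not verify the 
signature; IAP does that against Google's public keys, and the purpose here is 
only to diagnose a rejected curl locally. The client ID, e-mail address and 
sample tokens are constructed for the example, and it uses only the Python 
standard library.

```python
"""Preflight checks on a Google OIDC identity token before it is sent to an
IAP-protected App Engine service.

Added example for this thread, not code from Google or from the thread.
It decodes the token and reports the claim problems that typically make
IAP return 401/403. It does NOT check the signature: IAP does that against
Google's public keys; this script only diagnoses a rejection locally.
"""
import base64
import json
import time
from typing import Optional

# Issuer values Google uses in its OIDC identity tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Hypothetical OAuth client ID of the IAP-protected resource (constructed;
# the real one is shown in the IAP console for the protected App Engine app).
IAP_CLIENT_ID = "123456789012-example0client0id.apps.googleusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    Raises ValueError if the string is not shaped like a JWT or the payload
    is not a JSON object (binascii and JSON errors are ValueError subclasses).
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def inspect_identity_token(token: str, expected_audience: str,
                           now: Optional[float] = None) -> list:
    """Return a list of problems; an empty list means the claims look right
    for IAP. `now` (Unix seconds) can be pinned for deterministic checks."""
    now = time.time() if now is None else now
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:
        return [f"cannot decode token: {exc}"]

    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"iss is {claims.get('iss')!r}, expected a Google issuer")
    if claims.get("aud") != expected_audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected the IAP "
                        f"OAuth client ID {expected_audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp claim missing")
    elif exp <= now:
        problems.append(f"token expired {int(now - exp)} seconds ago")
    if not claims.get("email"):
        problems.append("email claim missing; IAP authorizes members by e-mail")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """CONSTRUCTED fixture: a JWT-shaped string with a dummy signature.
    A real identity token is RS256-signed by Google; never send this one."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return f"{enc(header)}.{enc(claims)}.{enc({'sig': 'dummy'})}"


if __name__ == "__main__":
    pinned_now = 1_584_000_000  # March 2020, roughly when this thread ran
    caller = "caller@example-project.iam.gserviceaccount.com"  # constructed
    good = make_unsigned_sample_token({
        "iss": "https://accounts.google.com", "aud": IAP_CLIENT_ID,
        "exp": pinned_now + 3600, "email": caller,
    })
    # A token minted for some other audience, which IAP will reject.
    wrong_aud = make_unsigned_sample_token({
        "iss": "https://accounts.google.com",
        "aud": "some-other-client.apps.googleusercontent.com",
        "exp": pinned_now + 3600, "email": caller,
    })
    for name, tok in [("good", good), ("wrong_aud", wrong_aud),
                      ("garbage", "not a token")]:
        print(name, inspect_identity_token(tok, IAP_CLIENT_ID, now=pinned_now) or "OK")
```

Run it against a real token by replacing the constructed fixtures with the 
output of `gcloud auth print-identity-token`; an empty problem list means 
the claims match what IAP expects, so a remaining 401/403 points at the IAP 
member list or role rather than at the token.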
-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/fb0b9dcf-f60a-428c-aa61-93b037ccf901%40googlegroups.com.