[google-appengine] Re: Restrict access to "Google App Engine" services from outside invocation

2020-03-25 Thread 'vladoi' via Google App Engine
I am not sure how you set up your use case, but I would recommend 
following these two tutorials [1][2]. 
The target audience of the JWT has to be the OAuth2 client ID from the IAP.


---
[1]. https://www.qwiklabs.com/focuses/5562?parent=catalog
[2]. https://dzone.com/articles/api-authentication-with-gcp-identity-aware-proxy



On Tuesday, March 24, 2020 at 7:29:58 PM UTC+1, Sergii Diukarev wrote:
>
> I did all the steps which you provided but am still getting the error
>
> Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (5940511.apps.googleusercontent.com) doesn't match expected value (66074-l73bufqva111p0t76pfkam5.apps.googleusercontent.com))
>
> Do you have any clue what that can be?
>
> On Tuesday, March 24, 2020 at 2:55:47 PM UTC+2, vladoi wrote:
>>
>>
>> Hi, 
>> According to the official documentation:
>>
>> "allUsers
>> The value allUsers is a special identifier that represents anyone who is 
>> on the internet, including authenticated and unauthenticated users." [1]
>> Also, when you add "allUsers" the following warning will be posted:
>> "Adding allUsers or allAuthenticatedUsers to this resource will make it 
>> publicly accessible to anyone on the internet. If this resource contains 
>> data that should not be made public to everyone, cancel this action to 
>> prevent public access."
>>
>> I would suggest removing the allUsers member from IAP if you would like 
>> to have a restricted App Engine service. 
>> One possible solution would be to create a service account [2], create a 
>> "key.json" file [3] and download it to your local computer, set the default 
>> credentials [4], add the service account as a member to IAP and select a 
>> role, and then call the App Engine service with the command you have 
>> provided.
>>
>> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>>
>> -
>> [1]. https://cloud.google.com/iam/docs/overview
>> [2]. https://cloud.google.com/iam/docs/creating-managing-service-accounts
>> [3]. https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
>> [4]. https://cloud.google.com/docs/authentication/production
>>
>> On Monday, March 23, 2020 at 11:41:22 PM UTC+1, Sergii Diukarev wrote:
>>>
>>> Thank you. You were right!
>>>
>>> I enabled IAP and provided access for all my public services with 
>>> `allUsers` role access. But how can I call the restricted service now? How do 
>>> you authenticate a request from my local computer (for example, curl)?
>>>
>>> I tried something like:
>>> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>>>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>>>
>>> On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>>>>
>>>> Hi,
>>>>
>>>> If you would like to protect certain "App Engine" services from outside 
>>>> invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
>>>> Identity-Aware Proxy (IAP) lets you manage who has access to services 
>>>> hosted on App Engine. 
>>>> You can turn on IAP and this will allow only members listed in the 
>>>> permission panel to access your App Engine services.
>>>>
>>>> [1]. https://cloud.google.com/iap/docs
>>>>
>>>> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>>>>
>>>>> Dear Sir/Madam,
>>>>>
>>>>> I am developing a web service (server) for my web application. After 
>>>>> looking at every amazing Google Cloud product, I am thinking of doing the 
>>>>> following to have a secure server on Google Cloud:
>>>>>
>>>>> 1. I want to be able to protect (certain) "App Engine" services from 
>>>>> outside invocation. Add security specifications in Cloud Services to 
>>>>> allow only my app request endpoints. My app is running on a node.js 
>>>>> server on Google App Engine.
>>>>> 2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>>>>> Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints 
>>>>> from within the Google network.
>>>>>
>>>>> I am looking forward to receiving your response!
>>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/dab92a72-675a-4936-96f6-5c44e18425bc%40googlegroups.com.
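The audience mismatch in the error quoted above, and the Bearer-token call from vladoi's earlier reply, can both be checked locally before a request ever reaches IAP. The following Python is an added example, not code from the thread or from Google: it decodes the claims of a JWT (without verifying its signature), compares the aud claim with the IAP OAuth2 client ID the error message expects, and checks exp and iss as well. The two client IDs are the ones quoted in the error; the HS256 demo token, its secret and the service-account e-mail are constructed here so the script runs offline (real Google ID tokens are RS256-signed by Google, and the signature check remains IAP's job, not this script's).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Client IDs taken from the error message quoted in the thread.
TOKEN_AUD = "5940511.apps.googleusercontent.com"
IAP_CLIENT_ID = "66074-l73bufqva111p0t76pfkam5.apps.googleusercontent.com"

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    this is a diagnostic for 'why does IAP reject my token', nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_iap_token(token: str, expected_aud: str, now: Optional[float] = None) -> List[str]:
    """Return the problems IAP would report for this token (empty list = looks fine).
    The audience message mirrors the wording of the error quoted in the thread."""
    problems: List[str] = []
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        problems.append(
            "JWT audience doesn't match this application ('aud' claim (%s) "
            "doesn't match expected value (%s))" % (aud, expected_aud)
        )
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no 'exp' claim")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer %r" % claims.get("iss"))
    return problems


def make_demo_token(aud: str, exp: int, secret: bytes = b"demo-secret") -> str:
    """Build an HS256-signed token for the demo only. Constructed values: the
    secret and the service-account e-mail. Google's real ID tokens are RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://accounts.google.com",
        "aud": aud,
        "exp": exp,
        "iat": exp - 3600,
        "email": "caller@example-project.iam.gserviceaccount.com",
    }
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." +
        _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authorization_header(token: str) -> Dict[str, str]:
    """The header curl sends with -H "Authorization: Bearer ..." in the thread."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    now = int(time.time())
    wrong = make_demo_token(TOKEN_AUD, now + 3600)      # aud from the failing call
    right = make_demo_token(IAP_CLIENT_ID, now + 3600)  # aud = IAP's OAuth2 client ID
    for label, tok in (("wrong audience", wrong), ("IAP client id", right)):
        print(label, "->", check_iap_token(tok, IAP_CLIENT_ID) or "OK")
```

Run it as-is to see the diagnostic for a token minted for the wrong audience next to one minted for the IAP client ID. In practice, pass the string that `gcloud auth print-identity-token` emits (or the token from the service-account flow in the thread) to `check_iap_token` together with the client ID shown in the IAP console; with service-account credentials, `gcloud auth print-identity-token --audiences=CLIENT_ID` sets the aud claim to that ID, which is what resolves the error in the thread.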


[google-appengine] Re: Restrict access to "Google App Engine" services from outside invocation

2020-03-24 Thread Sergii Diukarev
I did all the steps which you provided but am still getting the error

Invalid IAP credentials: JWT audience doesn't match this application ('aud' claim (5940511.apps.googleusercontent.com) doesn't match expected value (66074-l73bufqva111p0t76pfkam5.apps.googleusercontent.com))

Do you have any clue what that can be?

On Tuesday, March 24, 2020 at 2:55:47 PM UTC+2, vladoi wrote:
>
>
> Hi, 
> According to the official documentation:
>
> "allUsers
> The value allUsers is a special identifier that represents anyone who is 
> on the internet, including authenticated and unauthenticated users." [1]
> Also, when you add "allUsers" the following warning will be posted:
> "Adding allUsers or allAuthenticatedUsers to this resource will make it 
> publicly accessible to anyone on the internet. If this resource contains 
> data that should not be made public to everyone, cancel this action to 
> prevent public access."
>
> I would suggest removing the allUsers member from IAP if you would like 
> to have a restricted App Engine service. 
> One possible solution would be to create a service account [2], create a 
> "key.json" file [3] and download it to your local computer, set the default 
> credentials [4], add the service account as a member to IAP and select a 
> role, and then call the App Engine service with the command you have 
> provided.
>
> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>
> -
> [1]. https://cloud.google.com/iam/docs/overview
> [2]. https://cloud.google.com/iam/docs/creating-managing-service-accounts
> [3]. https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
> [4]. https://cloud.google.com/docs/authentication/production
>
> On Monday, March 23, 2020 at 11:41:22 PM UTC+1, Sergii Diukarev wrote:
>>
>> Thank you. You were right!
>>
>> I enabled IAP and provided access for all my public services with 
>> `allUsers` role access. But how can I call the restricted service now? How do 
>> you authenticate a request from my local computer (for example, curl)?
>>
>> I tried something like:
>> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>>
>> On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>>>
>>> Hi,
>>>
>>> If you would like to protect certain "App Engine" services from outside 
>>> invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
>>> Identity-Aware Proxy (IAP) lets you manage who has access to services 
>>> hosted on App Engine. 
>>> You can turn on IAP and this will allow only members listed in the 
>>> permission panel to access your App Engine services.
>>>
>>> [1]. https://cloud.google.com/iap/docs
>>>
>>> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>>>
>>>> Dear Sir/Madam,
>>>>
>>>> I am developing a web service (server) for my web application. After 
>>>> looking at every amazing Google Cloud product, I am thinking of doing the 
>>>> following to have a secure server on Google Cloud:
>>>>
>>>> 1. I want to be able to protect (certain) "App Engine" services from 
>>>> outside invocation. Add security specifications in Cloud Services to 
>>>> allow only my app request endpoints. My app is running on a node.js 
>>>> server on Google App Engine.
>>>> 2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>>>> Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints 
>>>> from within the Google network.
>>>>
>>>> I am looking forward to receiving your response!
>>>>
>>>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/48d14472-7af7-4291-9ac5-23f1c6a7df8e%40googlegroups.com.


[google-appengine] Re: Restrict access to "Google App Engine" services from outside invocation

2020-03-24 Thread 'vladoi' via Google App Engine

Hi, 
According to the official documentation:

"allUsers
The value allUsers is a special identifier that represents anyone who is on 
the internet, including authenticated and unauthenticated users." [1]
Also, when you add "allUsers" the following warning will be posted:
"Adding allUsers or allAuthenticatedUsers to this resource will make it 
publicly accessible to anyone on the internet. If this resource contains 
data that should not be made public to everyone, cancel this action to 
prevent public access."

I would suggest removing the allUsers member from IAP if you would like to 
have a restricted App Engine service. 
One possible solution would be to create a service account [2], create a 
"key.json" file [3] and download it to your local computer, set the default 
credentials [4], add the service account as a member to IAP and select a 
role, and then call the App Engine service with the command you have 
provided.

curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
  -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"

-
[1]. https://cloud.google.com/iam/docs/overview
[2]. https://cloud.google.com/iam/docs/creating-managing-service-accounts
[3]. https://cloud.google.com/iam/docs/creating-managing-service-account-keys#iam-service-account-keys-create-gcloud
[4]. https://cloud.google.com/docs/authentication/production

On Monday, March 23, 2020 at 11:41:22 PM UTC+1, Sergii Diukarev wrote:
>
> Thank you. You were right!
>
> I enabled IAP and provided access for all my public services with `allUsers` 
> role access. But how can I call the restricted service now? How do you 
> authenticate a request from my local computer (for example, curl)?
>
> I tried something like:
> curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
>   -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"
>
> On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>>
>> Hi,
>>
>> If you would like to protect certain "App Engine" services from outside 
>> invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
>> Identity-Aware Proxy (IAP) lets you manage who has access to services 
>> hosted on App Engine. 
>> You can turn on IAP and this will allow only members listed in the 
>> permission panel to access your App Engine services.
>>
>> [1]. https://cloud.google.com/iap/docs
>>
>> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>>
>>> Dear Sir/Madam,
>>>
>>> I am developing a web service (server) for my web application. After 
>>> looking at every amazing Google Cloud product, I am thinking of doing the 
>>> following to have a secure server on Google Cloud:
>>>
>>> 1. I want to be able to protect (certain) "App Engine" services from 
>>> outside invocation. Add security specifications in Cloud Services to 
>>> allow only my app request endpoints. My app is running on a node.js 
>>> server on Google App Engine.
>>> 2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>>> Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints 
>>> from within the Google network.
>>>
>>> I am looking forward to receiving your response!
>>>
>>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/fb0b9dcf-f60a-428c-aa61-93b037ccf901%40googlegroups.com.
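The allUsers point in the reply above is easy to audit mechanically rather than by eye in the console. The following Python is an added example, not code from the thread or from Google: it scans an IAM policy in the standard JSON shape (bindings, etag, version, the same layout `gcloud iap web get-iam-policy --format=json` prints) for the public principals allUsers and allAuthenticatedUsers named in the warning, and returns a copy of the policy with them removed, which is what the advice to remove the allUsers member from IAP comes down to. The sample policy is constructed for this example: roles/iap.httpsResourceAccessor and roles/iap.settingsAdmin are real IAP roles, while the project name, e-mail addresses and etag are made up.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the standard IAM policy JSON shape. The IAP role
# names are real; the principals and etag are made up for this example.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/iap.httpsResourceAccessor",
      "members": [
        "allUsers",
        "serviceAccount:caller@example-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/iap.settingsAdmin",
      "members": ["user:admin@example.com"]
    }
  ],
  "etag": "BwXyz123",
  "version": 1
}
""")

# The two special identifiers the console warning in the thread is about.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that grant access to everyone on the internet
    (allUsers) or to any Google-authenticated identity (allAuthenticatedUsers)."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def remove_public_members(policy: Dict) -> Dict:
    """Return a copy of the policy with the public principals stripped from every
    binding. Bindings left with no members are dropped, since a binding without
    members grants nothing. The etag is kept so a read-modify-write can detect
    a concurrent change when the cleaned policy is written back."""
    cleaned = {k: v for k, v in policy.items() if k != "bindings"}
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            bindings.append({**binding, "members": members})
    cleaned["bindings"] = bindings
    return cleaned


if __name__ == "__main__":
    for role, member in public_bindings(SAMPLE_POLICY):
        print("public principal %s bound to %s" % (member, role))
    print(json.dumps(remove_public_members(SAMPLE_POLICY), indent=2))
```

Feeding the output of `gcloud iap web get-iam-policy --format=json` into `public_bindings` gives a quick answer to "is this App Engine service still public behind IAP?"; the `remove_public_members` result is the policy you would write back once the service account from the thread has been added as a member with the role you want it to have.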


[google-appengine] Re: Restrict access to "Google App Engine" services from outside invocation

2020-03-23 Thread Sergii Diukarev
Thank you. You were right!

I enabled IAP and provided access for all my public services with `allUsers` 
role access. But how can I call the restricted service now? How do you 
authenticate a request from my local computer (for example, curl)?

I tried something like:
curl https://my-private-service-dot-project-tst-01.appspot.com/920/250314/ \
  -H "Authorization: Bearer $(gcloud --project=hatsa-tst-01 auth print-identity-token)"

On Wednesday, March 18, 2020 at 2:22:51 PM UTC+2, vladoi wrote:
>
> Hi,
>
> If you would like to protect certain "App Engine" services from outside 
> invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
> Identity-Aware Proxy (IAP) lets you manage who has access to services 
> hosted on App Engine. 
> You can turn on IAP and this will allow only members listed in the 
> permission panel to access your App Engine services.
>
> [1]. https://cloud.google.com/iap/docs
>
> On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>>
>> Dear Sir/Madam,
>>
>> I am developing a web service (server) for my web application. After 
>> looking at every amazing Google Cloud product, I am thinking of doing the 
>> following to have a secure server on Google Cloud:
>>
>> 1. I want to be able to protect (certain) "App Engine" services from 
>> outside invocation. Add security specifications in Cloud Services to 
>> allow only my app request endpoints. My app is running on a node.js 
>> server on Google App Engine.
>> 2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
>> Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints 
>> from within the Google network.
>>
>> I am looking forward to receiving your response!
>>
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/41b4d251-86f3-44d7-9b19-0d5309664084%40googlegroups.com.


[google-appengine] Re: Restrict access to "Google App Engine" services from outside invocation

2020-03-18 Thread 'vladoi' via Google App Engine

Hi,

If you would like to protect certain "App Engine" services from outside 
invocation, I would recommend using 'Google Cloud Identity-Aware Proxy'.
Identity-Aware Proxy (IAP) lets you manage who has access to services 
hosted on App Engine. 
You can turn on IAP and this will allow only members listed in the 
permission panel to access your App Engine services.

[1]. https://cloud.google.com/iap/docs

On Wednesday, March 18, 2020 at 11:22:14 AM UTC+1, Serhii Diukarev wrote:
>
> Dear Sir/Madam,
>
> I am developing a web service (server) for my web application. After 
> looking at every amazing Google Cloud product, I am thinking of doing the 
> following to have a secure server on Google Cloud:
>
> 1. I want to be able to protect (certain) "App Engine" services from 
> outside invocation. Add security specifications in Cloud Services to allow 
> only my app request endpoints. My app is running on a node.js server on 
> Google App Engine.
> 2. I want to be able to make requests from "Cloud Tasks" and "Cloud 
> Scheduler" to 'protected' "Cloud function" AND "AppEngine" endpoints from 
> within the Google network.
>
> I am looking forward to receiving your response!
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/840ce4bf-51ef-41f9-bf0a-0a1ed1a87521%40googlegroups.com.