Tutorial: Getting Started with Google Cloud Identity-Aware Proxy (IAP)

Romin Irani
Romin Irani’s Blog
5 min read · Mar 21, 2017

This tutorial covers how you can get started with Google Cloud Identity-Aware Proxy (IAP), a service that was announced recently at Google Cloud Next 2017.

The diagram from the official IAP documentation (referenced below; the image itself is not reproduced here) makes the setup a lot clearer.

Reference: https://cloud.google.com/iap/

Suppose you have multiple applications (in the diagram, think of ERP and CRM as applications that you run and to which you want to control access) hosted on App Engine or on another Google Cloud Platform service, and you want to streamline access to them from outside. As the administrator responsible for that access (the IDENTITY module in the diagram), you want to:

  • Maintain the access lists for your applications outside of those applications.
  • Streamline access by defining groups of users, and what applications each group or role can reach.
  • Let your users reach these applications from outside your network.
  • Avoid the hassle of setting up a VPN just to control access from outside to your applications.

Even setting the VPN aside, you still had to ensure that only the right users could reach the application. Either you set up an application gateway or proxy in front of it that held the list of allowed users, or that list lived in the application's own user database and access was controlled there.

This approach is error prone: user identity is replicated across multiple applications and the copies are often out of sync with each other. Employees leaving the organization are another headache, since every copy has to be updated. Because security is paramount, it is far better to centralize the access control lists and give your security team one simple identity layer to manage and review from time to time.

Enter the Cloud Identity-Aware Proxy (IAP).

Getting Started with Cloud Identity-Aware Proxy (IAP) on App Engine

I will assume that you already have an App Engine application deployed in your Google Cloud project and that you are familiar with navigating the Cloud Console.

The Identity-Aware Proxy is available in the IAM & Admin section as shown below:

You will notice that it has picked up the list of App Engine applications in the project and indicates that IAP is not turned on. All you need to do is switch it on; it will then prompt you with the list of domain names used to access the resource (the App Engine app), as shown below:

Once you Turn it on, you should see a similar screen as shown below:

At this point IAP is turned on, but we have not yet provided the list of accounts allowed to access this resource. You do that in the Access section: click the ADD button, which brings up the form shown below. Notice that it standardizes on IAM members and roles: you can add individual user accounts, Google Groups or even service accounts, as the help text indicates, and the role granted is IAP-secured Web App User (roles/iap.httpsResourceAccessor).

In my case, as a test, I add a specific account as shown below and click on ADD.

This adds the account to the list of Members allowed access to the resource.

Now, when I try to access the App Engine URL (<something>.appspot.com), Google sign-in prompts me to choose one of my accounts.

If I go ahead with an account that is not on the access list, IAP shows an access-denied error. If I select the permitted account, I can access the application.

Cool … isn’t it?

Think of the next time you are prototyping an application on App Engine and need to share the working prototype with a handful of users. No VPN. No fiddling with specific users inside the application. Turn IAP on, specify the users in the access list, and it's game on. It can't get simpler than this.

Accessing Users in your Application

The nice thing about IAP for App Engine applications is that it is seamless in terms of user identity: you can continue to use the Users API in your App Engine application to retrieve the identity of the signed-in user. Nothing changes. IAP also passes the authenticated identity to the backend in request headers, including a signed JWT assertion that the application can verify itself. See the IAP documentation for the details.
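For applications that handle identity themselves (or that sit behind a load balancer rather than App Engine), IAP forwards the signed identity in the x-goog-iap-jwt-assertion request header: an ES256 JWT with issuer https://cloud.google.com/iap, an aud claim of the form /projects/PROJECT_NUMBER/apps/PROJECT_ID for App Engine, and public keys published by Google. The unsigned X-Goog-Authenticated-User-Email header is only as trustworthy as the guarantee that every request really passed through IAP, so the signed assertion is what an application should check. The Go program below is an added example, not code from this post or from Google: it implements that check with the standard library, and its signing key, key ID, audience and claims are constructed stand-ins (in production only Google signs assertions, and the key set is fetched from IAP's public-key endpoint rather than generated locally).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// iapIssuer is the fixed "iss" claim IAP puts in every assertion it forwards.
const iapIssuer = "https://cloud.google.com/iap"

// Claims is the subset of the IAP assertion payload this example checks.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Email string `json:"email"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func decodeSeg(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// mintAssertion stands in for IAP's signer so the example runs offline; in
// production only Google signs assertions, an application never does.
func mintAssertion(priv *ecdsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: raw 32-byte r and s concatenated, not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion validates an x-goog-iap-jwt-assertion header value against a key
// set (kid -> public key), this app's audience string and the current time.
func VerifyAssertion(token string, keys map[string]*ecdsa.PublicKey, wantAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeSeg(parts[0], &h); err != nil {
		return c, err
	}
	// Pin the algorithm and require a known key; never let the token choose either.
	pub := keys[h.Kid]
	if h.Alg != "ES256" || pub == nil {
		return c, fmt.Errorf("unexpected alg %q or unknown kid %q", h.Alg, h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, fmt.Errorf("signature verification failed")
	}
	// Only a payload whose signature checked out is parsed and trusted.
	if err := decodeSeg(parts[1], &c); err != nil {
		return c, err
	}
	if c.Iss != iapIssuer || c.Aud != wantAud {
		return c, fmt.Errorf("issuer %q / audience %q not accepted", c.Iss, c.Aud)
	}
	if t := now.Unix(); t < c.Iat-30 || t > c.Exp+30 { // 30 s clock skew tolerance
		return c, fmt.Errorf("token expired or not yet valid")
	}
	return c, nil
}

func main() {
	// Constructed values: a stand-in for IAP's signing key and this app's audience.
	iapKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{"kid-1": &iapKey.PublicKey}
	aud, now := "/projects/123456789012/apps/my-project-id", time.Now()
	c := Claims{Iss: iapIssuer, Aud: aud, Email: "alice@example.com", Iat: now.Unix(), Exp: now.Unix() + 600}
	tok, _ := mintAssertion(iapKey, "kid-1", c)
	fmt.Println(VerifyAssertion(tok, keys, aud, now))
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // same claims, foreign key: rejected
	forged, _ := mintAssertion(attacker, "kid-1", c)
	fmt.Println(VerifyAssertion(forged, keys, aud, now))
}
```

In a real handler the key set comes from https://www.gstatic.com/iap/verify/public_key (a JSON map of key ID to PEM public key, which should be cached and refreshed), and the audience string is taken from the IAP settings page for the resource rather than hard-coded. The order of checks matters: the algorithm and key are pinned before the signature is checked, and the claims are only read after the signature is good, so a hand-written header with a plausible email never reaches the application logic.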

Pricing

The service is currently available free of charge, both for App Engine and for apps running behind a load balancer or on other VMs in Google Cloud. This is fantastic for now, but I am not sure whether there will be a charge once the service comes out of Beta.

BeyondCorp

This service is a manifestation of Google's approach to enterprise security, called BeyondCorp, and embodies some of the best practices Google developed to achieve it. The mission is "To have every Google employee work successfully from untrusted networks without use of a VPN." Take a look at Google's published BeyondCorp material for the background.

Parting Notes

It cannot get easier than this to give external users streamlined, secure access to your Google Cloud applications without the need for a VPN. Do note that the service is currently free and in Beta.
