0

I'm doing a POST to https://iap.googleapis.com/v1/projects/MY_PROJECT_ID/iap_web:getIamPolicy with an empty body as the documentation specifies.

The API response is an HTTP 200 with the body simply being {"etag": "ACAB"}

What does this mean? What should I be doing differently to retrieve the actual policy data?

IAP and the IAP API are both enabled for this project.

John Hanley
Robert Levy
  • It seems that this is due to a lack of permissions in the SA that you are using. Can you list the permissions of the SA you are using to do this POST? Source (change tab to Gcloud): https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_user_for_a_service_account – grimmjow_sms Aug 02 '19 at 17:17
  • The "etag" is normal. This is used to prevent an update without reading the policy first and to prevent multiple updates. In your case there is no policy to return (empty policy) so just the etag is returned. – John Hanley Aug 02 '19 at 17:32
  • @grimmjow_sms I've tried a bunch of permissions including `Security Admin, Security Reviewer, IAP Policy Admin, Owner` – Robert Levy Aug 02 '19 at 17:33
  • @JohnHanley I have IAP enabled on our App Engine app and users listed under `IAP-secured Web App User`. That means there *is* a policy, right? – Robert Levy Aug 02 '19 at 17:35
  • Yes, I would assume that a policy would be returned. What does the CLI return? Note: this is not a permissions problem; otherwise you would receive a 403. You are receiving valid data (etag), just not the data you desire. This indicates to me a problem with your URI. Add the command line option `--log-http` when using the CLI and see what Google generates for the same command. – John Hanley Aug 02 '19 at 17:42
  • @JohnHanley What's the command line equivalent of iap.getIamPolicy? Not seeing that in docs. Thank you! – Robert Levy Aug 02 '19 at 18:55
  • `gcloud beta iap web get-iam-policy` – John Hanley Aug 02 '19 at 19:08
  • For alpha and beta commands always update first `gcloud components update`. – John Hanley Aug 02 '19 at 19:09
  • Here is a link that might help you understand how to use the API: https://cloud.google.com/sdk/gcloud/reference/alpha/iap/web/get-iam-policy – John Hanley Aug 02 '19 at 19:12

1 Answer

2

The issue is that your URI is not specifying the Resource Type, which can be app-engine or backend-services.

For App Engine change the URI to:

https://iap.googleapis.com/v1beta1/projects/PROJECT_NUMBER/iap_web/appengine-PROJECT_ID:getIamPolicy?alt=json
John Hanley
  • 1
    I have been working with Google IAM, Identity, OAuth, etc for a while. I knew what to expect and what to look for. – John Hanley Aug 02 '19 at 20:59
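The thread's point, that an etag-only reply means no bindings are set at the resource level that was queried, as an added example that is not part of the original question or answer. The function names, the sample project values and both sample response bodies are constructed, and using `v1beta1` with the project number for both levels is an assumption taken from the answer's URL.

```python
import json

API = "https://iap.googleapis.com/v1beta1"  # version used in the answer's URL

def policy_urls(project_number, project_id):
    """getIamPolicy URLs for the two resource levels that appear on this page."""
    web = f"projects/{project_number}/iap_web"
    return {
        "all web resources": f"{API}/{web}:getIamPolicy",
        "App Engine app": f"{API}/{web}/appengine-{project_id}:getIamPolicy",
    }

def bindings_in(body):
    """Return sorted (role, member) pairs from a getIamPolicy response body."""
    policy = json.loads(body)
    return sorted(
        (b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
    )

def audit(responses):
    """responses: {level: response body}. Report where access is granted."""
    report = {}
    for level, body in responses.items():
        pairs = bindings_in(body)
        # Etag-only body: a valid reply, but no bindings are set at this level.
        report[level] = pairs if pairs else "no bindings at this level"
    return report

# Constructed sample responses (not captured from a real project).
SAMPLE = {
    "all web resources": '{"etag": "ACAB"}',
    "App Engine app": json.dumps({
        "etag": "BwWKmjvelug=",  # constructed value
        "bindings": [{
            "role": "roles/iap.httpsResourceAccessor",
            "members": ["user:alice@example.com", "group:ops@example.com"],
        }],
    }),
}

if __name__ == "__main__":
    for level, url in policy_urls("123456789012", "my-project").items():
        print(level, "->", url)
    for level, result in audit(SAMPLE).items():
        print(level, "->", result)
```

When reviewing who can reach an IAP-protected app, query each resource level before concluding that no access is granted; an empty result at one level says nothing about the others.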