
I have a request to restrict access (access control) to a small user community in GCP. Let me explain the question.

This is the current set up:

  • A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
  • Cloud DNS (to configure domain names, A and TXT records, zones and subdomains to build the URL for the application).
  • OAuth client set up (tokens, authorized redirect URIs, etc.).
  • HTTPS load balancer (GKE, the managed k8s service, with an Ingress), SSL certificate and keys issued by a trusted CA.
  • The application was built using Python + the Django framework.

I have already deployed the application (GCP resources) and it is working smoothly. The thing is that, since we are working in GCP, all IAM users who have a valid userID@MyOrganization.com can access the application (https://URL-for-my-Appl.com).

Now I have a new request, which consists of restricting access (access control) to the application to only a small user community within that GCP organization.

For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:

  1. user1@MyOrganization.com
  2. user2@MyOrganization.com
  3. user3@MyOrganization.com
  4. user4@MyOrganization.com

How could I do that, taking into account the info I sent earlier?

Thanks!

  • Just to clarify: currently, how do you already manage authentication restricted to @MyOrganization.com? Do you mean a home-made development with OAuth? – Thierry Falvo Nov 21 '19 at 17:34
  • Thanks ThierryFalvo for replying. The current set up is that any user authenticated with @MyOrganization (regular intranet users) can access the URL for the application. I have investigated a bit, and it seems that RBAC might be a solution to my original question. What do you think? With regard to OAuth, we have some OAuth credentials / tokens in place to set it up. – José Enrique Hernández Nov 21 '19 at 18:11
  • As in Guillaume's answer, IAP is really a good choice to manage authentication inside a domain easily and securely. – Thierry Falvo Nov 21 '19 at 19:20

2 Answers

You can use Cloud IAP (Identity-Aware Proxy) to do that.

Identity-Aware Proxy (IAP) lets you manage access to applications running in App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE. IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.

Note: you can configure it on your load balancer.

It's not clear in your question whether your application uses Google auth (but given that you talk about org-restricted login, I think so). If that's the case, you should be able to enable it virtually without touching anything in your application if you are using the Users API.

Pievis

The best and easiest solution is to deploy IAP (Identity-Aware Proxy) on your HTTPS load balancer.

Then grant access only to the users that you want (or create a G Suite user group and grant it; it's often easier to manage).

guillaume blaquiere
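Putting both answers' advice into code, as an added example that is not part of either answer nor Google's own samples: a Django middleware that refuses any request whose X-Goog-IAP-JWT-Assertion header does not verify (the "signed headers" requirement quoted in the first answer) and then checks the asserted identity against the same four-user community the second answer says to grant in IAM. Assumptions: the project number and backend-service id inside IAP_AUDIENCE are placeholders to be replaced with your own; google-auth is installed for the real signature check; build_unsigned_assertion and decode_unverified_claims exist only so the claim checks can be exercised offline and must never be used on a request path.

```python
# Added example (not from either answer): Django middleware that fails closed
# unless the request carries an IAP assertion that verifies, then applies an
# application-level allowlist mirroring the IAM grant.
import base64
import json
import time
from typing import Callable, Optional, Tuple

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_PUBLIC_KEYS_URL = "https://www.gstatic.com/iap/verify/public_key"
# Audience IAP writes into the JWT for a load-balancer backend service;
# the project number and backend-service id below are placeholder values.
IAP_AUDIENCE = "/projects/123456789012/global/backendServices/987654321"
HOSTED_DOMAIN = "myorganization.com"  # compared case-insensitively
CLOCK_SKEW_SECONDS = 30
# Same community that is granted roles/iap.httpsResourceAccessor in IAM.
ALLOWED_USERS = frozenset(u.lower() for u in (
    "user1@MyOrganization.com", "user2@MyOrganization.com",
    "user3@MyOrganization.com", "user4@MyOrganization.com"))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified_claims(assertion: str) -> dict:
    """Payload of the compact JWT with the signature NOT checked. Offline
    tests only; the production path is verify_signature()."""
    try:
        header_b64, payload_b64, _sig = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # unpacking, binascii.Error, JSONDecodeError
        raise ValueError("malformed IAP assertion") from exc
    if (not isinstance(header, dict) or not isinstance(payload, dict)
            or header.get("alg") != "ES256"):  # IAP signs with ES256 only
        raise ValueError("unexpected JWT header")
    return payload


def build_unsigned_assertion(claims: dict) -> str:
    """Constructed fixture: ES256 header, given claims, empty signature.
    verify_signature() rejects it, which is the point."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def verify_signature(assertion: str) -> dict:
    """ES256 check against Google's published IAP keys via google-auth
    (pip install google-auth requests); imported lazily on purpose."""
    from google.auth.transport import requests as google_requests
    from google.oauth2 import id_token
    return id_token.verify_token(assertion, google_requests.Request(),
                                 audience=IAP_AUDIENCE, certs_url=IAP_PUBLIC_KEYS_URL)


def check_claims(claims: dict, now: Optional[float] = None) -> str:
    """Issuer, audience, lifetime, hosted domain, allowlist. Returns the
    lower-cased e-mail or raises PermissionError carrying the reason."""
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != IAP_AUDIENCE:
        raise PermissionError("wrong audience")
    if not (claims.get("iat", 0) - CLOCK_SKEW_SECONDS <= now < claims.get("exp", 0)):
        raise PermissionError("assertion expired or not yet valid")
    if str(claims.get("hd", "")).lower() != HOSTED_DOMAIN:
        raise PermissionError("account outside the organization")
    email = str(claims.get("email", "")).lower()
    if email not in ALLOWED_USERS:
        raise PermissionError("user not in the allowed community")
    return email


def authenticate_iap_request(assertion: Optional[str],
                             verifier: Callable[[str], dict] = verify_signature,
                             now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """(email, "ok") when the assertion verifies and the user is allowed,
    otherwise (None, reason)."""
    if not assertion:
        return None, "missing IAP assertion"
    try:
        return check_claims(verifier(assertion), now), "ok"
    except (ValueError, PermissionError) as exc:
        return None, str(exc)


class IapAssertionMiddleware:
    """Add to MIDDLEWARE in settings.py. X-Goog-Authenticated-User-Email alone
    is not proof: anything reaching the pods past the load balancer can forge it."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        from django.http import HttpResponseForbidden  # lazy: importable without Django
        email, reason = authenticate_iap_request(
            request.META.get("HTTP_X_GOOG_IAP_JWT_ASSERTION"))
        if email is None:
            return HttpResponseForbidden("Forbidden")  # log `reason` server-side
        request.iap_user = email  # views and audit logs can rely on this
        return self.get_response(request)
```

The IAM grant remains the primary control and is all the four users strictly need: `gcloud iap web add-iam-policy-binding --resource-type=backend-services --service=BACKEND_SERVICE --member=user:user1@MyOrganization.com --role=roles/iap.httpsResourceAccessor` (or `--member=group:...` for the group the second answer suggests). On GKE, IAP is switched on per Service through a `BackendConfig` whose `iap.enabled` is `true` and whose `oauthclientCredentials.secretName` points at a Secret holding the existing OAuth client's `client_id` and `client_secret`, attached with the `cloud.google.com/backend-config` annotation. The middleware is the defence in depth the first answer's quoted documentation asks for: it proves the request actually passed through IAP, so that a pod reachable by some other path cannot be driven with forged identity headers. Keeping ALLOWED_USERS in settings rather than in code avoids drifting from the IAM binding, and the `hd` check only holds for G Suite accounts, which is the case for userID@MyOrganization.com.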