Apigee with IAP

I require your expert Apigee consultation regarding a specific use case. Our APIs as a service, deployed on GCP Project A, exposes numerous APIs requiring Apigee-secured access from various GCP projects.

Our current architecture is: Load Balancer -> IAP -> Backend services (APIs), mandated by company policy.

Other projects utilize the different Load Balancer -> IAP -> Single-page Applications architecture. Apigee is necessary for secure routing to our framework, while maintaining user identity for telemetry.

To enhance user experience, we aim to avoid multiple consent screens.

Could you advise on an Apigee-based solution to address this?

Hi @Wils, thanks for sharing your question! We’ve noticed it hasn’t received a reply yet, and with the holidays, there may be a slight delay. I’ll keep an eye on it to ensure it gets the attention it needs.

If you have any additional details to share, feel free to add them here—it could help the community provide a more tailored response.

Thanks for your patience, and happy holidays 😊

Hello, considering Apigee is a backend service, you could technically enable IAP utilization as a part of the Apigee stack/workflow. In this case, the sample architecture would be something along the lines of XLB -> IAP -> Apigee -> Backend service. Have you seen any concerns with this approach?

The identity facade data/metadata from the IAP layer is pushed into header key/value pairs available via Apigee (user id, user email, etc.), where you could still assert/create reports based on this custom header information.

Let me know if this makes sense or if you have any questions and/or concerns.
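
An added illustration of the XLB -> IAP -> Apigee flow described above (not part of the original replies, and not configuration any poster shared): besides the plain identity headers, IAP sends a signed `x-goog-iap-jwt-assertion` header, and an Apigee VerifyJWT policy can check it before the identity is used for reporting. The policy names, the `iap.user.*` variable names, and the `PROJECT_NUMBER` / `BACKEND_SERVICE_ID` placeholders are assumptions.

```xml
<!-- File 1 (hypothetical name): VJWT-IAP-Assertion.xml
     Attach in the proxy PreFlow so every request is checked before any
     identity value is trusted or recorded. The plain
     X-Goog-Authenticated-User-* headers are unsigned; the JWT assertion
     is the value that proves the request actually passed through IAP. -->
<VerifyJWT name="VJWT-IAP-Assertion">
  <!-- IAP signs its assertion with ES256 -->
  <Algorithm>ES256</Algorithm>
  <!-- Flow variable that holds the token (the request header set by IAP) -->
  <Source>request.header.x-goog-iap-jwt-assertion</Source>
  <PublicKey>
    <!-- Google-published IAP verification keys in JWK format -->
    <JWKS uri="https://www.gstatic.com/iap/verify/public_key-jwk"/>
  </PublicKey>
  <Issuer>https://cloud.google.com/iap</Issuer>
  <!-- Placeholder: the IAP-protected backend service that fronts Apigee -->
  <Audience>/projects/PROJECT_NUMBER/global/backendServices/BACKEND_SERVICE_ID</Audience>
</VerifyJWT>

<!-- File 2 (hypothetical name): AM-Set-IAP-Identity.xml
     Runs after VerifyJWT succeeds. Copies the verified claims into flow
     variables (assumed names) that later steps can log or report on. -->
<AssignMessage name="AM-Set-IAP-Identity">
  <AssignVariable>
    <Name>iap.user.email</Name>
    <Ref>jwt.VJWT-IAP-Assertion.decoded.claim.email</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>iap.user.sub</Name>
    <Ref>jwt.VJWT-IAP-Assertion.decoded.claim.sub</Ref>
  </AssignVariable>
  <!-- Fail the request if a claim is missing rather than record an empty identity -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
</AssignMessage>
```

If the assertion is missing, expired, or carries a different audience, VerifyJWT raises a fault and the request never reaches the backend service.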

Ya, and the alternative is to have a conversation with whoever it is that has stated "IAP is mandated". It's possible they were not considering the possibility of an additional API Management layer in the mix. Sometimes it makes sense to use both Apigee and IAP, and sometimes it does not.