Hi there,
We migrated from Cloudflare Zero Trust, where we can bypass ZT by either a header, certain IPs, or different rules.
We have IAP protected backend services which run to GKE. We want to run some automated tests using AppCheck and want to be able to hit our app without IAP getting involved.
The OIDC token (that attaches as a Bearer token) we created only lasts for 1 hour max (and I know we can set 12 hours max in our GCP org), but we need to run those tests periodically every few hours.
Does IAP offer anything similar to Cloudflare's Zero Trust where we can give a set of IPs to bypass IAP?
I already tried
- creating an Access Context policy of IPs (from AppCheck)
- have allUsers in principal in IAPS Web User permission w/ a condition of the Policy
But GCP said
"Policy may not contain allUsers and access levels"
Thanks
Hi @michelnuman,
Welcome to Google Cloud Community.
IAP doesn't provide a straightforward IP-based bypass, unlike Cloudflare Zero Trust. IAP's fundamental principle is identity-aware access, which means it validates user identity and authorization.
You can, however, create a Google Cloud Service Account specifically for your App Check test automation. Grant this service account the IAM permissions required to access your backend services. Then, in your test automation code, authenticate using the service account credentials. IAP will recognize the service account as a trusted identity.
Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
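An added example, not part of the reply above: a token source for the test automation that mints a service-account ID token and re-mints it shortly before it expires, so the 1-hour lifetime does not limit how often tests can run. It assumes the `google-auth` package is installed and Application Default Credentials resolve to the service account; `IAP_CLIENT_ID` is a placeholder and `IapTokenSource` is a hypothetical helper name.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Read the exp claim from a JWT payload (no signature check; IAP verifies it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def mint_with_google_auth(audience):
    """Mint an ID token for the service account found via Application Default Credentials."""
    # Imported lazily so the cache logic can be exercised without google-auth installed.
    from google.auth.transport.requests import Request
    from google.oauth2 import id_token
    return id_token.fetch_id_token(Request(), audience)


class IapTokenSource:
    """Caches a service-account ID token and re-mints it shortly before it expires."""

    def __init__(self, audience, mint=mint_with_google_auth, skew=300, clock=time.time):
        self.audience = audience  # OAuth client ID of the IAP-protected backend
        self.mint = mint
        self.skew = skew          # seconds of safety margin before exp
        self.clock = clock
        self._token = None
        self._exp = 0

    def token(self):
        if self._token is None or self.clock() >= self._exp - self.skew:
            self._token = self.mint(self.audience)
            self._exp = jwt_expiry(self._token)
        return self._token

    def headers(self):
        # Sent on every request to the IAP-protected URL.
        return {"Authorization": "Bearer " + self.token()}


# Placeholder audience; replace with the client ID configured for your IAP resource.
IAP_CLIENT_ID = "PLACEHOLDER.apps.googleusercontent.com"

if __name__ == "__main__":
    source = IapTokenSource(IAP_CLIENT_ID)
    print(source.headers()["Authorization"][:20] + "...")
```

The service account still needs access granted on the IAP-protected resource, as the reply describes; the token's audience must match the client ID that IAP is configured with.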