Is it possible to use Identity-Aware Proxy to secure backends in different projects?

We are serving content to backend services in different projects via an HTTPS load balancer in a shared VPC. The load balancer is in the host project, and we have backends in both the host and some service projects (all attached to the host in the Shared VPC).

However, the IAP portal doesn't display backends from the service projects (only from the backend services within the host project where the Load Balancer is found). Is there a way to secure all of the load balancer's backends with the same IAP in a cross-project environment? And if so, how can the service project's backends be linked / be discoverable?

Hi @dagan,

Welcome to Google Cloud Community!

Yes, it is possible to use Identity-Aware Proxy (IAP) to secure backends in different Google Cloud projects.

Identity-Aware Proxy (IAP) is a Google Cloud service that adds an additional layer of security to your applications running on Google Cloud. It is also used for controlling and securing access to applications and services by authenticating and authorizing users before they access your service.

IAP policies scale across your organization. You can define access policies centrally and apply them to all of your applications and resources. IAP can be configured to control access to web applications or APIs hosted across different Google Cloud projects, even if they are in separate projects from where IAP is set up. However, this requires additional configuration to ensure that the IAP service account and IAM permissions are properly set up across all involved projects.

By following the steps below, you can securely access resources across different projects, with IAP enforcing security through identity and access policies.

  1. Enable IAP for backend services in each project.
  2. Set up the IAM permissions for users/groups across projects.
  3. Ensure that the necessary firewall rules are configured for accessing IAP-secured services.
  4. You can also configure service accounts to allow backend communication between projects if needed.

I hope the above information is helpful.

Hello @nmagcalengjr ,
I'm experiencing a similar issue as @dagan. However, when I try to follow the steps from your solution, I can't complete step 1: "Enable IAP for backend services in each project."

Based on the documentation, I understand that for a backend service to appear on the IAP page, it must be associated with an HTTPS external load balancer. However, in my case, the backend service is in a service project (stg), while my HTTPS external load balancer is in my host project (Shared Infra). They are connected through a Shared VPC with cross-referencing.

Given this setup, I would expect the backend service to appear on either the stg or Shared Infra IAP page so that I can enable IAP. However, it does not appear on either.

Did I misunderstand any part of the documentation? To me, it wouldn’t make sense to create an HTTPS load balancer in each service project just to enable IAP for backend services.

Note: I'm using a global external load balancer, my backend services were created for Cloud Run services, and currently, without IAP, everything works fine.

Thank you in advance!

I'm facing the exact same issue as @pamella_11

It seems that by using IAP, the whole cross-project setup purpose is challenged.

Any guidelines on how we can make this centralized LB with cross-project backend services work with IAP?

Hey @marcusguidoti ,

After a month of discussions with GCP Support, it seems like I finally got it working properly.

Apparently, the issue of backend services not appearing in the IAP page is a known limitation in GCP. For some reason, the Console UI does not display backend services in the IAP page when projects are structured as host and service.

However, it is possible to enable IAP centrally in the host project using gcloud commands.

Here’s what I was instructed to do:

  1. In the host project, create a policy.yaml file and enable IAP for a forwarding rule (Documentation).

    • In this case, the FORWARDING_RULE_ID corresponds to the front-end name of your load balancer.
  2. Configure the IAP access permissions according to your requirements (following the same documentation link).

At this stage, IAP was partially set up—it required login to access my services, but after logging in, I encountered the following error:

"The IAP service account is not provisioned."

To resolve this, I had to:

  1. Still in the host project, create a service account by running:

    gcloud beta services identity create --service=iap.googleapis.com --project=[PROJECT_ID]

    (Replace [PROJECT_ID] with the host project name).
    (Troubleshooting Reference)

  2. In the service project, grant the newly created service account:

    service-[HOST-PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com

    the "Cloud Run Invoker" role.

    • I did this directly via the IAM page in the service project, but there's likely a gcloud command to achieve the same.

After completing these steps, everything appears to be working fine for me.

Hope it helps
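The "To resolve this" steps above done entirely with gcloud, as an added example that is not part of the thread: it derives the IAP service agent address from the host project number, provisions the identity, and grants it Cloud Run Invoker on one service in the service project. It assumes gcloud is installed and authenticated with permissions on both projects; the project IDs, service name and region are passed as arguments.

```shell
# Added example (not from the thread). Provision the IAP service agent in the
# host project and grant it roles/run.invoker on a Cloud Run service in the
# service project, i.e. the "To resolve this" steps done with gcloud.
# Assumes gcloud is installed and authenticated for both projects.

# Pure helper: the IAP service agent email is derived from the host project
# NUMBER (not its ID), matching the address quoted in the post.
iap_service_agent() {
    printf 'service-%s@gcp-sa-iap.iam.gserviceaccount.com\n' "$1"
}

# Look up the numeric project number for a project ID.
project_number() {
    gcloud projects describe "$1" --format='value(projectNumber)'
}

# Step 1 (host project): have Google create the IAP service identity.
# Safe to re-run; an already existing identity is simply reported.
create_iap_identity() {
    gcloud beta services identity create \
        --service=iap.googleapis.com --project="$1"
}

# Step 2 (service project): let the host's IAP agent invoke the Cloud Run
# service behind the shared load balancer. The binding is scoped to the one
# service rather than the whole project (least privilege; the post granted it
# via the IAM page, which applies project-wide).
grant_invoker() {
    host=$1; svc_project=$2; service=$3; region=$4
    agent=$(iap_service_agent "$(project_number "$host")")
    gcloud run services add-iam-policy-binding "$service" \
        --project="$svc_project" --region="$region" \
        --member="serviceAccount:${agent}" --role="roles/run.invoker"
}

# Run both steps only when all four arguments are given.
if [ "$#" -eq 4 ]; then
    create_iap_identity "$1"
    grant_invoker "$1" "$2" "$3" "$4"
else
    echo "usage: $0 HOST_PROJECT_ID SERVICE_PROJECT_ID CLOUD_RUN_SERVICE REGION" >&2
fi
```

The Cloud Run service keeps requiring authentication (no allUsers invoker), so only the host project's IAP agent can reach it after this grant.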