3

I have a service providing an API running in Google Cloud behind IAP. The authentication is working as expected to allow users access to the API.

In order to lock down the API on a more granular level I would like to allow access to certain paths based on what IAM roles the user has within the Google project.

I thought I could use one of the Google rest APIs to get the list of roles given the user ID that comes through in the header from IAP (or finding a way to decorate the request with role information), but I am failing to find out what scopes I need or which API to use.

Does anyone know how to do something similar?

4

1 回答 1

4

我认为您可以使用Directory API检索用户的组成员身份。我们的路线图中确实有一个项目可以将组成员身份添加到 IAP JWT 中,但现在还不可能。

您还可以使用主机和路径条件为应用程序内的不同路径设置不同的访问策略,例如,如果路径以 /foo 开头,则允许 foo-users@ 访问,如果路径以 /bar 开头,则允许 bar-users@ 访问。

--Matthew,谷歌云 IAP 工程

于 2019-04-24T21:26:37.287 回答