Securing GAE/Cloud Run app with IAP but excluding static content


What is the correct way to secure (with IAP) an application which consists of execution logic (servlets) and static content (css, js, ...) that are differentiated by URL prefixes (logic=/admin/, static=/css/, /js/, ...)? Is it IAP turned on for the whole app, with the URL prefixes managed by global IAM conditions like request.path.startsWith("/admin")? Is there even a performance/networking issue when having IAP turned on for static resources as well, without conditions?

Or do I have to separate the app into two services and have IAP turned on for the "logic" part and IAP turned off for the "static" part?


You're correct in your comment from @NoCommandLine. Those are valid considerations when using Cloud Storage for static content.

Alternative Solutions:

  • Global IAM Conditions for URL Paths: Retain versioning and deployment within GAE/Cloud Run, but manage access control with IAM conditions.

  • Separating Services: Deploy static content as a separate service without IAP, but manage versioning and deployment independently.

Recommendations:

  • Start with Global IAM Conditions: Simpler setup, monitor performance for potential issues.

  • Consider Cloud Storage: Significant static content, prioritize performance, strict separation, cost-consciousness.

  • Separate Services: Complex access control, different scaling needs, stricter isolation.

  • Regularly review security policies and update IAM conditions as needed.
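A policy file for the "global IAM conditions" approach discussed in the question and in this answer, as an added example rather than anything from the answerer: the group names are placeholders, and it assumes IAP in front of an App Engine app, applied with `gcloud iap web set-iam-policy POLICY_FILE --resource-type=app-engine`.

```yaml
# Constructed example policy; staff@example.com and admins@example.com are placeholders.
version: 3            # conditional bindings require IAM policy version 3
bindings:
  # Ordinary staff: every path EXCEPT the servlet prefix, so they can load
  # /css/ and /js/ (and any other non-admin page) but not /admin/...
  - role: roles/iap.httpsResourceAccessor
    members:
      - group:staff@example.com
    condition:
      title: non-admin-paths
      expression: '!request.path.startsWith("/admin")'
  # Administrators: unconditional, i.e. every path including /admin/...
  - role: roles/iap.httpsResourceAccessor
    members:
      - group:admins@example.com
# Note: neither binding makes /css/ or /js/ anonymous. IAP still forces sign-in
# on every path, and a signed-in identity matched by no binding receives IAP's
# 403 page. Static content that must be reachable without sign-in has to be
# served from outside IAP, which is what the Cloud Storage answer achieves.
```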


One possible method is

  1. Upload your static content directly to Cloud Storage

  2. Make the uploaded contents publicly accessible

  3. Use the URLs of the items from Cloud Storage in your GAE/Cloud Run App and then secure your GAE/Cloud Run App with IAP as you intended

  4. The net effect should be that

    a) Anyone with a link to any of your static content will see that content

    b) Access to your GAE/Cloud Run App is however controlled by IAP

See documentation here