How to restrict access to GAE Flexible site only for GSuite account?

Question

How to restrict access to GAE Flexible site only for all account from my domain in GSuite and eventually other Google accounts that I provide explicitely. AFAIR there where something simillar in Standard GAE version in app.yaml handlers section.

So my scenario:

• prodution versions restricted until go-live
• dev and stage version restricted permanently

I would like to do this on the IAM level, to reject traffic to the site. But I didn't found anything in docs.

Answer 1

Ok, after rethink the problem and dig deeper in a documentation I found a page about dev environment - https://cloud.google.com/appengine/docs/standard/python/creating-separate-dev-environments.

So my current solution is not to have separate versions like dev, stage and prod and work with them within one project, but to create separate projects for each of environment.

It will also simplify management of DBs - previous I thought about different database in one DB server for particular environment. Now I will have a separate DB instance for it.

Anyway I still have a problem with securing access. I did it in the same way like in Restrict App Engine access to G Suite accounts on custom domain:

• changed Google Authentication to my Google Suite domain
• added Custom Domain in my app
• added my page domain to my GSuite as a second domain And I still can connect to my page without auth - even in "Incognito mode" and on others computers and mobiles.

EDIT: As a workaround I used Django-lockdown module. For the timebeing is more than enough - I have a password, I have a session, I can set it in Middleware or as a decorator for urls.

EDIT 2: I noticed today a new feature in GAE Flexible - Identity-Aware Proxy. This is the feature, that I was searching. You can restrict accces by:

• Google Account email: user@gmail.com
• Google Group: admins@googlegroups.com
• Service account: server@example.gserviceaccount.com
• Google Apps domain: example.com