I have a service providing an API running in Google Cloud behind IAP. The authentication is working as expected to allow users access to the API.
In order to lock down the API on a more granular level I would like to allow access to certain paths based on what IAM roles the user has within the Google project.
I thought I could use one of the Google REST APIs to get the list of roles given the user ID that comes through in the header from IAP (or finding a way to decorate the request with role information), but I am failing to find out what scopes I need or which API to use.
Does anyone know how to do something similar?
I think you might be able to retrieve a user's group memberships with the Directory API. We do have an item on our roadmap to add group memberships into the IAP JWT, but that's not possible today.
You can also use host and path conditions to set different access policies for different paths within the app, e.g. allow foo-users@ access if the path starts with /foo, and bar-users@ access if the path starts with /bar.
--Matthew, Google Cloud IAP engineering
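An added example, not from the question or from Matthew's answer, of the application-side variant the question asks about: the service reads the identity IAP forwards in `X-Goog-Authenticated-User-Email`, looks up the user's group memberships, and gates path prefixes on those groups (the same `/foo` and `/bar` split Matthew describes with IAP conditions, done in the app). The group names, user emails and `PATH_POLICY` are constructed samples; `in_memory_lookup` stands in for a Directory API `members.hasMember` call, which needs the `admin.directory.group.readonly` scope.

```python
import posixpath
from typing import Callable, Dict, List

# Constructed sample policy: path prefix -> Google Groups allowed under it.
# Prefixes match on segment boundaries, so "/foo" does not cover "/foobar".
PATH_POLICY: Dict[str, List[str]] = {
    "/foo": ["foo-users@example.com"],
    "/bar": ["bar-users@example.com"],
    "/": ["all-users@example.com"],  # fallback for every other path
}

# Constructed in-memory membership table. In production, replace the lookup
# with the Admin SDK Directory API (members.hasMember) called by a service
# account that holds the admin.directory.group.readonly scope.
SAMPLE_MEMBERSHIP = {
    "alice@example.com": {"foo-users@example.com", "all-users@example.com"},
    "bob@example.com": {"bar-users@example.com", "all-users@example.com"},
    "carol@example.com": {"all-users@example.com"},
}


def in_memory_lookup(email: str, group: str) -> bool:
    return group in SAMPLE_MEMBERSHIP.get(email, set())


def email_from_iap_header(value: str) -> str:
    # IAP sets the header to "accounts.google.com:<email>". Only trust it
    # behind IAP; the signed x-goog-iap-jwt-assertion is the stronger source.
    prefix = "accounts.google.com:"
    if not value.startswith(prefix):
        raise ValueError("unexpected IAP identity header format")
    return value[len(prefix):].lower()


def required_groups(path: str) -> List[str]:
    # Drop the query string and normalise ".." segments before matching,
    # so "/foo/../bar" is judged as "/bar". Longest prefix wins.
    norm = posixpath.normpath(path.split("?", 1)[0])
    for prefix in sorted(PATH_POLICY, key=len, reverse=True):
        if norm == prefix or norm.startswith(prefix.rstrip("/") + "/"):
            return PATH_POLICY[prefix]
    return []  # no matching prefix: deny by default


def is_allowed(header: str, path: str,
               has_member: Callable[[str, str], bool] = in_memory_lookup) -> bool:
    email = email_from_iap_header(header)
    return any(has_member(email, group) for group in required_groups(path))
```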