Tags: google-cloud-platform, google-app-engine, cloud-security

How To Give Access To Resources Behind A GCP VPC Perimeter?


I have recently set up a VPC Service Control policy in GCP. For all intents and purposes it works alright, but I am having 2 problems. Both of these problems have to do with App Engine. Here are the 2 problems:

First, when I am trying to build my app engine instance, it doesn't have access to cloud storage so I get an access denied in the build process.

Secondly, my images for my app engine instance are hosted in Cloud Storage so obviously when users visit they will not be able to access these images.

Third, my Firestore DB has direct listeners using the Angular Fire package within Angular from App Engine. When calling Firestore my listeners receive the following error:

[image: Firestore Error]

Advice from anyone with any experience in this would be greatly appreciated. Given these are the 2 main resources we are trying to protect, moving them outside the VPC perimeter renders this entire solution kind of pointless, so any way we can make this work with App Engine would be great.


Solution

  • The problem is that App Engine (both standard environment and flexible environment) is not supported by VPC Service Controls. As such, it is not possible to include App Engine projects inside service perimeters.

    As stated in the documentation:

    App Engine (both standard environment and flexible environment) is not supported by VPC Service Controls. Do not include App Engine projects in service perimeters.

    However, it is possible to allow App Engine apps created in projects outside service perimeters to read and write data to protected services inside perimeters. To allow your app to access the data of protected services, create an access level that includes the project's App Engine service account. This does not enable App Engine to be used inside service perimeters.

    So it is recommended to avoid using App Engine projects in VPC-SC perimeters. Instead, you can either use App Engine in a project outside of the VPC-SC perimeter or use other serverless solutions that support VPC-SC (e.g. Cloud Run).

    Also, as you included App Engine projects in service perimeters, things may not work as expected, since you have added VPC Service Controls restrictions to App Engine's default (and internal-use) GCS bucket. My understanding is that this bucket is an internal implementation detail and the access control change made to the bucket is not supported.

    Also have a look at this Stackoverflow Link.

    If you are not ready to move the App Engine project outside the VPC-SC perimeter, there is already a feature request raised here; you can mark it +1, or feel free to raise a new feature request or contact Google support explaining your concern. You can use this page for reference when creating an issue.
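    The approach the answer quotes from the documentation (keep App Engine outside the perimeter, then add an access level containing the app's default service account to the perimeter) as an added shell example; this is not code from the original answer. The policy id, perimeter name, level name and project id are placeholders, and with the default DRY_RUN=1 the gcloud commands are only printed so the script runs offline.

```shell
#!/bin/sh
# Added example: let an App Engine app that lives OUTSIDE a VPC Service Controls
# perimeter reach protected services INSIDE it, by creating an access level that
# contains the app's default service account and attaching it to the perimeter.
# Policy id, perimeter, level and project names are placeholders. With DRY_RUN=1
# (the default) the gcloud commands are printed instead of executed.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# The App Engine default service account has a fixed, well-known name per project.
appengine_sa() {
  printf '%s@appspot.gserviceaccount.com\n' "$1"
}

# Write the basic-level spec YAML consumed by
# `gcloud access-context-manager levels create --basic-level-spec`.
# A condition with `members` matches requests made by those identities only.
write_level_spec() {
  spec_file="$1"; project_id="$2"
  cat > "$spec_file" <<EOF
- members:
  - serviceAccount:$(appengine_sa "$project_id")
EOF
  printf '%s\n' "$spec_file"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Create the access level, then add it to the perimeter that protects the data.
grant_appengine_access() {
  policy_id="$1"; perimeter="$2"; level="$3"; app_project="$4"
  spec="$(write_level_spec "$(mktemp)" "$app_project")"
  run gcloud access-context-manager levels create "$level" \
      --policy="$policy_id" --title="App Engine SA of $app_project" \
      --basic-level-spec="$spec"
  run gcloud access-context-manager perimeters update "$perimeter" \
      --policy="$policy_id" --add-access-levels="$level"
}

# Placeholder values; replace with your own policy number, perimeter and project id.
grant_appengine_access "POLICY_ID_PLACEHOLDER" "data_perimeter" "appengine_sa_level" "my-app-project"
```

    This only admits requests the app makes with its own service account; requests sent straight from end users' browsers (such as the Firestore listeners in the question) carry the user's identity, not the service account, and are not matched by this level.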