I have multiple App Engine Services in the same Google project. My wish is to enable IAP for some of the services and not others (in the same project); however, I know that this is not possible. For the services that I ideally don't want IAP enabled for, I don't want to just open them up to the whole internet by granting allUsers the IAP-secured Web App User role. I would still like some sort of IP restriction on who can access the resources. However, Google clearly says in the docs (https://cloud.google.com/iap/docs/managing-access):
Currently, bindings that grant public access can't have a condition associated with them. For example, a policy that allows anyone access to a resource if the request path starts with /public/ is invalid.
The users of this app will be external clients, so I would ideally not like to go through the process of giving them a service account and credential files and sharing code with them to generate an OIDC token.
That being said, is there any workaround to still add IP restrictions?
The solution you've been looking for has been an open public issue for a while now, so I have to set your expectations about this feature.
However, there is a workaround discussed in this thread: split your services and deploy them into separate projects, then use the Firewall Rules (or enable IAP) from there.
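As an added illustration of the workaround above (not code from the original question or answer), this script puts an IP allowlist in front of the services that were moved into their own project, using App Engine firewall rules. It assumes an authenticated gcloud CLI; the project name and CIDR ranges are placeholders, and setting GCLOUD=echo performs a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes gcloud is installed and
# authenticated for the target project; GCLOUD=echo dry-runs the commands.
GCLOUD="${GCLOUD:-gcloud}"

# Accept only well-formed IPv4 CIDRs (a.b.c.d/n, n <= 32, each octet <= 255)
# so that a typo cannot silently create an over-broad allow rule.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|*/|/*|*/*/*) return 1 ;;
  esac
  ip="${1%/*}"; len="${1#*/}"
  [ "$ip" != "$1" ] || return 1                 # no "/" present at all
  case "$ip" in .*|*.|*..*) return 1 ;; esac    # leading/trailing/double dot
  [ "$len" -le 32 ] 2>/dev/null || return 1
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
  done
}

# apply_ip_allowlist PROJECT CIDR...: one ALLOW rule per range (priorities
# 1000, 1010, ...), then flip the "default" rule to DENY. The default rule
# allows all traffic until it is changed, and it is changed last so existing
# clients are never locked out between steps.
apply_ip_allowlist() {
  project="$1"; shift
  [ $# -gt 0 ] || { echo "refusing to deny all: no CIDR given" >&2; return 1; }
  prio=1000
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "rejected malformed CIDR: $cidr" >&2; return 1; }
    "$GCLOUD" app firewall-rules create "$prio" --project="$project" \
      --action=ALLOW --source-range="$cidr" \
      --description="allowlisted client range" || return 1
    prio=$((prio + 10))
  done
  "$GCLOUD" app firewall-rules update default --project="$project" --action=DENY
}
```

Once applied, `gcloud app firewall-rules list --project=PROJECT` shows the ALLOW rules ahead of the DENY default, and `gcloud app firewall-rules test-ip ADDRESS` confirms how a given client address will be treated.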