I have a frontend project and a backend project. These are 2 separate app engine projects.
Setting up IAP on both is not problem but when my frontend project tries to call the backend project it is blocked.
Is there anyway to have access allowed to the backend project when the user passes the frontend IAP ? or do I have to leave the backend project without IAP enabled ?
On
There are misunderstandings. Let me clarify.
Firstly, your App Engine is highly scalable in a single project. Instead of having several projects with several App Engine, you should have only one project, with a single App Engine and multiple services.
Default is usually used for the frontend part. You can use an API service for your backend, or name it as you wish.
Like that, the whole website will be protected by the same IAP context. Like that, no issue as you have before, it's the same IAP cookies and the API calls should not create issues.
Secondly, keep in mind that your JS code runs in the client browser, not on App Engine; App Engine only serves the static files, that's all. All the rest of the computation is performed locally.
You have to programmatically invoke (make the call using an OIDC token) to the backend from your front end. See documentation on how to do that.