How to use Google Cloud IAM Roles for Role Based Web Application control using Google OAuth

Question

I use Google OAuth to sign in my Web Application which was created as a project in Google Cloud Platform i.e. Project1.

I have a user with custom role in this project. After I logged in with my Google account, I'm able to get userinfo using Google_Client (PHP library - google/apiclient). However, I'm having a hard time figuring out how to get the custom role for the logged in user. I tried using Google_Service_iam but get Uncaught Google_Service_Exception: 404 Not Found.

Is this a correct way of building a role based control web app utilizing Google IAM?

Answer 1

Although it would be somehow possible by building it yourself, I would not directly use IAM as an authentication provider. Instead, use the Identity Platform or something like Auth0 or Okta. Myself, I prefer Firebase Authentication, which integrates easily with all popular languages and frameworks.

IAM is meant to authorize users within GCP, and not in a custom web-app. In your setup, you would have to add every future user to Gsuite and IAM, which is very costly and not designed for this purpose.

Answer 2

I would recommend taking a look at the Authentication Strategies for application developers.

Since you need to grant to Google Cloud APIs on behalf of an end user, you may use the protocol OAuth 2.0 protocol. The application initiates an OAuth consent flow where you application will receive the user's credentials. With these credentials, it can call Google Cloud APIs on behalf of the user.

Another solutino as Nebulastic also suggested, is the Cloud Identity Platform, where you can configure custom claims to restrict a user's access to a resource depending on their role.