Is it not possible to tunnel SSH to App Engine instance through IAP?


I understand that App Engine instances are intended to be of limited configurability, but it is possible to access them via SSH when they're in debug mode. In this scenario, we connect to them with:

gcloud app instances ssh --project=$PROJECT --service $SERVICE --version $VERSION $INSTANCE_ID

We'd like to add Cloud IAP into the mix. Everything I've read indicates that it should be completely transparent to the endpoint of the traffic. IAP doesn't terminate the SSH connection, it just decides if that traffic will be passed through to the destination or dropped. So our inability to alter the internal SSH configuration of the instance shouldn't be an issue. If it works now, it should work when tunneled through IAP.

But all the instructions I've found have only talked about setting this up for compute instances, and connecting with:

gcloud compute ssh --tunnel-through-iap $INSTANCE_ID

gcloud app instances ssh doesn't support the --tunnel-through-iap parameter. App Engine apps don't appear as resources in the "SSH AND TCP RESOURCES" section of the Identity-Aware Proxy admin page, only under "HTTPS RESOURCES".

Is this really not possible? And if so, why not? If IAP is as transparent to the network traffic as it's supposed to be, it shouldn't require any special support at the App Engine end.
