acteng / atip

Active Travel Infrastructure Platform
https://acteng.github.io/atip/
Apache License 2.0

Investigate GCP hosting strategies #257

Closed dabreegster closed 1 year ago

dabreegster commented 1 year ago

Goal: Serve a static website on GCP, but restrict access to it.

GCS + GAE + IAP

The simplest approach conceptually would be to use a private GCS bucket, then serve it using IAP. It appears this isn't supported: https://issuetracker.google.com/issues/114133245?pli=1

The next simplest approach I can find is to use App Engine. The static website would be hosted in a private GCS bucket, we'd use App Engine to serve it, then we'd use IAP to sit in front of App Engine.

I haven't yet found docs about gov.uk integration with IAP. The One Login docs are lower level, talking about OAuth flows. My hope is that the IAP layer can completely take care of that for us.

Adding a backend

Many of the backend APIs we may consider could be hosted in Cloud Run or Cloud Functions or similar, since they'd be stateless servers just talking to a DB. IAP can also sit in front of Cloud Run, it appears. So the frontend code running in the browser could make requests to the backend, also going through IAP and verifying the identity again.
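The backend-side half of "verifying the identity again", as an added example that is not from the atip repository: IAP forwards a signed JWT in the `x-goog-iap-jwt-assertion` header, and the backend checks it instead of trusting that the request really came through IAP. The function names, the 30-second skew allowance and the locally generated key standing in for Google's published keys are assumptions made for illustration.

```javascript
// Added example (not atip code): verify the x-goog-iap-jwt-assertion header.
const crypto = require('node:crypto');

const IAP_ISSUER = 'https://cloud.google.com/iap';
const SKEW_SEC = 30; // assumed clock-skew allowance
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// keysByKid is a Map of key id -> public KeyObject. In production these come
// from https://www.gstatic.com/iap/verify/public_key-jwk, fetched and cached.
function verifyIapAssertion(token, keysByKid, expectedAudience,
                            nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) throw new Error('malformed assertion');
  const [h, p, s] = parts;
  const header = decode(h);
  // Pin the algorithm instead of letting the token choose the verifier.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const key = keysByKid.get(header.kid);
  if (!key) throw new Error('unknown key id');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = decode(p);
  if (claims.iss !== IAP_ISSUER) throw new Error('wrong issuer');
  // The audience ties the token to this one backend, so a token minted for
  // another IAP-protected app is refused here.
  if (claims.aud !== expectedAudience) throw new Error('wrong audience');
  if (!(claims.iat <= nowSec + SKEW_SEC && claims.exp > nowSec - SKEW_SEC)) {
    throw new Error('expired or not yet valid');
  }
  return { email: claims.email, sub: claims.sub };
}

// Constructed fixture: signs with a locally generated P-256 key standing in
// for Google's, so the verifier can be exercised offline.
function makeSampleAssertion(privateKey, kid, claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg: 'ES256', typ: 'JWT', kid })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
```

The expected audience is `/projects/PROJECT_NUMBER/apps/PROJECT_ID` for App Engine and `/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID` for a service behind a load balancer, so the frontend and the backend each check their own value.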

dabreegster commented 1 year ago

This is past MVP, and remaining TODOs are tracked in backend/README.md