IAPIdentityAwareProxyClient can be referenced by IAMPolicy/IAMPolicyMember #588

Open
headcr4sh opened this issue Jan 12, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@headcr4sh

Describe the feature or resource
When creating an IAPIdentityAwareProxyClient it is right now not possible to grant access to the app and other HTTPS resources that use IAP.

See also: https://cloud.google.com/iap/docs/managing-access#add_access

Desired approach / example:

---
apiVersion: iap.cnrm.cloud.google.com/v1beta1
kind: IAPIdentityAwareProxyClient
metadata:
  name: iap-dependency
spec:
  displayName: "My IAP"
  brandRef:
    external: '${IAP_BRAND_ID?}'
...
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: iap-access
spec:
  resourceRef:
    # TODO This is not (yet?) possible, because IAMPolicyMember cannot reference IAP client resources.
    apiVersion: iap.cnrm.cloud.google.com/v1beta1
    kind: IAPIdentityAwareProxyClient
    name: iap-dependency
  role: roles/iap.httpsResourceAccessor
  member: 'group:${GOOGLE_GROUP_NAME?}@${GOOGLE_WORKSPACE_DOMAIN?}'
#...

Importance

Without this feature, access to resources protected by the IAPIdentityAwareProxyClient cannot be configured using Config Connector. Instead, an additional (speak: manual) step must be executed to update the IAM binding and manage access.

@headcr4sh headcr4sh added the enhancement New feature or request label Jan 12, 2022
@diviner524
Collaborator

@headcr4sh Thank you for your suggestion! This is a known limitation and we're currently working on it. We will let you know when we have more information.

@tedelwartowski-bestbuy

@diviner524 - looking to understand if there has been any progress on this and if you have an idea on the timeframe when this will be available?

@caieo
Contributor

caieo commented May 9, 2022

@tedelwartowski-bestbuy, IAM support is added in the v1beta1 version of IAPIdentityAwareProxyClient, which is why it is not currently supported by KCC. We have added it to our queue of resource enhancements that we will look into, but do not currently have a timeframe we can provide you.

Please reach out to us via Cloud support to prioritize your request if this is a blocker.
