I want to implement role-based access on my APIs at a method level, e.g. to invoke a given method on the API the caller must have a 'myapp.api.write' role. I cannot find a way to do this when a service account calls my API, but I have a solution for when an end user calls the API.
Front-end users are authenticated using Firebase; custom claims are created on the user to define the roles the user has. The NestJS application checks the roles in the JWT claim at a method level, implementing role-based access for end users. This works very well.
However, some APIs are called from other App Engine applications. I want to implement role-based access in this context, i.e. App Engine A can invoke GET on App Engine B, but not POST. I am struggling with how to achieve this. I can use an Identity-Aware Proxy, but this will not give control at endpoint or method level, just the whole app; it is all or nothing. My next approach was to get App Engine A to send a JWT to App Engine B and then add a custom role to the service account App Engine A is running under. My problem with this approach is that you cannot create custom permissions for a service account, and you can't create a custom role without a permission. I was hoping to create a custom permission such as 'myproject.data.read' and check that the calling service account had this permission within App Engine B.
Has anyone else attempted anything like this and got it to work in another way?
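As an added illustration (not the question author's code, and not a NestJS guard as such), the following TypeScript shows one way App Engine B could resolve roles for both caller kinds from an already verified token: Firebase custom claims for end users, and a deployment-side mapping from a Google-signed service-account identity to roles for app-to-app calls. It assumes token signature verification has already happened upstream (Firebase Admin SDK or Google's OIDC verifier), that custom claims were written under a hypothetical `roles` key, and that the service-account email and role names are placeholders.

```typescript
// Added example: role resolution for verified JWT claims in App Engine B.
// Assumes the token was verified (signature, expiry, audience) before this
// code runs; it only decides which roles the verified identity holds.

type Claims = Record<string, unknown>;

// Hypothetical config in App Engine B: roles granted to each calling service
// account, keyed by its verified email. Authorization lives here, not in IAM.
const SERVICE_ACCOUNT_ROLES: Record<string, string[]> = {
  "app-engine-a@my-project.iam.gserviceaccount.com": ["myapp.api.read"],
};

// A Google-signed OIDC ID token for a service account carries these claims.
// All three checks are required: a Firebase user token can also contain an
// "email" claim, so the issuer must be checked before trusting it.
function isGoogleServiceAccount(claims: Claims): boolean {
  const email = claims["email"];
  return (
    claims["iss"] === "https://accounts.google.com" &&
    claims["email_verified"] === true &&
    typeof email === "string" &&
    email.endsWith(".iam.gserviceaccount.com")
  );
}

function resolveRoles(claims: Claims): string[] {
  if (isGoogleServiceAccount(claims)) {
    return SERVICE_ACCOUNT_ROLES[claims["email"] as string] ?? [];
  }
  // Firebase ID token: custom claims sit at the top level of the payload;
  // this example assumes they were written under a "roles" array.
  const roles = claims["roles"];
  return Array.isArray(roles)
    ? roles.filter((r): r is string => typeof r === "string")
    : [];
}

// The per-method check: the handler declares the role it requires.
function isAllowed(requiredRole: string, claims: Claims): boolean {
  return resolveRoles(claims).includes(requiredRole);
}

// Constructed sample payloads (not real tokens) for the two caller kinds.
const SAMPLE_SERVICE_ACCOUNT: Claims = {
  iss: "https://accounts.google.com",
  email_verified: true,
  email: "app-engine-a@my-project.iam.gserviceaccount.com",
  aud: "https://app-engine-b.example.appspot.com",
};
const SAMPLE_FIREBASE_USER: Claims = {
  iss: "https://securetoken.google.com/my-project",
  sub: "uid-123",
  roles: ["myapp.api.write"],
};
```

With this split, a GET handler requiring `myapp.api.read` admits App Engine A while a POST handler requiring `myapp.api.write` rejects it, which is the per-method granularity an all-or-nothing proxy cannot express.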