Reputation: 3945
GCP IAP There was a problem with your request. Error code 11
I configured Google Cloud IAP for AppEngine, and then, when I try to access my app, I login to my google account, and I am redirected to this url:
project-id.appspot.com/_gcp_gatekeeper/authenticate?state=long-state-string&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email&authuser=2&hd=domain.com&session_state=a23b09e8ae90697d931d96068fdcf163a7a71010..9268&prompt=consent
This page just shows the following error, and nothing else matters:
There was a problem with your request. Error code 11
Tried looking for logs everywhere but in vain. @Matthew Sachs Do you have any idea ?
Upvotes: 8
Views: 4023
Answers (2)
Reputation: 5145
Just ran into this and have a theory about cause and additional details about solution.
giotr's theory of cause has merit:
Ran into this issue in July 24th, reset worked, then ran into it again in Sept 12th.
Notice that's ~2-3 months / about the time it takes for an ephemeral ACME provisioned HTTPS cert to rotate before expiring. I'm guessing there's some logic that occasionally glitches up where the cert rotating can cause an issue due to imperfect software logic that results in a semi rare bug with IAP that requires a reset to solve.
More details about the fix:
- Turn off and back on can fail if you do it too quickly.
- Try turn off, wait 5 min, verify no longer protected by IAP, turn back on, wait 5 min, retest.
- If that doesn't work another thing to try is. Identify the backend service. Reboot backend service. Turn IAP off, wait 5 min, verify no longer protected by IAP, turn back on, wait 5 min, retest.
Update (possibly found root cause):
- The fix still works, but the theorized root cause seems to be incorrect, as it happened again within after 2 weeks, so the theory of HTTPS cert refresh stops making sense.
- New observation lead to a new theory. 6 environments were protected by IAP, but 5 of 6 environments would work perfectly / never break. 1 of 6 environments would periodically break randomly without cause. Noticed an important difference in the 1 environment that kept breaking. It's IAP ID/Secret stored in a kube secret (the kube secret was sourced from a kube software bot called "external secrets operator", that fetched it from GCP secrets manager which might not be relevant, but worth mentioning), had a new line at the end of the secret. The other 5 environments that were bulletproof (as in never broke) had no new line at the end of the secrets contents.
- So the point is if you're running into inconsistent odd breakage, check if your kube secret has a new line at the end of the secret, and remove the new line, before doing the fix, that newline leading to inconsistency may be the root cause.
Upvotes: 0
Reputation: 519
Experienced this when setting up a new project and the solution was to turn IAP off and then back on again.
Not a great answer but hopefully will help.
Upvotes: 8
Related Questions
- Error: Server Error The server encountered a temporary error and could not complete your request. Please try again in 30 seconds.(GCP)
- What causes "Request was aborted after waiting too long to attempt to service your request"?
- (gcloud.app.deploy) Error Response: [13] Unexpected Error
- GCP AppEngine nodejs The server encountered an error and could not complete your request
- Google Cloud IAP, authorisation with bearer token gives error code 13 and app engine instance is never reached
- Got no response when call GCP API status
- GCP: ERROR: (gcloud.services.enable) PERMISSION_DENIED: The caller does not have permission when enabling API
- zone does not have enough resources available to fulfill the request. Try a different zone, or try again later
- not have enough resources available to fulfil the request try a different zone
- Google IAP keeps responding with 401 Unauthorized