Reputation: 117
IAP GCIP integration results in HTTP 404 error on /config resource
Trying to integrate Github OAUTH2 using Google Cloud Identity Platform and Identity Aware Proxy on GCP and Firebase UI deployed on Cloud Run (out-of-the-box). I have owner role for this account
Getting following error from browser console, when trying to access protected application. Redirection seems to be happening but the firebase UI is not shown.
A specified resource is not found, or the request is rejected by undisclosed reasons
The resource url resulting in HTTP status 404 is https://iap-gcip-hosted-ui-app-engine-app-app-specific-code-de.a.run.app/config
Do I require any specific privilege besides the Owner role. Below url is accessible, which is meant for configuring firebase UI
https://iap-gcip-hosted-ui-app-engine-app-app-specific-code-de.a.run.app/admin
Upvotes: 1
Views: 961
Answers (3)
Reputation: 1
The container can output debug logs if the environment variable DEBUG_CONSOLE=true is set. I recommend checking the debug log when accessing /config. In my case, as indicated in the log below, it was due to the Compute Engine API not being enabled.
GET404 869B 1.2s Chrome 122 https://iap-gcip-hosted-ui-app-engine-app-xxxxxxxxxx-an.a.run.app/config
GET to http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id
200 response
GET to https://storage.googleapis.com/storage/v1/b/gcip-iap-bucket-iap-gcip-hosted-ui-app-engine-app-xxxxxxxxxxxx/o/config.json?alt=media
404 Response: The specified bucket does not exist.
GET to https://identitytoolkit.googleapis.com/admin/v2/projects/xxxxxxxxxx/config
200 response
GET to https://compute.googleapis.com/compute/v1/projects/xxxxxxxxxx/global/backendServices
403 Response: {
error: {
code: 403,
message: 'Compute Engine API has not been used in project test-geake before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=test-geake then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.',
errors: [ [Object] ],
status: 'PERMISSION_DENIED',
details: [ [Object], [Object] ]
}
}
ref: https://github.com/GoogleCloudPlatform/iap-gcip-web-toolkit/tree/master/authui-container
Upvotes: 0
Reputation: 1
I was running into a similar symptom, and the problem was that I didn't have any "Identity Providers" enabled other than "Anonymous", which the GCIP tool didn't know how to use.
Upvotes: 0
Reputation: 117
Looks like a bad reference to auth ui project. Reuploading auth ui project to the firebase hosting (associated with gcp project) made it work
Upvotes: 0
Related Questions
- IAP accepts expired token in GCP
- Invalid IAP credentials: JWT audience doesn't match this application
- Connection via Cloud Identity-Aware Proxy Failed
- Can't connect via IAP to GCP instance running Ubuntu 22.04 LST
- Code: 4010 - Connection via Cloud Identity-Aware Proxy Failed
- Identity-Aware Proxy Error in Google Cloud Platform 4003
- GCIP - enable authorization code grant flow using OIDC based external provider
- Unable to enable CORS requests to a Google App Engine IAP
- Identity Aware Proxy(IAP) in GCP
- Google Identity-Aware Proxy (IAP) timeout error