Reputation: 1851
I'm having trouble protecting my Google Cloud Function with the Identity-Aware-Proxy.
I'm still getting the "You don't have access" screen after the OAuth Consent screen even though I've done all steps as I understood them from the documentation (this one: https://cloud.google.com/iap/docs/enabling-compute-howto).
My setup: I've got a Google Cloud Function. This is accessible via a custom domain connected to a Google Cloud Load Balancer via a Backend Service.
I've configured the OAuth consent screen with "external" user type and added my Google account to the test users.
Then I've enabled IAP on that Backend Service and added the same Google account with the "IAP-secured Web App User" role.
The "Status" column on the IAP page says "OK". The Backend Service on the Load Balancer page also says "Identity-Aware Proxy: enabled". When I now try to access the previously publicly available domain for my Cloud Function I now get the Google login screen and after login I get redirected to the "You don't have access" screen.
Which steps did I miss or even misunderstand correctly?
I've enabled the Audit Log for "Cloud Identity-Aware Proxy API", but nothing gets logged to the Log Explorer when I log in and get redirected to that "You don't have access" screen.
So, the screen indicates that I was successfully authenticated, however, not correctly authorized. Meanwhile the Audit Logs stay empty even though this page https://cloud.google.com/iap/docs/audit-log-howto indicates that it should log insufficient access levels. I'm confused.
Upvotes: 5
Views: 2081
Reputation: 404
After searching for a while, I found out that the Identity-Aware-Proxy does not support Cloud Functions, and that is why you are getting the "You don't have access" message.
A possible solution could be to use Authorizing Access via IAM to protect your Cloud Function as you want; here is a guide that could help you understand it.
Best regards.
Upvotes: 1
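Added example, not part of either post above: when IAP authenticates a user but then shows "You don't have access", one check is to export the IAM policy attached to the IAP-protected backend service (for instance with `gcloud iap web get-iam-policy ... --format=json`) and see how the account is actually bound to the role behind "IAP-secured Web App User". The function name `explain_iap_access` and every principal in the sample policy are constructed for illustration.

```python
import json

# Role behind the console label "IAP-secured Web App User".
IAP_ROLE = "roles/iap.httpsResourceAccessor"

# Constructed sample policy in IAM JSON form (all principals are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iap.httpsResourceAccessor",
   "members": ["user:Alice@example.com", "group:ops@example.com"]},
  {"role": "roles/iap.httpsResourceAccessor",
   "members": ["user:bob@example.com"],
   "condition": {"title": "corp-devices",
                 "expression": "'accessPolicies/0/accessLevels/corp' in request.auth.access_levels"}},
  {"role": "roles/iap.admin", "members": ["user:carol@example.com"]}
]}
""")


def explain_iap_access(policy, email):
    """Classify `email` against one IAM policy: granted, conditional, unknown or denied."""
    email = email.lower()  # assumption: account e-mails compare case-insensitively
    domain = email.rsplit("@", 1)[-1]
    granted, conditional, groups = [], [], []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ROLE:
            continue  # bindings for other roles are not what this check looks for
        for member in binding.get("members", []):
            kind, _, value = member.partition(":")
            if kind == "group":
                groups.append(member)  # group membership cannot be resolved offline
                continue
            matches = (kind in ("allUsers", "allAuthenticatedUsers")
                       or (kind == "user" and value.lower() == email)
                       or (kind == "domain" and value.lower() == domain))
            if not matches:
                continue
            cond = binding.get("condition")
            if cond:  # access only while the condition (e.g. an access level) holds
                conditional.append(cond.get("title", "<untitled>"))
            else:
                granted.append(member)
    if granted:
        return "granted", granted
    if conditional:
        return "conditional", conditional
    if groups:
        return "unknown", groups
    return "denied", []
```

A "denied" or "unknown" verdict for the account that just signed in points at the binding (wrong resource, wrong principal, or group membership) rather than at the OAuth consent screen.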