Flamingow

Reputation: 11

Three identical GCP projects/service, but only one works with IAP authentication

I have three projects under my organization on GCP (dev, staging, prod). The IAM settings are shared/set on the organizational level.

On each project I have made a Cloud Run app with the GCP example container "hello". Keep in mind that all of these setups are identical.

  1. I create the Cloud Run app
  2. I create a load balancer with all the configurations
  3. I connect a subdomain to the load balancer IP (different IP for each project).
  4. I set up the OAuth consent screen and IAP
  5. I add the relevant user (also the owner) as IAP-secured Web App User for the IAP for the service.

Worth mentioning: I have one domain and have made three subdomains under it (dev.domain.com, etc.). I set the DNS settings accordingly to point at the load balancers.

The result is that one of these projects works with signing in and accessing the app. The other ones are forbidden with the detailed response: "The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header"

Yet another "check": if the Cloud Run app's authentication setting is set to "Allow unauthenticated invocations", all of them work. With "Require authentication" (IAP used), only one works.

So the question is: what can interfere or cause only one project to authenticate to the service while the other ones can't? Could it have something to do with the domain?

I have tried deleting one of the projects (that was not working) and remaking it again from scratch with the same results.

I bought a new domain and tried to connect that to one of the load balancers instead. But that didn't make a difference.

Upvotes: 1

Views: 435

Answers (1)

Iurii Tarasenko

Reputation: 31

  1. As I remember, the Google Cloud documentation contains a recommendation to disable authentication on Cloud Run if traffic is passed through IAP; you can protect your instance by setting the --ingress parameter to "internal-and-cloud-load-balancing".

  2. You can use Google Groups or an end-user account in IAP as an identifier for access to your instance.

  3. IAP & Identity Platform attach a custom header to a passed request, so you can get a user identifier from it; if you use Python, please find a solution for this here.

Upvotes: 0
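The answer's third point is that, once Cloud Run's own authentication is disabled and ingress is restricted to the load balancer, the application has to take the user's identity from the header IAP adds. The following is an added example, not code from the question or the answer, of what that check looks like in Python: it reads the `x-goog-iap-jwt-assertion` header, checks the issuer, the audience (so a token minted for another project's backend service is refused), and the validity window, and returns the asserted email. The signature verification is stubbed behind a `verify_signature` callback so the code runs offline; in production that callback is `google.oauth2.id_token.verify_token` with `certs_url="https://www.gstatic.com/iap/verify/public_key"`. The audience string, timestamps and email are constructed sample values.

```python
import base64
import json
import time
from typing import Callable, Optional

# Header set by IAP on every request it forwards. The backend must not trust
# the X-Goog-Authenticated-User-* headers unless the JWT in this header verifies.
IAP_JWT_HEADER = "x-goog-iap-jwt-assertion"
IAP_ISSUER = "https://cloud.google.com/iap"

# Constructed sample values; a real audience is
# /projects/<PROJECT_NUMBER>/global/backendServices/<BACKEND_SERVICE_ID>.
SAMPLE_AUDIENCE = "/projects/000000000000/global/backendServices/0000000000000000000"
OTHER_AUDIENCE = "/projects/111111111111/global/backendServices/1111111111111111111"
SAMPLE_NOW = 1_700_000_000


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Split a compact JWT and return its payload claims (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_iap_request(
    headers: dict,
    expected_audience: str,
    verify_signature: Callable[[str], bool],
    now: Optional[int] = None,
) -> str:
    """Return the IAP-asserted user email, or raise ValueError if the request
    must be rejected. `verify_signature` stands in for the real check against
    Google's IAP public keys (google.oauth2.id_token.verify_token)."""
    # Normalise header names; servers and frameworks differ in casing.
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get(IAP_JWT_HEADER)
    if not token:
        # Reaching the app without this header means traffic bypassed IAP,
        # which is what restricting --ingress to the load balancer prevents.
        raise ValueError("missing IAP JWT assertion header")
    if not verify_signature(token):
        raise ValueError("IAP JWT signature invalid")
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != expected_audience:
        # A token issued for another backend service (e.g. another project's
        # load balancer) must not be accepted by this one.
        raise ValueError(f"unexpected audience {claims.get('aud')!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("IAP JWT expired")
    if "iat" in claims and claims["iat"] > now + 30:
        raise ValueError("IAP JWT issued in the future")
    email = claims.get("email")
    if not email:
        raise ValueError("IAP JWT carries no email claim")
    return email


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed test helper: builds a JWT with an empty signature so the
    claim checks can be exercised offline. Never accept this shape in production."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "JWT", "kid": "test-key"}
    return f"{enc(header)}.{enc(claims)}."


def demo():
    """Accept a token for this backend service, reject one for another project."""
    good = make_unsigned_test_token({
        "iss": IAP_ISSUER, "aud": SAMPLE_AUDIENCE, "email": "alice@example.com",
        "sub": "accounts.google.com:1234", "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 540,
    })
    other_project = make_unsigned_test_token({
        "iss": IAP_ISSUER, "aud": OTHER_AUDIENCE, "email": "alice@example.com",
        "sub": "accounts.google.com:1234", "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 540,
    })
    accept_all = lambda _token: True  # offline stand-in for the real signature check
    email = check_iap_request({"X-Goog-IAP-JWT-Assertion": good},
                              SAMPLE_AUDIENCE, accept_all, now=SAMPLE_NOW)
    try:
        check_iap_request({"X-Goog-IAP-JWT-Assertion": other_project},
                          SAMPLE_AUDIENCE, accept_all, now=SAMPLE_NOW)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return email, rejected


if __name__ == "__main__":
    print(demo())
```

The audience check is the part that matters across the three projects in the question: each load balancer has its own backend service id, so a token minted for the dev project's backend is not valid for staging or prod, and an app that only looks at `X-Goog-Authenticated-User-Email` without verifying the JWT has no way to tell.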
