1

I am trying to setup a python app on GCP Cloudrun I need only authenticated users to be able to access the Cloudrun URL but I am facing 403 issue when I set up this app. Is there any alternative way to access the Cloudrun instance using browser provided it is configured to allow only authenticated users?

This is the flow which i am trying to implement :

HTTP(S) Load balancer -> Frontend forwarding rule -> Cloudrun Backend -> Python app deployed on Cloudrun

I have saw few other questions and tried that solution but it does not work few such similar questions would be :

403 "Error: Forbidden" when opening the URL of my Cloud Run service

sidharth vijayakumar
  • 1,190
  • 5
  • 29
  • 1
    Can you try to activate IAP in front of your Cloud Run? It should solve your issue. https://cloud.google.com/iap/docs/enabling-cloud-run – guillaume blaquiere Jun 27 '22 at 12:17
  • I have followed the steps listed in the URL i will explain what i have done. I first went to identity aware proxy then selected my cloud run backend from there i clicked use external identities for authorization. Then i got a login url but when i open that url it says invalid api key. Any clue what could be the issue ? – sidharth vijayakumar Jun 28 '22 at 07:57

2 Answers2

0

If you're currently getting 403, it means you don't have the necessary permission to access the service (the App was deployed to cloud with the option to use 'authenticated' invocation which means you can't access it by directly typing the URL in the browser). You can do any of the following

  1. Generate a token and then use curl to invoke your url using that token. See Google Documentation on this and a more detailed explanation from Google here. But you can't be doing this each time you wish to invoke the service. It's more for testing.

Update: The solution below was to allow him to actually see the App run in the browser but reread the question and see that OP wants only authenticated users to access the App.

2. Redeploy the App to Cloud Run but make sure you choose the option to allow for 'unauthenticated invocation'. See step 3.iv of this [blog article][3] we wrote on deploying to cloud run
NoCommandLine
  • 5,044
  • 2
  • 4
  • 15
  • I cannot deploy it in the 2nd way as there is a policy which will not let me do that. Is there any other way to get this working through browser? – sidharth vijayakumar Jun 28 '22 at 06:43
  • ahh, just saw that you need only authenticated users to access the App so the 2nd way won't work. Don't know any other way different from the other SO question you already pointed to – NoCommandLine Jun 28 '22 at 13:42
0

After trying out IAP as said by @guillaumeblaquiere i was able to fix this issue. Thanks a lot as there is ver less documentation on how to fix this i have recorded steps that i implemented to fix this issue :

Accessing applications on Authenticated Cloud Run using IAP

sidharth vijayakumar
  • 1,190
  • 5
  • 29