I have three projects under my organization on GCP (dev, staging, prod). The IAM settings are shared/set at the organization level.
On each project I have made a Cloud Run app with the GCP example container "hello". Keep in mind that all of these setups are identical.
- I create the Cloud Run app
- I create a load balancer with all the configurations
- I connect a subdomain to the load balancer IP (different IP for each project).
- I set up the OAuth consent screen and IAP
- I add the relevant user (also the owner) as IAP-secured Web App User for the IAP for the service.
Worth mentioning: I have one domain, and have made three subdomains under it. dev.domain.com etc... I set the DNS settings accordingly to the load balancer.
The result is that one of these projects works with signing in and accessing the app. The other ones are forbidden with the detailed response: "The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header"
Yet another "check": if the Run app authentication setting is set to "allow unauthenticated invocations", all of them work. With "Require authentication" (IAP used), only one works.
So the question is: what can interfere/cause it so that only one project can authenticate to the service while the other ones can't? Could it have something to do with the domain?
I have tried deleting one of the projects (that was not working) and remaking it again from scratch with the same results.
I bought a new domain and tried to connect that to one of the load balancers instead. But that didn't make a difference.
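The error quoted in the question is Cloud Run's own response, produced when the request reaching the service has no Cloud Run-accepted identity. When IAP fronts a Cloud Run backend, the caller Cloud Run sees is IAP's per-project service agent (`service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com`), which must hold `roles/run.invoker` on that service; because the agent is keyed by project number, each of dev/staging/prod has a different one. The following check is an added example, not part of the question or of any GCP tooling: it reads a policy in the JSON shape returned by `gcloud run services get-iam-policy SERVICE --region REGION --format=json` and reports whether the IAP agent can invoke the service. The sample policies and project numbers are constructed.

```python
"""Diagnose a Cloud Run service IAM policy for the IAP-behind-load-balancer setup.

Assumptions (not from the original question):
  - the policy dict is the JSON output of
      gcloud run services get-iam-policy SERVICE --region REGION --project PROJECT_ID --format=json
  - the IAP service agent has the standard form
      service-<PROJECT_NUMBER>@gcp-sa-iap.iam.gserviceaccount.com
"""
from typing import Dict, List

RUN_INVOKER = "roles/run.invoker"


def iap_service_agent(project_number: str) -> str:
    """IAM member string for IAP's service agent in the given project.

    It is derived from the project *number*, so a binding that works for one
    project never covers another project's agent.
    """
    return f"serviceAccount:service-{project_number}@gcp-sa-iap.iam.gserviceaccount.com"


def invoker_members(policy: Dict) -> List[str]:
    """Flatten every member bound to roles/run.invoker in the policy."""
    members: List[str] = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == RUN_INVOKER:
            members.extend(binding.get("members", []))
    return members


def diagnose(policy: Dict, project_number: str) -> str:
    """Return one of:
       'public'               - allUsers may invoke; IAP can be bypassed via the run.app URL
       'ok'                   - this project's IAP agent holds run.invoker
       'missing-iap-invoker'  - IAP forwards the request but Cloud Run rejects it
    """
    members = invoker_members(policy)
    if "allUsers" in members:
        return "public"
    if iap_service_agent(project_number) in members:
        return "ok"
    return "missing-iap-invoker"


def remediation_command(service: str, region: str, project_id: str, project_number: str) -> str:
    """The gcloud command that grants the IAP agent invoker rights on the service."""
    return (
        f"gcloud run services add-iam-policy-binding {service} --region {region} "
        f"--project {project_id} --member={iap_service_agent(project_number)} "
        f"--role={RUN_INVOKER}"
    )


# Constructed sample policies; the project numbers are placeholders.
WORKING_POLICY = {
    "bindings": [
        {
            "role": "roles/run.invoker",
            "members": ["serviceAccount:service-111111111111@gcp-sa-iap.iam.gserviceaccount.com"],
        }
    ],
    "etag": "constructed-etag",
}
BROKEN_POLICY = {"bindings": [], "etag": "constructed-etag"}  # IAP enabled, no invoker grant

if __name__ == "__main__":
    print("dev :", diagnose(WORKING_POLICY, "111111111111"))
    print("prod:", diagnose(BROKEN_POLICY, "222222222222"))
    if diagnose(BROKEN_POLICY, "222222222222") == "missing-iap-invoker":
        print(remediation_command("hello", "europe-west1", "prod-project", "222222222222"))
```

Running `diagnose` against each project's policy separates the two failure shapes that look identical from the browser: a service that is public (in which case IAP at the load balancer is not the only path in, since the `*.run.app` URL still answers) and a service whose own IAP agent was never granted invoker rights. The wrong-project-number case is the one to watch for when roles are managed centrally.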