
Aim: to enable Identity Aware Proxy (IAP) in conjunction with Kubernetes (k8s).

Methods:

Results

  • The Google login screen appears when one navigates to domain/app1
  • When the login succeeds a ‘default gateway - 404’ is shown instead of the app when IAP is disabled

Discussion

  • Should a redirect not be configured somewhere? When the authentication and authorization succeed, a URI _gcp_gatekeeper/authenticate was added and a 404 was returned, while a redirect to the app should be done, right?
  • When an App Engine app is deployed and IAP is enabled, IAP works out of the box. What makes this deploy different? Perhaps App Engine contains some elements that are omitted in k8s.

Current problem

When the authentication succeeds the following error is shown:

There was a problem with your request. Error code 11
  • Can you add the configuration yaml files to your question? It could help to reproduce your case and hopefully find a solution.
    – VAS
    May 17, 2018 at 18:46
  • Did you find a solution for this use case? I'm also having trouble configuring multiple IAP-protected backends under non-default paths.
    – dinvlad
    Jun 19, 2018 at 22:37
  • Actually you can now do this natively through Ingress! cloud.google.com/iap/docs/enabling-kubernetes-howto
    Aug 3, 2018 at 22:20

1 Answer

To begin with, here’s some general information:

To get started with IAP in GCP, add an App Engine app or configure Cloud Load Balancer for IAP. In case you are running a Kubernetes cluster, you may have the Load Balancer configured already.

Then you should enable IAP for it here: Menu -> Security -> Identity-Aware Proxy

And finally, that is the place where the redirect URI can be configured. You can get there from the previous step by selecting the triple dot on the right side of your App/LB and choosing Edit OAuth Client.

Menu -> APIs & Services -> Credentials 

Create an OAuth client ID and set Authorized redirect URIs for it.

Authorized redirect URIs
For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorization code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.

For App Engine apps this value is predefined, but you can adjust it according to your needs.

  • It should be https://<some-domain>/_gcp_gatekeeper/authenticate, right? This setting does not redirect to the app, but is required to authenticate, or is this incorrect? At the moment a 404 - default gateway is shown. When IAP is disabled the app appears again. What is missing?
    – 030
    Jun 24, 2018 at 20:07
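
The Ingress-native setup mentioned in the comments on the question, written out as GKE manifests. This is an added example, not configuration from the question or the answer; every name in it (`iap-oauth`, `app1-iap`, `app1`, `app1-tls`, `app1.example.com`, the ports) is a placeholder, and it is not presented as the cause of or fix for the 404 described above.

```yaml
# Added example; all names, the host and the ports are placeholders.
# The OAuth client created under APIs & Services -> Credentials is stored
# in a Secret that the BackendConfig references:
#   kubectl create secret generic iap-oauth \
#     --from-literal=client_id=<CLIENT_ID> \
#     --from-literal=client_secret=<CLIENT_SECRET>
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: app1-iap
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth
---
apiVersion: v1
kind: Service
metadata:
  name: app1
  annotations:
    # Attach the BackendConfig (and so IAP) to all ports of this Service.
    cloud.google.com/backend-config: '{"default": "app1-iap"}'
spec:
  type: NodePort
  selector:
    app: app1
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app1
spec:
  tls:
    - secretName: app1-tls   # IAP is served over the HTTPS load balancer
  rules:
    - host: app1.example.com
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: app1
                port:
                  number: 80
```

IAP is enabled per backend service, so each Service routed by the Ingress needs its own `cloud.google.com/backend-config` annotation if it should be protected; a Service without one is served without IAP.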
