“We are sorry but you do not have access to this service. Please log in to your Admin Console to enable this service.”
instead of the IAP login/consent screen or the app.
Troubleshooting done:
Verified OAuth brand exists (Internal).
Tested in Incognito with only corp account signed in.
Re-applied IAM bindings for both user and IAP service account.
What else could cause the IAP browser flow to be redirected to ServiceNotAllowed in a Cloud Identity Free organization, given that all required services and roles appear to be enabled? Is it mandated to have a workspace subscription?
I do not know what “Cloud Identity Free” implies. To use IAP you need a Cloud Organization. You do not need Workspace. I am not sure how Workspace is relevant.
Are you following these steps?
Have you got IAP to work with internal users?
You need to create an OAuth app or consent screen, to allow external users - users outside the organization - to access your Cloud Run service through IAP. Did you follow these steps?
In addition to dchiesa1’s insight, the error possibly indicates limitations and dependencies of Cloud Identity Free when securing your Cloud Run service with Identity-Aware Proxy authentication flow.
If you’re trying to secure internal user authentication, IAP is the recommended approach. However, you’re likely running into a limitation of Cloud Identity Free. Alternatively, you might want to explore other methods like Identity Platform or Firebase Authentication for your authentication flow if your main goal is to authenticate the end-users.
Additionally, configuring IAP for Cloud Run is currently in Preview, meaning it may not yet offer the expected quality and might have limited support. However, you can expect the quality to improve as the feature matures.
Facing a similar (or identical) issue here, also an organisation with Cloud Identity configured.
I’m wanting to avoid configuring an additional load balancer for an internal app for members in our organisation. The auth flow leads us to the Google consent screen → Our own IdP → ServiceNotAllowed
Logs state it’s a Permission denied. Notably, I do not see any AuthorizationInfo in the protoPayload.
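An added example, not part of any post in this thread, that triages Cloud Audit Log entries the way the last reply describes: a PERMISSION_DENIED entry that carries authorizationInfo names the IAM permission that was refused, while one without it was denied before any IAM permission was evaluated. The log entries, principals and resource path are constructed sample values.

```python
import json

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED

# Constructed sample entries shaped like Cloud Audit Log protoPayloads.
SAMPLE_LOG = json.dumps([
    {"protoPayload": {
        "status": {"code": 7, "message": "Permission denied"},
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "authorizationInfo": [{
            "permission": "iap.webServiceVersions.accessViaIAP",
            "granted": False,
            "resource": "projects/EXAMPLE_PROJECT/iap_web/example-backend"}]}},
    {"protoPayload": {
        "status": {"code": 7, "message": "Permission denied"},
        "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"protoPayload": {
        "status": {"code": 0},
        "authenticationInfo": {"principalEmail": "carol@example.com"},
        "authorizationInfo": [{
            "permission": "iap.webServiceVersions.accessViaIAP",
            "granted": True}]}},
])


def classify_denials(log_json):
    """Split denied entries by whether an IAM permission was evaluated."""
    evaluated, unevaluated = [], []
    for entry in json.loads(log_json):
        payload = entry.get("protoPayload", {})
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue  # only denied requests are of interest here
        who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        auth = payload.get("authorizationInfo")
        if auth:
            # IAM evaluated at least one permission; record the refused ones.
            refused = [a["permission"] for a in auth if not a.get("granted")]
            evaluated.append((who, refused))
        else:
            # No IAM permission was evaluated for this request, so re-checking
            # IAM bindings alone will not explain the denial.
            unevaluated.append(who)
    return {"iam_evaluated": evaluated, "no_authorization_info": unevaluated}


if __name__ == "__main__":
    for bucket, hits in classify_denials(SAMPLE_LOG).items():
        print(bucket, hits)
```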