I will explain the context: I have issues with the configuration of an external load balancer + Cloud Run, using IAP access. I will expose two cases:
- First case: all the elements in the same project: load balancer, backends and Cloud Run services (it's the most commonly explained), but the information is slightly outdated.
- Second case: shared VPC structure. About this case, there is not even documentation. I only found a support post where this topic was discussed. The idea of this approach is having a project that contains the load balancer and another project or projects where the backends and services are allocated. This approach is very common.
Firstly, I found guides like these: (Cloud Run and IAP. Identity Aware Proxy (IAP) is a simple… | by Biju Kunjummen | Medium, or in video, but older)
I have set up the same or even more things than appear in that video; I will show the screenshots below. Maybe I forgot something or misunderstood some concepts.
In this first case, all the resources are in the same project. I was doing this to check how it works, but I can't access it and I really don't know why.
Cloud run Configuration
The backend is a very simple Cloud Run service, the hello container (us-docker.pkg.dev/cloudrun/container/hello); the ingress is set up to be exposed through the load balancer. Previously it was tested by exposing it publicly to check that it worked.
In the security tab, I only set up IAP on the backend services, not on the specific applications; for that reason "allow public access" is enabled in security.
Load Balancer Configuration
Frontend:
- I have the reserved external IP 34.x.x.x
- Port 443
- 2 certs. Why? I tried first with a nip.io cert; as it did not work, I decided to use a real one, but nothing new =(
I did not change anything in this part, the rest of the frontend configuration.
Backend configuration:
I simply have two backends:
- a backend service which is the Cloud Run service allocated in this project (host-cloud-run)
- another similar backend service, but in another project, to test case 2 (test-backend)
URL map configuration:
We have the host with the two domains I mentioned: nip.io and my own domain.
Certs:
These are the certs I set up for the load balancer; both of them have Active status and work.
OAuth config:
This is the OAuth configuration; you can find it by looking for the OAuth consent screen. Here there are two important things as far as I know: the authorised domains, I have defined both.
And the scopes. In Audience, I am using INTERNAL.
These are the scopes that are required for OAuth.
IAP configuration:
In the IAP configuration, I enabled the APIs they asked for and I set up the following:
- OAuth configuration: Google-managed OAuth (recommended for simplicity)
- Allowed domains: this option AFAIK is to allow access via IAP on those domains. So, I added my two domains.
Then, my first tests were with no IAP set up and I could access the Cloud Run service from the domains with no issues.
Once I started to set up IAP, I got asked to log in but I can't access; this error message appears:
Obviously the data are:
- My Google account “name@email.com”
- Resource URL: “https://domain.pro”; it happens too with https://domain.pro/host, which is the other path I defined in the URL map.
Other configurations I did:
- I granted the IAP web user permission.
- I created a firewall rule that allows all ingress traffic for all instances in the VPC from the IAP ranges (130.211.0.0/22, 35.191.0.0/16) on TCP ports 443 and 80.
- I have granted the Cloud Run Invoker permission to the service account service-[PROJECT-NUMBER]@gcp-sa-iap.iam.gserviceaccount.com as the docs say (https://cloud.google.com/iap/docs/enabling-cloud-run#enable-from-iap)
So what can the problem be? I have no idea what more to check or set up.
In case 2 I have several doubts. Because AFAIK you set up the IAP configuration where the backends are allocated, but that is not good in practice: if you have many service projects, it would be nice to have it centralized where the load balancer is set up. I found this thread where this is explained: Is it possible to use Identity-Aware Proxy to secure backends in different projects? The answer by Pamela_11 is the only one I can follow and it looks good, but I have doubts about how to do the configuration with that YAML.
PS: I put screenshots but I am limited to two … even with embedded links. So sorry if things are less easy to read. I think with screenshots it is easier and faster to understand, but OK.
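The post lists four separate things that all have to line up for the login to succeed: IAP enabled on the backend service, Cloud Run ingress reachable from the load balancer, the IAP service agent holding Cloud Run Invoker (or the service being public), and the signed-in user holding an IAP accessor binding on that backend. The checker below is an added example, not code from the post or from Google; it walks that chain offline over dicts shaped like the JSON that the matching `gcloud ... --format=json` commands return. The sample documents, the project number `123456789012` and the user `name@email.com` are constructed placeholders. It also covers the split layout from case 2 by taking the IAP project number as its own parameter; the assumption, stated in the code, is that the relevant number is the one of the project that owns the backend service.

```python
"""Offline checker for the load balancer -> IAP -> Cloud Run chain.

Added example; not code from the post, the linked thread, or Google.
Inputs are dicts shaped like the JSON of these commands:
  backend_service : gcloud compute backend-services describe NAME --global --format=json
  run_service     : gcloud run services describe NAME --format=json
  run_policy      : gcloud run services get-iam-policy NAME --format=json
  iap_policy      : gcloud iap web get-iam-policy --resource-type=backend-services \
                      --service=NAME --format=json
The sample documents at the bottom are constructed, not captured from a project.
"""
from typing import Dict, List, Set

RUN_INVOKER = "roles/run.invoker"
IAP_ACCESSOR = "roles/iap.httpsResourceAccessor"
INGRESS_KEY = "run.googleapis.com/ingress"
LB_REACHABLE_INGRESS = {"all", "internal-and-cloud-load-balancing"}


def iap_service_agent(project_number: str) -> str:
    """Identity IAP uses when it calls Cloud Run. Assumption: project_number is the
    number (not the id) of the project that owns the backend service; in the
    shared-VPC layout of case 2 that is the load balancer project, not the one
    hosting the Cloud Run service."""
    return f"service-{project_number}@gcp-sa-iap.iam.gserviceaccount.com"


def members_with_role(policy: Dict, role: str) -> Set[str]:
    """Flatten an IAM policy into the set of members holding `role`."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def check_iap_chain(backend_service: Dict, run_service: Dict, run_policy: Dict,
                    iap_policy: Dict, iap_project_number: str, user: str) -> List[str]:
    """Return human-readable findings; an empty list means every link in the
    chain that the post touches is configured."""
    findings: List[str] = []
    name = backend_service.get("name", "<backend>")

    # 1. IAP must be switched on for the backend service itself.
    if not backend_service.get("iap", {}).get("enabled", False):
        findings.append(f"{name}: iap.enabled is false, IAP is not protecting this backend")

    # 2. Cloud Run ingress must accept traffic that arrives through the load balancer.
    ingress = run_service.get("metadata", {}).get("annotations", {}).get(INGRESS_KEY, "all")
    if ingress not in LB_REACHABLE_INGRESS:
        findings.append(f"Cloud Run ingress is '{ingress}', the load balancer cannot reach it")

    # 3. The IAP service agent needs run.invoker, unless the service is already
    #    public (allUsers is an invoker), which is the post's "allow public access".
    agent = "serviceAccount:" + iap_service_agent(iap_project_number)
    invokers = members_with_role(run_policy, RUN_INVOKER)
    if agent not in invokers and "allUsers" not in invokers:
        findings.append(f"{agent} lacks {RUN_INVOKER} on the Cloud Run service")

    # 4. The signed-in user must be allowed through IAP on this backend. Only direct
    #    user: and domain: bindings are resolved; group membership is not expanded.
    accessors = members_with_role(iap_policy, IAP_ACCESSOR)
    domain = user.split("@", 1)[-1]
    if f"user:{user}" not in accessors and f"domain:{domain}" not in accessors:
        findings.append(f"{user} has no {IAP_ACCESSOR} binding on {name}")
    return findings


# Constructed sample documents with placeholder names and project number.
GOOD_BACKEND = {"name": "host-cloud-run", "iap": {"enabled": True}}
GOOD_RUN_SERVICE = {"metadata": {"annotations": {INGRESS_KEY: "internal-and-cloud-load-balancing"}}}
GOOD_RUN_POLICY = {"bindings": [{"role": RUN_INVOKER, "members": [
    "serviceAccount:service-123456789012@gcp-sa-iap.iam.gserviceaccount.com"]}]}
GOOD_IAP_POLICY = {"bindings": [{"role": IAP_ACCESSOR, "members": ["user:name@email.com"]}]}


def good_config_findings() -> List[str]:
    """Every link present: expected to return no findings."""
    return check_iap_chain(GOOD_BACKEND, GOOD_RUN_SERVICE, GOOD_RUN_POLICY,
                           GOOD_IAP_POLICY, "123456789012", "name@email.com")


def missing_invoker_findings() -> List[str]:
    """Same setup, but the IAP agent was never granted run.invoker and the service
    is not public: IAP authenticates the user and Cloud Run then rejects IAP."""
    no_invoker = {"bindings": []}
    return check_iap_chain(GOOD_BACKEND, GOOD_RUN_SERVICE, no_invoker,
                           GOOD_IAP_POLICY, "123456789012", "name@email.com")


if __name__ == "__main__":
    for label, result in (("complete", good_config_findings()),
                          ("missing invoker", missing_invoker_findings())):
        print(f"{label}: {result or 'no findings'}")
```

To use it against a real project, dump the four documents with the commands in the docstring, `json.load` them, and pass the project number of the project that owns the backend service; for case 2 that is deliberately a different number from the Cloud Run project, which is the detail most easily mixed up when the two are split.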

