
I'm having trouble protecting my Google Cloud Function with the Identity-Aware-Proxy.

I'm still getting the "You don't have access" screen after the OAuth Consent screen even though I've done all steps as I understood them from the documentation (this one: https://cloud.google.com/iap/docs/enabling-compute-howto).

My setup: I've got a Google Cloud Function. This is accessible via a custom domain connected to a Google Cloud Load Balancer via a Backend Service.

I've configured the OAuth consent screen with "external" user type and added my Google account to the test users.

Then I've enabled IAP on that Backend Service and added the same Google account with the "IAP-secured Web App User" role.

The "Status" column on the IAP page says "OK". The Backend Service on the Load Balancer page also says "Identity-Aware Proxy: enabled". When I now try to access the previously publicly available domain for my Cloud Function I now get the Google login screen and after login I get redirected to the "You don't have access" screen.

Which steps did I miss or misunderstand?

I've enabled the Audit Log for "Cloud Identity-Aware Proxy API", but nothing gets logged to the Log Explorer when I log in and get redirected to that "You don't have access" screen.

So, the screen indicates that I was successfully authenticated, however, not correctly authorized. Meanwhile the Audit Logs stay empty even though this page https://cloud.google.com/iap/docs/audit-log-howto indicates that it should log insufficient access levels. I'm confused.

Simon Knittel
  • It's not yet officially possible and there are authentication issues like that. Stay tuned! – guillaume blaquiere Apr 17 '21 at 13:00
  • @guillaumeblaquiere Thanks for the response. You are saying that IAP + Load Balancer + Cloud Function in combination is not possible at the moment, am I understanding that correctly? – Simon Knittel Apr 17 '21 at 14:02
  • Try adding "allAuthenticatedUsers" in the IAP tunnel users. It will make your backend available to all authenticated users. See if you are able to use the app then. That way, you will be able to narrow down whether it's an IAP issue or an IAM permission issue. – dishant makwana Apr 17 '21 at 14:08
  • @dishantmakwana Thanks for the response. I just tried that and waited a few minutes so it can propagate properly. I even tried setting it to "allUsers". However, it didn't make a difference. Even with allUsers the login screen shows up which it shouldn't in this case. – Simon Knittel Apr 17 '21 at 14:21
  • That's weird. Adding "allAuthenticatedUsers" should make your app open to all google accounts. Are you sure you are adding it in the right place? – dishant makwana Apr 17 '21 at 14:34
  • On the page for Identity-Aware-Proxy I do have two Backend Services. For one of those two IAP is enabled. Therefore the login screen shows up. Then I click on that Backend Service so the sidebar on right pops up and I add a member with allUsers, allAuthenticatedUsers or whatever and the "IAP-secured Web App User" role. That should be it. – Simon Knittel Apr 17 '21 at 14:38
  • Looks like it is needed to use Cloud [IAM](https://cloud.google.com/iam/docs/understanding-roles) roles as well, as seen in ["How IAP works"](https://cloud.google.com/iap/docs/concepts-overview) on Cloud Run's image. But this is an experiment, because there is no documentation about Cloud Functions, so it should not be supported... – Pit Jun 03 '21 at 10:42

1 Answer

After searching for a while I found out that the Identity-Aware-Proxy does not support Cloud Functions, and that is why you are getting the "You don't have access" message.

A possible solution could be to use Authorizing Access via IAM to protect your Cloud Function as you want, here is a guide that could help you understand it.

Best regards.

Robertocd_98
  • That would only work if I would use the Domain/URL generated by GCP for that specific function. However, I want to move my functions behind the load balancer with a custom domain. Therefore the need of IAP. – Simon Knittel Jun 23 '21 at 14:27
  • I tried to use Cloud Functions with Firebase Hosting instead of the Load Balancer, but I got the same error. After searching for a while I think that it is not possible to use IAP with Cloud Functions with a custom domain; I think that the best workaround is to use Cloud Run instead of Cloud Functions. – Robertocd_98 Jun 28 '21 at 13:45
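As an added example, not part of the question or the answer, this is the IAM-based invocation the answer points to, seen from the calling side: the caller obtains a Google ID token whose audience is the function's own URL (from `gcloud auth print-identity-token` or a Google auth library, assumed here and not run) and sends it as a Bearer credential; the local check only catches the usual mistakes (wrong audience, expired token, an opaque access token used instead of an ID token) before the request goes out. `FUNCTION_URL` is a placeholder and, as the comments note, this protects the function's own cloudfunctions.net URL, not the custom load-balancer domain.

```python
import base64
import json
import time
import urllib.request

# Constructed placeholder: the function's own *.cloudfunctions.net URL
# (IAM-based invocation applies to that URL, not to a custom LB domain).
FUNCTION_URL = "https://REGION-PROJECT.cloudfunctions.net/FUNCTION"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Local demo only: real ID tokens are minted and signed by Google."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def id_token_claims(token: str) -> dict:
    """Parse the JWT payload; signature verification is done by Google, not here."""
    parts = token.split(".")
    if len(parts) != 3:
        # OAuth access tokens (ya29....) are opaque, not JWTs: a frequent mix-up.
        raise ValueError("not a JWT: an ID token is required, not an access token")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token(token: str, audience: str, now: float = 0.0) -> list:
    """Return the reasons IAM would reject this token for `audience` ([] if none)."""
    now = now or time.time()
    claims = id_token_claims(token)
    problems = []
    if claims.get("aud") != audience:
        problems.append(f"aud {claims.get('aud')!r} does not match {audience!r}")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    return problems

def invoke(token: str, url: str = FUNCTION_URL) -> bytes:
    """Call the function with the ID token as Bearer credential (network call)."""
    problems = check_id_token(token, url)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:  # caller needs roles/cloudfunctions.invoker
        return resp.read()
```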