
I want to run a Cloud Run service behind an external HTTPS LB and IAP. After setting everything up, I still get a 403 Forbidden when trying to access the Service via the URL pointing to the LB (after IAP login pops up and I sign in). I presume this is because the Cloud Run service Auth configuration is set to 'Require Authentication' and according to Google Documentation it needs to be 'Allow Unauthenticated Invocations'. Unfortunately, according to an Organization policy, this is not possible.

However, I noticed I have another Cloud Run service (in another Organization) with basically the same setup (HTTPS LB and IAP enabled for the service), and here I can access the Service through the IAP even though the Cloud Run Service is set to 'Require Authentication'. So there seems to be a way to have a Cloud Run Service with Authentication AND IAP, but I can't figure out how (or why it works for one service and not for the other one). What could be the reason for that?

T0bz
  • Do you have the roles to access the Service (Cloud Run invoker) and for IAP in your account? – Puteri Oct 24 '22 at 16:22
  • Yes, I have the Cloud Run invoker role and the IAP-secured web app user role. But in the scenario in which I can access the Cloud Run backend with auth required through IAP, it also works for users who only have the IAP-secured web app user role but not the Cloud Run invoker role. – T0bz Oct 24 '22 at 16:36
  • What about the ingress settings? Is it allowing internal traffic only, or internal + LB traffic? – Puteri Oct 24 '22 at 16:46
  • It is internal + LB traffic in both cases. – T0bz Oct 24 '22 at 16:48
  • Did you get any further on this? I'm having the exact same issue with an environment working as we want it, but another one, using the same setup, is not. – David Jungermann Jan 19 '23 at 15:24
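The comments above compare two environments by hand (who holds the Cloud Run invoker role, what the ingress setting is). The helper below is an added example, not code from the question or from Google, that automates that comparison from the JSON that `gcloud run services describe SERVICE --region REGION --format=json` and `gcloud run services get-iam-policy SERVICE --region REGION --format=json` emit. The two embedded service descriptions and IAM policies are constructed samples; the extra service account in the "working" sample is a placeholder chosen only so the diff has something to show, and the question does not establish which principal actually accounts for the difference between the two organisations.

```python
"""Compare the invoker bindings and ingress setting of two Cloud Run services.

Added example (not part of the original question). Input documents are the
JSON output of `gcloud run services describe` and `gcloud run services
get-iam-policy`; the samples below are constructed for illustration only.
"""
import json

INVOKER_ROLE = "roles/run.invoker"
INGRESS_ANNOTATION = "run.googleapis.com/ingress"
# Principals that make a service invokable without a Google identity.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# --- constructed sample data (placeholder names, not real resources) ---
SERVICE_WORKING = {
    "metadata": {
        "name": "svc-working",
        "annotations": {INGRESS_ANNOTATION: "internal-and-cloud-load-balancing"},
    }
}
POLICY_WORKING = {
    "bindings": [
        {
            "role": INVOKER_ROLE,
            "members": [
                "user:alice@example.com",
                # placeholder service account, constructed for the example
                "serviceAccount:placeholder-agent@example-project.iam.gserviceaccount.com",
            ],
        },
        {"role": "roles/run.viewer", "members": ["group:devs@example.com"]},
    ]
}
SERVICE_BROKEN = {
    "metadata": {
        "name": "svc-broken",
        "annotations": {INGRESS_ANNOTATION: "internal-and-cloud-load-balancing"},
    }
}
POLICY_BROKEN = {
    "bindings": [{"role": INVOKER_ROLE, "members": ["user:alice@example.com"]}]
}


def invoker_principals(policy):
    """Return the set of members bound to roles/run.invoker in an IAM policy."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    return members


def ingress_setting(service):
    """Read the ingress annotation; Cloud Run treats a missing one as 'all'."""
    annotations = service.get("metadata", {}).get("annotations", {})
    return annotations.get(INGRESS_ANNOTATION, "all")


def audit(service, policy):
    """Summarise who may invoke the service and how traffic may reach it."""
    members = invoker_principals(policy)
    public = sorted(members & PUBLIC_PRINCIPALS)
    return {
        "name": service["metadata"]["name"],
        "ingress": ingress_setting(service),
        # 'Require authentication' in the console corresponds to no public binding.
        "requires_auth": not public,
        "public_invokers": public,
        "service_account_invokers": sorted(
            m for m in members if m.startswith("serviceAccount:")
        ),
        "user_invokers": sorted(
            m for m in members if m.startswith(("user:", "group:", "domain:"))
        ),
    }


def diff_audits(left, right):
    """Return only the audit fields that differ between two services."""
    return {
        key: (left[key], right[key])
        for key in left
        if key != "name" and left[key] != right[key]
    }


if __name__ == "__main__":
    working = audit(SERVICE_WORKING, POLICY_WORKING)
    broken = audit(SERVICE_BROKEN, POLICY_BROKEN)
    print(json.dumps(diff_audits(working, broken), indent=2))
```

With real data, replace the two sample pairs by `json.load` of the four gcloud outputs; anything the diff reports (an extra invoker binding, a differing ingress value, or a public principal that one organisation's policy forbids) is the first thing to explain before touching the load balancer or IAP configuration.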

0 Answers