
IAP Secured Cloud Run set to allow all ingress but not grant access to allUsers

We have deployed a load balancer with a serverless NEG that points to a Cloud Run service. The Cloud Run service allows all ingress, but is restricted using IAM policies that restrict access to certain service accounts (from other Cloud Run services).

Access over the public internet is only possible through the load balancer and has been set up for our GSuite domain. This all works nicely, and we can access the service only through the load balancer with correct credentials.

Recently we've been generalizing our infrastructure to be able to deploy multiple environments. The general setup of the infrastructure has stayed the same. 

Since the redeploy we have now lost access to the service even when authenticated through IAP. I found the following documentation for IAP with Cloud Run that mentions the following limitation:

While IAP for Cloud Run is in Preview, IAP must be configured to grant allUsers the Invoker role on the Cloud Run service. You can still lock down access at the network level so all external requests must be authorized via IAP. See Configuring Cloud Run to limit access for more information. Before IAP enters General Availability, you'll be able to explicitly grant a project-specific IAP service account the Invoker role on the Cloud Run service and granting allUsers will no longer be required.

Based on this limitation it makes sense that the redeployed version of our infrastructure doesn't work, as we didn't give allUsers the Invoker role on our Cloud Run service. But then I'm wondering how our current infrastructure setup could ever work. For the current infrastructure, the public Cloud Run service URL (the one generated by Google Cloud) gives the Forbidden screen when accessed, as it's not set up for public access. However, when accessing through the load balancer, we're able to access the service just fine. The limitation mentions that

Before IAP enters General Availability, you'll be able to explicitly grant a project-specific IAP service account the Invoker role on the Cloud Run service and granting allUsers will no longer be required.

Is there some workaround that made it work for us with IAP without granting allUsers access to the resource? We're using the public URL for service-to-service communication as it means we don't have to set up a VPC for internal access to services.
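The question turns on two separate gates that the thread keeps conflating: the ingress setting (which request paths reach the service at all) and the IAM policy (which identity holds roles/run.invoker once the request arrives). The following is an added illustration, not code from the thread or from Google: a small model of those two gates, run over the situations described above (direct hit on the generated URL, service-to-service call with a token, IAP in front of the load balancer during preview with and without allUsers, and the GA model where the IAP service agent holds Invoker). The project number, service-account names and the exact format of the IAP service agent are assumptions constructed for the example, and the model ignores anything Cloud Run evaluates beyond ingress and the invoker binding.

```python
"""Model of who can invoke a Cloud Run service, given its ingress setting and IAM policy.

Added example, not code from the thread or from Google. Ingress is modelled as a
network-level gate evaluated first; IAM as a membership check on roles/run.invoker.
All identities below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Ingress settings, named as in the gcloud --ingress flag.
INGRESS_ALL = "all"
INGRESS_INTERNAL = "internal"
INGRESS_INTERNAL_AND_LB = "internal-and-cloud-load-balancing"

# Request paths modelled in the thread.
PATH_PUBLIC_URL = "public-url"        # the generated *.run.app URL, hit from the internet
PATH_LOAD_BALANCER = "load-balancer"  # via the external HTTPS load balancer / serverless NEG
PATH_INTERNAL = "internal"            # from the VPC or same-project resources

INVOKER_ROLE = "roles/run.invoker"

# Assumed (constructed) identities; the IAP service agent name format is an assumption.
PROJECT_NUMBER = "123456789012"
IAP_SERVICE_AGENT = f"serviceAccount:service-{PROJECT_NUMBER}@gcp-sa-iap.iam.gserviceaccount.com"
CALLER_SA = "serviceAccount:frontend@example-project.iam.gserviceaccount.com"


@dataclass
class Request:
    path: str
    principal: Optional[str]  # IAM member string of the token Cloud Run sees; None = anonymous


@dataclass
class Service:
    ingress: str
    bindings: dict = field(default_factory=dict)  # role -> set of IAM member strings


def member_matches(member: str, principal: Optional[str]) -> bool:
    """Does one IAM policy member string cover the presented principal?"""
    if member == "allUsers":
        return True
    if member == "allAuthenticatedUsers":
        return principal is not None
    if principal is None:
        return False
    if member.startswith("domain:"):
        # domain:example.com covers user:alice@example.com, not service accounts
        return principal.startswith("user:") and principal.split("@", 1)[1] == member[len("domain:"):]
    return member == principal


def authorize(service: Service, request: Request):
    """Return (allowed, reason). The ingress gate is evaluated before IAM."""
    if service.ingress == INGRESS_INTERNAL and request.path != PATH_INTERNAL:
        return False, "rejected by ingress=internal (only internal traffic reaches the service)"
    if service.ingress == INGRESS_INTERNAL_AND_LB and request.path == PATH_PUBLIC_URL:
        return False, "rejected by ingress=internal-and-cloud-load-balancing (public URL unreachable)"
    for member in service.bindings.get(INVOKER_ROLE, ()):
        if member_matches(member, request.principal):
            return True, f"allowed: {request.principal or 'anonymous'} matches {member}"
    return False, f"403 Forbidden: {request.principal or 'anonymous'} holds no {INVOKER_ROLE} binding"


def after_iap(iap_ga: bool) -> Request:
    """What Cloud Run sees once IAP, in front of the load balancer, has authenticated the user.

    Preview, as the quoted documentation implies: IAP forwards the request without an identity
    that Cloud Run IAM can match, so it arrives anonymous and needs an allUsers binding.
    GA: IAP invokes the service as the project's IAP service agent. In both cases the end
    user's own identity travels only in IAP's headers, not as the Cloud Run invoker.
    """
    return Request(PATH_LOAD_BALANCER, IAP_SERVICE_AGENT if iap_ga else None)


def run_scenarios():
    """Reproduce the situations discussed in the thread; returns scenario name -> allowed."""
    restricted = Service(INGRESS_ALL, {INVOKER_ROLE: {CALLER_SA}})            # poster's setup after redeploy
    preview_fix = Service(INGRESS_INTERNAL_AND_LB, {INVOKER_ROLE: {CALLER_SA, "allUsers"}})
    ga_fix = Service(INGRESS_INTERNAL_AND_LB, {INVOKER_ROLE: {CALLER_SA, IAP_SERVICE_AGENT}})
    leaky = Service(INGRESS_ALL, {INVOKER_ROLE: {"allUsers"}})               # allUsers without ingress lockdown
    return {
        "public_url_anonymous": authorize(restricted, Request(PATH_PUBLIC_URL, None))[0],      # the Forbidden screen
        "public_url_caller_sa": authorize(restricted, Request(PATH_PUBLIC_URL, CALLER_SA))[0],  # service-to-service
        "lb_iap_preview_no_allusers": authorize(restricted, after_iap(iap_ga=False))[0],       # identity lost -> 403
        "lb_iap_preview_allusers": authorize(preview_fix, after_iap(iap_ga=False))[0],         # documented workaround
        "public_url_blocked_by_ingress": authorize(preview_fix, Request(PATH_PUBLIC_URL, None))[0],
        "allusers_with_ingress_all_leaks": authorize(leaky, Request(PATH_PUBLIC_URL, None))[0],  # the risk to avoid
        "lb_iap_ga_service_agent": authorize(ga_fix, after_iap(iap_ga=True))[0],               # no allUsers needed
        "lb_anonymous_ga_fix": authorize(ga_fix, Request(PATH_LOAD_BALANCER, None))[0],        # LB path still needs IAM
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:34s} {'ALLOW' if allowed else 'DENY'}")
```

The two scenarios worth comparing are "lb_iap_preview_no_allusers" (the redeployed setup: IAP authenticates the user, but the request reaches Cloud Run with no matching invoker identity) and "allusers_with_ingress_all_leaks" (granting allUsers while ingress stays at "all", which makes the generated URL reachable without any authentication). Whatever grants the Invoker role to IAP's path, the ingress setting is what keeps the direct URL closed.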


What was your OAuth consent set to within IAP? Was it internal users (Programmatically creating OAuth clients for IAP  |  Identity-Aware Proxy  |  Google Cloud) as that would be a way that allowed it to work. I would verify what your brand setting is set to and you can manage access based on brand

I would typically put what you outlined behind Apigee and let the API gateway handle it, but I understand your approach, which means you have to manage the internal and external behaviour with IAP OAuth consent or with a Context-Aware policy. My guess is that on your service you had set "Allow internal traffic and from Cloud Load Balancing"; see the table on Restricting ingress for Cloud Run | Cloud Run Documentation | Google Cloud

Thanks for the reply @djs_75

The OAuth consent screen is set to internal on both the old deployed infrastructure and the new one.

The service is configured with "Allow all" access, so the URL can be reached publicly, but it's only accessible if you have the proper authentication. For other Cloud Run services calling this service, it's done using service authentication directly to the Cloud Run service (specific accounts are given access), and for the external calls it's managed through the load balancer.

I'll look into Apigee and how that could help.

 

 

You could force it with VPC Service Controls as well. That said, try this:

For IAP-authenticated users, ensure that your request to the application is in the following format: YOUR_APP_URL?gcp-iap-mode=FORCE_LOGIN

This enforces authentication for all incoming requests and redirects the request to YOUR_APP_URL after successful authentication, even when allUsers is set and your service (Security tab) is set to "Allow unauthenticated invocations". I don't typically do it this way as it is an extra step outside my automation. For reference: Use IAP as an authentication proxy | Identity-Aware Proxy | Google Cloud

Sorry, I'm not 100% sure how this will solve the issue. The IAP authentication is working fine, and we're only able to access it with the configured members (our GSuite domain); however, the request loses its identity and thus it will throw a 403 when it finally reaches the Cloud Run service.

From your earlier reply, the context appeared to be the other way around.

Interesting, is it an internal or external HTTPS load balancer?

If External, is it global or classic?

If internal, are you using a URL mask?

[attached image: internal_lbjpg.jpg]

 

Not using a URL mask, no.