This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

cloud run + load balancer ingress control

Posted on 08-16-2024 11:04 AM
nc2
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi all,

 

I have a Cloud Run Hello World Application and it is running behind a load balancer set up with a NEG. It is running HTTPS, and I issued a cert on the load balancer, and configured everything properly. I have this Load Balancer set up with IAP. IAP has the right permissions as a IAP Web-secure user, I have necessary Cloud run permissions as well.

When I type in the domain, I can login, but then it comes up with a 403 error

Error: Forbidden
Your client does not have permission to get URL / from this server.

I was wondering how I can fix this. Upon research I found. that VPC serverless access is something I can use? I don't know why the 403 is happening, if the ingress control for Cloud Run allows internal+external Application Load Balancer, and the external load balancer has a cert and an external ip, why is 403 occuring? what reasons wo

Solved Solved
0 1 1,288
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
nc2
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Solution: when I enabled IAP, there was supposed to be an attached service account with the correct permissions in IAM.

No service account was auto generated, I had to manually make it with the correct name. 

service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com

I never got this error: The IAP service account is not provisioned. Please follow the instructions to create service account and rectify IAP and Cloud Run setup:

I just had to randomly guess it was not being populated after examining the IAM. That was my solution after having proper permission for my user i wanted to go onto the site with, with an internal cloud run app linked internal to external application load balancer.

 

View solution in original post

Jump to Solution
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
nc2
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Solution: when I enabled IAP, there was supposed to be an attached service account with the correct permissions in IAM.

No service account was auto generated, I had to manually make it with the correct name. 

service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com

I never got this error: The IAP service account is not provisioned. Please follow the instructions to create service account and rectify IAP and Cloud Run setup:

I just had to randomly guess it was not being populated after examining the IAM. That was my solution after having proper permission for my user i wanted to go onto the site with, with an internal cloud run app linked internal to external application load balancer.

 

Jump to Solution
0 Likes