
cloud run + load balancer ingress control

nc2
Silver 1

Hi all,

I have a Cloud Run Hello World application and it is running behind a load balancer set up with a NEG. It is running HTTPS, and I issued a cert on the load balancer, and configured everything properly. I have this load balancer set up with IAP. IAP has the right permissions as an IAP Web-secure user, and I have the necessary Cloud Run permissions as well.

When I type in the domain, I can log in, but then it comes up with a 403 error:

Error: Forbidden
Your client does not have permission to get URL / from this server.

I was wondering how I can fix this. Upon research I found that VPC serverless access is something I can use? I don't know why the 403 is happening. If the ingress control for Cloud Run allows internal + external Application Load Balancer, and the external load balancer has a cert and an external IP, why is the 403 occurring? What reasons wo

Accepted solution

nc2
Silver 1

Solution: when I enabled IAP, there was supposed to be an attached service account with the correct permissions in IAM.

No service account was auto-generated; I had to manually make it with the correct name.

service-[PROJECT_NUMBER]@gcp-sa-iap.iam.gserviceaccount.com

I never got this error: The IAP service account is not provisioned. Please follow the instructions to create service account and rectify IAP and Cloud Run setup:

I just had to randomly guess it was not being populated after examining the IAM. That was my solution after having proper permission for my user I wanted to go onto the site with, with an internal Cloud Run app linked internal to external application load balancer.
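A check for the condition described in the accepted solution, as an added example that is not part of the original thread: it inspects a Cloud Run service's IAM policy for the IAP service agent. Assumptions: the permission in question is `roles/run.invoker` on the Cloud Run service (the post only says "correct permissions"), the input has the JSON shape of an IAM policy, and the project number and sample policies are constructed.

```python
import json

# Assumption: the role the IAP service agent needs on the Cloud Run service.
INVOKER_ROLE = "roles/run.invoker"
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def iap_agent(project_number):
    # Name format quoted in the accepted solution.
    return f"service-{project_number}@gcp-sa-iap.iam.gserviceaccount.com"


def check_policy(policy_json, project_number):
    """Return findings for a Cloud Run IAM policy (JSON text); empty list means OK."""
    want = "serviceAccount:" + iap_agent(project_number)
    members = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.update(binding.get("members", []))
    findings = []
    if want not in members:
        # IAM lists a principal deleted after it was bound as
        # "deleted:serviceAccount:<email>?uid=<id>"; that binding grants nothing.
        if any(m.startswith("deleted:" + want + "?") for m in members):
            findings.append(f"stale: binding for {want} points at a deleted identity")
        else:
            findings.append(f"missing: {want} has no {INVOKER_ROLE}")
    for m in sorted(PUBLIC & members):
        # With a public invoker, Cloud Run itself does not authenticate callers.
        findings.append(f"public: {m} holds {INVOKER_ROLE}")
    return findings


# Constructed sample policies; project number 123456789012 is made up.
PN = "123456789012"
AGENT = "serviceAccount:" + iap_agent(PN)
BROKEN = json.dumps({"bindings": [
    {"role": INVOKER_ROLE, "members": ["user:dev@example.com"]}]})
STALE = json.dumps({"bindings": [
    {"role": INVOKER_ROLE, "members": ["deleted:" + AGENT + "?uid=1"]}]})
FIXED = json.dumps({"bindings": [
    {"role": INVOKER_ROLE, "members": [AGENT]}]})

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("stale", STALE), ("fixed", FIXED)):
        print(name, check_policy(policy, PN) or "ok")
```

The policy text can be taken from `gcloud run services get-iam-policy SERVICE --region REGION --format=json`, where SERVICE and REGION are placeholders.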

 
