Kudos! Amazing content. This is the kind of content I am looking for. Thank you!
This is absolutely fantastic! Keep making more videos please! I love the full demonstration of all of these different topics in your videos.
Glad you found it useful! It’s important that more teams and engineers understand how to make good use of these services without wasting time on the same thing over and over again. Sharing is 🔑
Simply the best (and only) clear explanation of how this works. Thank you very much.
Glad it helped!
I’m super glad I found your channel on TH-cam. I love your content and the way you are going through examples. Can’t wait for next videos! Cheers!
Thank you for the kind words! Believe it or not, compliments like yours are what keep me going and doing this :) Glad you are able to benefit from my content.
This is really an amazing video, especially the troubleshooting part. Very clear 😊 Love it!!
Glad it helped!
I like this video; it is the most informative and practical video on the topic of IAP. Thanks for sharing.
Glad it was helpful!
Thank you for this great video. It added a lot to my understanding of this subject!
You are welcome ❤
Thanks for the video. We have performed all the steps: client ID/secret generation, redirect URL addition, IAP enablement using the client ID and secret for the backend service, IAP service account creation, and adding the Cloud Run Invoker and IAP-secured Web App User roles to it. However, even after doing all these steps, the issue we are having is that the backend service is "not appearing" in the APPLICATIONS tab of the IAP page in the console. This looks like a strange issue never seen in any of the IAP videos/articles. Can you please suggest what could have gone wrong from our end? Also, one more input for you: we have the load balancer in the host project and the backend service in the service project (if that matters).
Thanks a lot, great video. Can you please tell me which video recording/editing tool is being used?
Thank you 🙏 I use Camtasia
Amazing explanation! However, I have a doubt regarding the use of OAuth 2.0 credentials in this whole setup. Does the OAuth client ID represent the backend service here, which is delegating authentication to IAP?
Thank you, and I don't think this was explained well in the video. I did some more reading, and one thing I noticed is that the docs on how to create the backend service of the LB have changed: cloud.google.com/iap/docs/enabling-cloud-run#enabling. As you can see at 15:08 in the video, it used to require the client_id and client_secret to create the backend to enable IAP, but that doesn't seem to be there anymore. The latest docs have a note saying "The ability to authenticate users with a Google-managed OAuth client is available in Preview.". Well, technically, if it's in preview they should not update the docs to remove this option, but if it is true then it means by default it will use the Google-managed OAuth client and creating the credentials manually is no longer required.
I've not tested this out yet, but I think it's worth trying it without using a custom credential and just enabling IAP. I think it makes sense, as creating it manually and then specifying it is a lot of faff, since you need to manage the secret rotation etc. yourself.
And my understanding of the way this works is: when a user comes in, the user will pass the auth header, the load balancer backend will intercept it and use IAP to do the verification to see whether the user has permission or not, which is defined in IAM with the user group. Because the IAP SA has been granted invoker access to the Cloud Run service, the user will be granted access after passing through the IAP validation.
I have to integrate with Okta. How do I handle this scenario in my Next.js application? Any suggestion please?
If your organisation is already using Okta as the main identity provider, I don’t believe you need to do anything, as IAP handles auth via Google Workspace identity.
If this isn’t the case, maybe have a look at this: cloud.google.com/iap/docs/enable-external-identities, although it’s questionable why you would use Workspace identity directly while also having Okta as the identity provider.
I have done as you described in the video; however, after logging in as a verified Gmail user, I am getting a "no healthy upstream" error. I have added a health check, but IAP is not letting it pass as the backend is configured for HTTP on port 80.
I don’t believe IAP works with HTTP; you need to use HTTPS listening on port 8080. If I remember correctly, this is the default port of Cloud Run. Port 80 won’t work.
Thanks a lot, but I'm getting stuck on what permissions should be assigned to this service account. I am using Cloud Build with Cloud Run for CI/CD.
Do you mean the IAP service account? If I remember correctly you need to assign the Cloud Run Invoker role to the Cloud Run service you have created, otherwise it won’t be able to call it.
@practicalgcp2780 I have added the Cloud Run Invoker role, Secret Manager Accessor role, and IAP-secured Web App accessor role, and the app is only working when I allow unauthenticated access. For some reason my load balancer IP address is giving me error code 52 when I send a request directly.
At 13:12 I explained this part.
@practicalgcp2780 I see, I see a small error: instead of the project ID it should be the project number. That long number is the project number and not the ID.
@practicalgcp2780 Done what you highlighted at 13:12. Now, when I access the app after allowing unauthenticated access, I am able to access it, but when I click on the load balancer IP I am getting error code 53, and when I don't allow unauthenticated access and add "require authentication" with the load balancer, I am getting a "cannot access URL" error.
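The comments above list the manual steps (enable IAP on the load balancer backend service, give the IAP service agent the Cloud Run Invoker role, grant users access in IAM) and point out that the IAP service agent is named after the project number, not the project ID. The script below is an added example, not code from the video or its author, that wires those steps together with gcloud. All project, service, region and group names are placeholders, and it runs in dry-run mode by default so the commands are printed rather than executed; set DRY_RUN=0 to run them. Enabling IAP without an explicit OAuth client relies on the Google-managed client that the docs linked above describe as being in preview, which is an assumption, so the script also accepts an explicit client ID and secret.

```shell
#!/usr/bin/env bash
# Added example (not from the video): put IAP in front of a Cloud Run backend.
# Every name below is a placeholder; override via environment variables.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"                    # placeholder
BACKEND_SERVICE="${BACKEND_SERVICE:-my-backend}"             # global LB backend (serverless NEG)
CLOUD_RUN_SERVICE="${CLOUD_RUN_SERVICE:-my-app}"             # the private Cloud Run service
REGION="${REGION:-europe-west2}"                             # region of the Cloud Run service
ALLOWED_MEMBER="${ALLOWED_MEMBER:-group:app-users@example.com}"  # who IAP lets through
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-}"       # empty = rely on the Google-managed client (assumed preview)
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands instead of running them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The IAP service agent is derived from the project NUMBER (the mix-up
# discussed in the comments above), never from the project ID.
iap_service_agent() {
  printf 'service-%s@gcp-sa-iap.iam.gserviceaccount.com' "$1"
}

# Resolve the project number from the project ID (real gcloud call, not dry-run safe).
lookup_project_number() {
  gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'
}

# Step 1: enable IAP on the backend service, with or without a custom OAuth client.
enable_iap() {
  if [ -n "$OAUTH_CLIENT_ID" ]; then
    run gcloud compute backend-services update "$BACKEND_SERVICE" --global \
      --iap="enabled,oauth2-client-id=${OAUTH_CLIENT_ID},oauth2-client-secret=${OAUTH_CLIENT_SECRET}"
  else
    run gcloud compute backend-services update "$BACKEND_SERVICE" --global --iap=enabled
  fi
}

# Step 2: let the IAP service agent invoke the Cloud Run service, so the service
# itself can stay closed to unauthenticated callers.
grant_invoker() {
  run gcloud run services add-iam-policy-binding "$CLOUD_RUN_SERVICE" \
    --region="$REGION" --member="serviceAccount:$1" --role=roles/run.invoker
}

# Step 3: decide which identities IAP admits (IAM binding on the IAP-protected backend).
grant_user_access() {
  run gcloud iap web add-iam-policy-binding --resource-type=backend-services \
    --service="$BACKEND_SERVICE" --member="$ALLOWED_MEMBER" --role=roles/iap.httpsResourceAccessor
}

main() {
  if [ "$DRY_RUN" = "1" ]; then
    project_number="123456789012"             # constructed sample number for dry runs
  else
    project_number="$(lookup_project_number)"
  fi
  enable_iap
  grant_invoker "$(iap_service_agent "$project_number")"
  grant_user_access
}

main
```

Keeping the Cloud Run service itself set to require authentication is what makes the load balancer the only way in: a direct request to the run.app URL gets a 403, while a request through the IAP-fronted load balancer is authorised by IAM and then invoked on the user's behalf by the IAP service agent.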
Slides are here: docs.google.com/presentation/d/1Vy8tH70jyzUlGFXu9Cfjl9B9ACrby8mPZ09p9CvPqvo/edit?usp=share_link
Can we apply IAP on an Apigee proxy API?
@dhirajpal1495 Not something I tried; I am not sure that is the right use case. IAP is mainly for internal application authentication; for APIs I am not sure this is the right use case for IAP.