Connecting to Google Workspace via Google Cloud Identity Aware Proxy - google-cloud-platform

We are considering a configuration that connects to Google Workspace via Identity Aware Proxy.
I have done the following setup and it is returning ErrorCode 52.
(1) Create a custom URL in Google Workspace
  For Google Drive: http://drive.mydomain.com
(2) Create a network endpoint for the custom URL
(3) Configure HTTPS load balancer and specify the network endpoint as the backend
  URL: https://iap.mydomain.com
(4) Enable IAP
We have confirmed that Google Drive can be accessed via the load balancer with IAP turned off.
Also, when IAP is enabled, accessing with an account that does not have access rights leads to the expected screen.
Access by an account that does have access rights is not working.
I issued a wildcard certificate ("*.mydomain.com") and connected it to the load balancer, but this did not change the situation.
I also added "*.mydomain.com" to the allowed domains with the following command, but this did not help either.
gcloud iap settings set SETTING_FILE.json --project=myprojectid --resource-type=iap_web
Is what I am trying to do feasible with IAP?
Are there any other settings I should do?
(I connect to the Internet via a corporate proxy.)
Documents I referred to when troubleshooting:
https://cloud.google.com/iap/docs/allowed-domains
https://cloud.google.com/iap/docs/faq

Related

ERROR: Access is forbidden when trying cloud run service-to-service communication

I'm trying to implement cloud-run services to service communication.
Aim: service A (frontend) needs to call service B (content-api), which is connected to a Cloud SQL DB.
Implemented using official doc - https://cloud.google.com/run/docs/authenticating/service-to-service
My present setup is as below
Frontend service config
Created a new service account and attached it.
Created a serverless VPC connector in the host project and configured it with all traffic through this connector.
Ingress is set to allow all traffic
Authentication is set to allow unauthenticated invocations
Content-api config
Created another new service account and attached it.
Used the same serverless VPC access connector that is in the host project and configured it with all traffic through this connector.
Ingress is set to allow internal traffic only.
Authentication is set to require authentication (the frontend service code is fetching a token from the metadata server and is able to connect using that token).
Also configured the Cloud Run Invoker role for the frontend service account principal in content-api (show info panel settings).
Expecting to get data from content-api when frontend service is triggered.
I'm able to trigger the frontend service but get an access forbidden error (I'm guessing because content-api is set to allow internal ingress only). But when I change the content-api ingress setting to allow all traffic, it works fine: it requests a token and uses that to call content-api, which queries the DB and responds with the expected value.
What could be the cause of the access forbidden error with the internal ingress setting? And how can it be resolved? Thanks in advance for your answers/suggestions.
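The token-fetching step the question describes (the frontend asks the metadata server for an ID token and sends it as a bearer token to content-api), written out as an added example. This is not code from the question; it assumes the caller runs on Cloud Run so that the metadata server is reachable, that the callee's own URL is used as the token audience, and the service URL shown is a hypothetical placeholder. The HTTP transport is injected so the logic can be exercised offline with a fake.

```python
"""Service-to-service call to a Cloud Run service that requires authentication.

Added example, not code from the question above. Assumes the caller runs on
Cloud Run (metadata server reachable) and uses the callee URL as audience.
"""
import base64
import json
import urllib.parse
import urllib.request

# Metadata server endpoint that mints a Google-signed ID token for the
# service's runtime service account.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)


def identity_token_request(audience):
    """URL and headers for requesting an ID token whose `aud` is `audience`."""
    query = urllib.parse.urlencode({"audience": audience})
    return METADATA_IDENTITY_URL + "?" + query, {"Metadata-Flavor": "Google"}


def fetch_id_token(audience, http_get):
    url, headers = identity_token_request(audience)
    return http_get(url, headers).strip()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    The client just received this token from the metadata server, so this is
    only a local sanity check (e.g. that `aud` is the callee URL). The callee
    (Cloud Run) verifies the signature; never trust an unverified payload on
    the receiving side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def call_service(service_url, path, http_get):
    """Fetch an ID token for `service_url` and GET `service_url + path`.

    A token minted for the wrong audience is a common reason an
    authenticated Cloud Run callee answers 403 even though the caller's
    service account holds roles/run.invoker, so the audience is checked
    before the request is sent.
    """
    token = fetch_id_token(service_url, http_get)
    if jwt_claims(token).get("aud") != service_url:
        raise ValueError("ID token audience does not match the target service")
    return http_get(service_url + path, {"Authorization": "Bearer " + token})


def urllib_get(url, headers):
    """Real transport for use inside Cloud Run."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


# Constructed, unsigned sample token for offline demonstration only; a real
# token from the metadata server is RS256-signed by Google.
SAMPLE_SERVICE_URL = "https://content-api-abc123-ue.a.run.app"  # hypothetical
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"none","typ":"JWT"}'),
    _b64url_encode(json.dumps(
        {"aud": SAMPLE_SERVICE_URL, "iss": "https://accounts.google.com"}
    ).encode()),
    "",
])


def fake_get_factory(token, body):
    """Fake transport: returns `token` for the metadata URL, `body` otherwise.

    Returns (http_get, calls); `calls` records every (url, headers) seen.
    """
    calls = []

    def http_get(url, headers):
        calls.append((url, dict(headers)))
        if url.startswith(METADATA_IDENTITY_URL):
            assert headers.get("Metadata-Flavor") == "Google"
            return token
        return body

    return http_get, calls


def demo():
    http_get, calls = fake_get_factory(SAMPLE_TOKEN, '{"items": 3}')
    body = call_service(SAMPLE_SERVICE_URL, "/api/content", http_get)
    return body, calls


if __name__ == "__main__":
    print(demo())
```

Inside Cloud Run, replace the fake transport with `urllib_get`. Note that the bearer token only satisfies the callee's IAM check; the "internal traffic only" ingress check is applied separately and depends on how the caller's egress is routed.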

Authentication config for cloud run behind IAP

I want to run a Cloud Run service behind an external HTTPS LB and IAP. After setting everything up, I still get a 403 Forbidden when trying to access the Service via the URL pointing to the LB (after IAP login pops up and I sign in). I presume this is because the Cloud Run service Auth configuration is set to 'Require Authentication' and according to Google Documentation it needs to be 'Allow Unauthenticated Invocations'. Unfortunately, according to an Organization policy, this is not possible.
However, I noticed I have another Cloud Run service (in another Organization) with basically the same setup (HTTPS LB and IAP enabled for the service), and here I can access the Service through the IAP even though the Cloud Run Service is set to 'Require Authentication'.
So there seems to be a way to have a Cloud Run Service with Authentication AND IAP, but I can't figure out how (or why it works for one service and not for the other one).
What could be the reason for that?

How to allow calls to Cognito from an AWS ECS container instance?

I have a setup with an ALB and a target group created by ECS. I'm using Fargate and created a build pipeline by following this article. My app is built with .NET Core and has an Angular frontend. I got all this working and I'm able to deploy my code changes, but I'm a bit stuck with the following issue.
I'm using Cognito for authentication and a custom domain that I set for the hosted UI. It seems that, from the browser, when I try to hit an endpoint that is secured, I get a 504 Gateway error, which somehow is not doing the redirect to Cognito in the browser. All this works fine when I run the application on localhost.
When I looked at the logs, I noticed the following exception:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://cognito-idp.<region>.amazonaws.com/<region_and_a_code>/.well-known/openid-configuration'
Apparently, it can't establish a connection to Cognito. My containers are using only port 80, my target group instances are also using port 80, ALB uses HTTPS on 443 which directs the traffic to the target group, and for ALB port 80 I just redirect to 443.
I tried a few different things, like setting the authority value instead of the metadata address, tried using a BackChannelHttpHandler to execute the HTTPS call, tried updating the port mappings to allow communication on 443, but somehow it seems that it gets overridden by the task definition that I have created when I set up the build pipeline. The network mode in my task definition is now awsvpc, and if I try to set it to host, it will complain that I can't use it with Fargate.
What do I need to do to allow the HTTPS request from my Docker container instances to reach Cognito?
You are trying to set this up with a public ALB. This setup works with a private NLB and might work with a private ALB as well. You can then set up VPC private links to get at the services you need access to.

Getting 403 when connecting to a Cloud Run service when using a Serverless VPC Connector

I have a service on Cloud Run (Service A) who is trying to call another service on Cloud Run (Service B). Both the services are in us-east1.
For Service B, Ingress is set to 'Allow internal traffic only' and Authentication is set to 'Allow unauthenticated invocations'.
I created a Serverless VPC Connector in the same region as the services and set the IP address range to 10.8.0.0/28. 
I then connected Service A to the connector mentioned above and set 'Route only requests to private IPs through the VPC connector'.
I seem to be getting a 403 when attempting to hit the service. Has anyone had this issue? If so, how did you solve this problem?
You need to set the egress to All, to route all the traffic to the serverless VPC connector.
Indeed, even if you set service B to internal egress, the Cloud Run service is still exposed publicly, but an additional check is performed on incoming requests to validate the traffic origin (whether it comes from your VPC or not).
In your case, in service A, with private-ranges-only egress, you route only traffic going to private IPs through the connector, and that is not the case for the always-publicly-exposed "internal" service B.
I am guessing that the 403 code you are getting comes from the Cloud Run service and that it is a problem with authentication. To solve that error code you could follow this link, where you will find a detailed explanation of how to authenticate users for your services.
I was able to fix this issue. This must be used when you have to use an authenticated user to access a Cloud Run application:
Accessing Authenticated Cloud Run applications using IAP
It means that your client is not authorized to invoke this service.
You can address this by taking one of the following actions:
If the service is meant to be invocable by anyone, update its IAM settings to make the service public.
If the service is meant to be invocable only by certain identities, make sure that you invoke it
Please find the link that might help in troubleshooting this error.

AWS Elasticsearch & VPC - configuring network access from my fixed IP

I am unable to access AWS Elasticsearch Kibana with a browser.
I have set up an Elasticsearch instance within my VPC exactly as described here;
https://aws.amazon.com/blogs/aws/amazon-elasticsearch-service-now-supports-vpc/
I used the default IAM access policy template, which is basically all current IAM principals (*).
My EC2 webapp (xenforo forum) is happily connected and chugging away.
I would like to access my elasticsearch domain kibana endpoint via browser from my home PC.
The security group I attached to the cluster configuration includes a rule to allow ALL TCP inbound from my home broadband fixed IP address.
I log into the AWS console, click the Kibana link from the elasticsearch domain overview and... nothing, times out.
I have read everything I can find on the matter. No joy - except perhaps I should be signing my https requests as well which seems crazy complicated and my understanding is that IP access should be configurable with security groups?
Can anyone clarify?
To access Kibana, it seems the only way is to pass the proper headers with your requests.
We solved it by using https://github.com/abutaha/aws-es-proxy. It's not the nicest, but it works for us.
Requires having aws-cli installed.
Requires a bit of setup, but works well afterwards.
Hope it helps.
Hi, there are many ways to access Kibana; here are some of them that I found:
Use an SSH tunnel. For information on how to do this: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-ssh-elasticsearch
Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
Disadvantages: Requires client-side configuration and a proxy server.
Use an NGINX proxy. For information on how to do this, please see: https://aws.amazon.com/premiumsupport/knowledge-center/kibana-outside-vpc-nginx-elasticsearch
Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.