
I have a Google Cloud App Engine app that functions correctly when either I allow unauthenticated AllUsers access or turn on IAM for controlling access in Identity Aware Proxy. However, when I follow the instructions on this page https://cloud.google.com/iap/docs/cloud-run-sign-in to enable Cloud Run Hosted sign-in with external identities and attempt to access either the login page or the Google Cloud Run hosted sign-in page, I receive the following error in the browser.

"Could not fetch URI /computeMetadata/v1/instance/service-accounts/default/token?scopes=https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/identitytoolkit"

For context, the Google Cloud Run service hosting the user sign-in is set to allow all Unauthenticated. It should re-direct to the Google App Engine web app. I think this is related to permissions or redirects, but I am at a loss as to how to fix. Any thoughts? Thanks!

I attempted to fix it by re-deploying the Cloud Run Service, switching IAP on and off, and switching between IAM and external identities, but without success.

Thanks @John Hanley, I discovered that one of my compute engine service accounts was disabled for some reason within the project. Re-enabling it solved the problem partially. I'll spend more time matrixing out the permissions and re-directs to make sure they are aligned.

I originally thought I completely answered my own question and solved my problem. Unfortunately, I only solved one of the problems with my implementation of the external identities authentication method.

Description of the other problem: I enabled email/password and Google as providers, but when I click on the option to authenticate with Google, I receive the following text in the browser: "The requested action is invalid."

At the Console in Dev Tools I get the following error:

GET https://www.googleapis.com/identitytoolkit/v3/relyingparty/getProjectConfig?key=*mykey*&cb=1599165379363 403

The following url is displayed in the URL bar:

https://.firebaseapp.com/__/auth/handler?apiKey=mykey&appName=%5BDEFAULT%5D-firebaseui-temp&authType=signInViaRedirect&providerId=google.com&customParameters=%7B%22hl%22%3A%22en%22%7D&scopes=profile&redirectUrl=https%3A%2F%2Fiap-gcip-hosted-ui-app-engine-app-myserver-uc.a.run.app%2F%3FapiKey%3Dmykey**&v=7.16.0&fw=FirebaseUI-web

mykey and myserver were removed for this post and are not the actual values.

Email/password sign-in works, but not the Google sign-in. What am I missing here?

Jeff
  • Edit your question with details on the service account assigned to your Cloud Run service. What roles are assigned? The metadata endpoint that you are calling (default/token) returns an OAuth2 Access Token. You must grant the service account assigned to Cloud Run a role that grants permission (compute.projects.get OR compute.instances.get). Also, are you including the HTTP header `Metadata-Flavor: Google` when calling that endpoint? Edit your question with more details and not as comments. – John Hanley Aug 30 '20 at 17:24
  • Does it work with Google account in IAP? – guillaume blaquiere Aug 30 '20 at 18:22
  • Yes, the google account works in IAP. – Jeff Sep 04 '20 at 01:28
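The error quoted in the question is the hosted sign-in service failing to fetch an access token from the metadata server for its default service account. The following diagnostic, written for this thread and not taken from the question, from Google's docs, or from the sign-in service's code, rebuilds that exact request (same path, same two scopes, plus the `Metadata-Flavor: Google` header John Hanley mentions) and maps a refusal to the cause found here: a disabled or under-privileged service account. The `opener` parameter is a constructed hook so the logic can be exercised off-platform.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed constants: the metadata server host Cloud Run/GCE expose, and the
# token path and scopes copied from the error message in the question.
METADATA_HOST = "http://metadata.google.internal"
TOKEN_PATH = "/computeMetadata/v1/instance/service-accounts/default/token"
SCOPES = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/identitytoolkit",
]


def build_token_request(scopes=SCOPES):
    """Build the token request; the Metadata-Flavor header is mandatory or the
    metadata server rejects the call."""
    query = urllib.parse.urlencode({"scopes": ",".join(scopes)}, safe=":/,")
    url = f"{METADATA_HOST}{TOKEN_PATH}?{query}"
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


def diagnose_http_error(code):
    """Translate a metadata-server HTTP error into the checks this thread turned up."""
    if code in (403, 404):
        return ("metadata server refused the default service account: check that the "
                "service account attached to the Cloud Run service exists, is enabled "
                "(not disabled in IAM), and holds a role on the project")
    return f"metadata server returned HTTP {code}"


def fetch_access_token(opener=urllib.request.urlopen):
    """Return (token, None) on success or (None, diagnosis) on failure.
    `opener` is a constructed injection point; on Cloud Run the default urlopen is used."""
    req = build_token_request()
    try:
        with opener(req) as resp:
            body = json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return None, diagnose_http_error(e.code)
    except urllib.error.URLError as e:
        return None, f"metadata server unreachable ({e.reason}); not on Cloud Run or GCE?"
    token = body.get("access_token")
    if not token:
        return None, f"unexpected token response: {body}"
    return token, None
```

Run inside the Cloud Run container (for example from a debug endpoint) to confirm whether the service's own identity can mint the token before chasing IAP or redirect settings.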

0 Answers