IAP is a game changer. I wish other cloud providers would take note and do something similar! Well done Google!
Happy to hear you find it useful!
IAP is very powerful. We used to utilize a custom VPN for this kind of access.
Everything worked out great. The only problem is, my users are usually on their personal Google account. After enabling internal only, they will be blocked and see the org_internal error screen (which is expected), but they don't have an option to switch accounts. Is there a way to include a button in the consent screen to allow the user to switch accounts?
You bring up a good point. I talked with the team, they appreciate the input, and they will think about how to address it. Thank you for bringing this up!
I have multiple App Engine services. It looks like I can turn on IAP for the whole App Engine app but not for individual services.
Very nice explanation!
One Q: Around the 9:00 mark when creating the OAuth config you mentioned not needing any additional scopes. Can you point to the docs or an example of what to do if you wanted to have an application using IAP access GCS or other Google Cloud resources on behalf of the user (say to prompt a user for a source of data and let them browse their GCS buckets)? How does the app take its authenticated user and parlay that into a Google user ID token to access downstream services?
This was nicely explained. I love GCR. Anyone know of a video on how to use their sidecar feature? Multiple containers in one service.
Can't change OAuth screen to internal once it's been created. I had an old OAuth consent screen and cannot edit it or remove it.
Hi, can I use IAP to access BigQuery?
No, IAP can only be used in front of App Engine, Cloud Run, Compute Engine, GKE, or on-prem systems. You could of course put a simple application on one of those platforms in front of BigQuery and authenticate with IAP. Or you could give individual users access to BigQuery directly in your project.
Nice one Martin. Please look at making future videos with infra automation along with the Console-based setup, as real-world use cases are mostly using these.
This is a great idea, I'd love to see that too. Like a terraform module or something that takes in parameters such as principals, domain names and so forth.
@jk.g This is a great idea. We chose to mostly show the Cloud Console in these videos, because it's more visual. You can only watch so much white text on a black background before it all starts to look the same. But we agree; more Terraform and infrastructure-as-code content would be useful. I'm adding it to the list of future episodes!
Hello, I did everything the same as was mentioned in this video. But I'm getting the error "from origin has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource." After a refresh it's gone, but after clearing cookies it still exists. Could someone help with it?
Does this setup facilitate IAP validating a user, then based off that user's credentials the Load Balancer routes them to their specific Cloud Run app?
The load balancer makes routing decisions based on what's in the URL. If your entry page requires a log in, it could then examine who the user is and redirect the user to a URL that leads to the right Cloud Run application. That Cloud Run app would also need to verify the user.
@TheMomander Thanks for the reply!
Not sure if you already answered my question exactly or not. But.
What I'm interested in knowing is: can one single load balancer be used to route many users to different Cloud Run apps? Instead of an individual load balancer per Cloud Run app.
e.g.
"Dave" logs in via IAP, the Load Balancer sees who logged in and routes Dave to "Dave's Dashboard" on Cloud Run. Then "Jenny" logs in via IAP, the Load Balancer sees who logged in and routes Jenny to "Jenny's Dashboard" on Cloud Run. Dave and Jenny have separate Cloud Run apps.
Does this seem doable?
@John845 Yes, one load balancer can direct traffic to multiple Cloud Run services, based on the URL. A single load balancer can also direct traffic to multiple Cloud Functions, App Engine apps, virtual machines, or Kubernetes clusters.
@TheMomander I watched the full video but haven't gone through the full step by step myself. But with the Load Balancer that's created in this video, would it be easy to modify its default single use (1 Cloud Run app) and make it work for multiple Cloud Run services based on the URL as you mention?
@John845 There is a document titled "Set up a global external HTTP(S) load balancer (classic) with Cloud Run, App Engine, or Cloud Functions" that describes how to do it. Because the load balancer has already been created, you can skip ahead to the section named "Create the load balancer". Within that section, skip to the sub-section named "Backend configuration" and start there. Best of luck!
I would like to verify my users on my website, hosted outside of Google, and then simply send a bearer token with them to my Cloud Run service (in other words, Google would not be involved in authenticating my users). Is there a setting on Cloud Run which permits access with only a bearer token?
That's an interesting use case. For a custom setup like that I *think* you'd need custom code. Your request handler code in Cloud Run would look for the bearer token in the request and decode it. If the token isn't there or can't be decoded, your handler would return status code 403. If the token is fine, your code would continue processing the request. You would not use IAP and you would need to open your Cloud Run service to unauthenticated access. In other words, your code would handle your custom security, instead of Google doing it.
Hope this helps!
@TheMomander thanks for sharing your valuable insights. Just curious to know more about a backend Cloud Run service hosted behind API Gateway with a similar bearer token authorisation use case.
Hi, I followed everything mentioned in this tutorial but when I want to access my Web App, I only get the "Forbidden" response... Which is normal since I'm never invited to authenticate. Is there something I am missing? :/
It's hard to tell without being there with you. Did you set up a load balancer, assign your custom domain name to it, and enter that domain name in your browser?
@TheMomander I did set up a load balancer but can't reach my app when using the IP generated by Google.
I tried testing locally in the meantime but got no login page. Is it because the login page only triggers when everything is set up on the Cloud, or is there additional code that I'm missing for the Google Sign In?
@MartinTesson The login page will only be triggered when the application runs in the cloud.
I am not able to see my cloud run apps under IAP
It's hard to know what is going wrong in your project without a more detailed description. But it could be that you didn't set up the load balancer, see 6:08 in the video. I have run into cases before where a developer forgot to do that part.
I cannot stand these "fun kid friendly" coding tutorials. Just get to the point and leave the fluff out.
Advertising a Global Load Balancer for each internal service. This is insane! Is Google paying the bill?
You do not have to segregate every service. I'm pretty sure you could also introduce Apigee in front of your services too, which would allow one load balancer for all your service traffic in a particular region.
@KevinBoutin Great idea! Another piece of heavy software in this lightweight serverless adventure. Sorry, but this doesn't make sense at all. Additionally, this video doesn't show at all how complicated it is to set up a Load Balancer…
The only reason to use a load balancer is not the load balancing but to have an external IP for the IAP…
@nicolas00865 The load balancer also lets you put a custom domain in front of your Cloud Run service, with HTTPS termination. It's not too hard to set up. Just fill out the form shown at 6:15 in the video.
If you want a serverless option you can put Firebase Hosting in front of your Cloud Run service. There is no monthly fixed cost with that approach, but it won't let you use IAP.
Thank you for the comment. I regularly watch your content to get some inspiration on GCP architecture, and although I may disagree on this one, most of your videos are really helpful.
For the LB, I'm fully aware of what it can achieve. Cloud Run supports a custom domain by default without an LB (only in some countries) but does not have a fixed IP. Here, this IAP design with an LB is just to have this fixed IP, right? It would be a lot simpler if we could connect IAP to Cloud Run without the need for an LB in the middle.
As for Firebase Hosting, I'm not familiar with the product. Thank you for the suggestion, I'll check if this makes more sense.
@googlecloudruntech I cannot see cloud run in the IAP section
When that happens it's usually because the load balancer hasn't been set up. See timestamp 6:18 in the video for how to do that.
This is very cool, however I found the video to be very patronising