1 vote

Enabling a custom domain on an App Engine service is now a breeze, and so is enabling IAP (Google Identity-Aware Proxy). But I can't figure out how to get IAP and my custom domain to work together!

  1. both https://myservice-dot-myapplication.appspot.com and https://myservice.mydomain.com are triggering the IAP consent screen where I can login through an appropriate user (as configured in IAP Role/Member)
  2. https://myservice-dot-myapplication.appspot.com will let me see my app after login
  3. https://myservice.mydomain.com will consistently deny me access with the "You don't have access" message, just like if I log in through a Gmail account which is not authorized by the IAP configuration

If I disable IAP, I can go through both domains (without authentication of course, which is not desired) and confirm that the custom domain is indeed working with an appropriate and auto-generated certificate. It feels like I missed an option in IAP to configure an alias domain or something like that, but I can't find that option.

What did I miss? Or is it simply not possible to get IAP to work with a custom domain at the moment? Thanks for your help! ❤️

NB: The Domain Names Have Been Changed to Protect the Innocent.

2
IAP displays a list of domain names that you can enable when you turn on IAP. What is displayed? – John Hanley
Correct! Only the .appspot.com (non-custom) domain is in the "Published" column, though :-/ – Clorichel
Hm, this should all actually just work. We removed the need to specify the domain when turning on IAP back in July: twitter.com/mattsachs/status/1146465441495171072 . Let me see if I can reproduce this when I get back to my desk. Or, if you can, send me your domain names through here or at msachs -AT- google.com and I can take a quick look. --Matthew, Google IAP engineering – Matthew Sachs

2 Answers

2 votes

If you are using automatic certificate management, it's likely that https://myservice.mydomain.com isn't actually routing to the service you expect.

Custom domain mappings always route to the default service by default. A wildcard domain can automatically route to other versions or services when they match the "*" part of the mapping (see https://cloud.google.com/appengine/docs/standard/nodejs/mapping-custom-domains#wildcard_mappings). Unfortunately, automatic certificate management is not yet supported for wildcard domains.

As long as you don't have too many services to route to, there is a way to use managed certificates and still route to multiple services:
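One way to do that routing while keeping a managed certificate, as an added example and not code from the answer above: App Engine's dispatch.yaml matches the request hostname and path and hands matching requests to a named service, so the custom domain keeps its single non-wildcard mapping (which managed certificates support) but still reaches the intended service. The names myservice and myservice.mydomain.com are the placeholders from the question; the second rule's other / other.mydomain.com are hypothetical.

```yaml
# dispatch.yaml (added example; deploy with: gcloud app deploy dispatch.yaml)
#
# Rules are evaluated in order and the first match wins. A request that
# matches no rule falls through to the custom domain's implicit target,
# the default service, which is where the question's custom-domain
# requests were ending up. IAP evaluates access against the service that
# actually handled the request, so an IAP grant scoped to "myservice"
# only applies once requests for that hostname really reach "myservice".
# A custom-domain mapping for each hostname (with its managed certificate)
# must still exist; dispatch rules only choose the service behind it.
# App Engine allows at most 20 routing rules, hence "not too many services".
dispatch:
  # Send everything for the question's custom hostname to its service.
  - url: "myservice.mydomain.com/*"
    service: myservice

  # Hypothetical second hostname and service, to show how several
  # non-wildcard custom domains can each get their own managed
  # certificate and their own IAP-protected service.
  - url: "other.mydomain.com/*"
    service: other
```

After deploying, confirm with `gcloud app describe` / the custom-domains page that the hostname mapping is still "Published", then re-test the IAP login on the custom domain; if it now succeeds, the earlier denial was the default service's IAP policy, not a custom-domain limitation in IAP.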

2 votes

Edit: The App Engine team suspects that https://stackoverflow.com/a/60140415/7764352 is actually what's going on here, and that custom domains aren't affected by this IAP issue.

There appears to be an issue where App Engine doesn't pass the service identifier to IAP in some circumstances. It looks like at least some uses of custom domains can trigger that. As a workaround, you can grant access to the entire app instead of to a specific service. I'll let the team know that we've found another case that triggers this, I've previously only seen it with an App Engine app behind IAP subscribing to a Cloud Pub/Sub topic.

(I don't know whether it's all uses of Custom Domains that run into this bug or if there's something else going on here. App Engine Standard v. Flexible environment probably also makes a difference.)