Error replicating Cloud Run Explore Use Case 5: IAP for Cloud Run app is not set up correctly #1321

Closed
ruanspies opened this issue Apr 12, 2023 · 5 comments · Fixed by #1331

Comments

@ruanspies

I have replicated the example put forward in the Cloud Run Blueprint Use Case 5.

  • I have successfully applied the Terraform in my cloud environment;
  • Can see all of the infrastructure that has been configured;
  • The custom domain is available; and
  • Redirects me to the Google login page

However, after logging in, I see the following text in my browser:

IAP for Cloud Run app is not set up correctly.Please follow the instructions to rectify IAP and Cloud Run set up: https://cloud.google.com/iap/docs/enabling-cloud-run

Another strange thing that I saw was that the OAuth consent screen did not contain any of the custom information that I specified (App name, support email etc.), but simply says Choose an account to continue to iap.googleapis.com.

@juliocc
Collaborator

juliocc commented Apr 12, 2023

@juliodiez can you take a look?

@juliodiez
Collaborator

I'll do. For the first error I have some clue...

@ruanspies
Author

I have tried tweaking some of the underlying Terraform but haven't had any success.

@juliodiez
Collaborator

juliodiez commented Apr 14, 2023

For the first error, "IAP for Cloud Run app is not set up correctly", I guess you modified who can invoke Cloud Run:

iam = {
    "roles/run.invoker" = ["allUsers"]
}

and replaced 'allUsers' with another value. If that's the case, Cloud Run + IAP didn't support that... until this week! Now I'm adding support for it in the terraform code, stay tuned.

Regarding the OAuth screen, not sure and I haven't taken a look yet. Only thing to mention is that the OAuth brand can only be created once and not updated nor deleted (and only "Organization Internal" brands can be created via API), so maybe it was already created for your project?

@ruanspies
Author

Thanks for the response!

I have checked all of the terraform and can confirm that roles/run.invoker is set to allUsers.

I further adjusted the terraform to use the google_cloud_run_service_iam_member but still did not see any change. The "IAP for Cloud Run app is not set up correctly" error still persists.
