What applications can be secured with Identity-Aware Proxy (IAP)?
IAP can be used with:
- App Engine standard environment and App Engine flexible environment applications.
- Compute Engine instances with HTTP(S) load balancing backend services.
- Google Kubernetes Engine containers.
Currently, IAP cannot be used with Cloud CDN.
Why is there a # at the end of my URL after signing in to my application?
In some browsers and under certain conditions, a # may be appended to the URL after authentication. This is normal and won't cause issues when logging in.
Why was the #... fragment identifier at the end of my URL removed?
As a security measure, this part of a URL is removed during the login process. After logging in, revisiting your URL will work as expected.
Why are my requests failing and returning a 405 error?
The way you include cookies varies between request methods. For example, requests sent with an XMLHttpRequest object need the withCredentials property set to true, while requests sent with the Fetch API need the credentials option set to same-origin. If the errors occur only after a certain amount of time has passed (for example, after 1 hour), see Managing Cloud IAP sessions for information about sessions.
Why am I receiving an HTTP 401 - Unauthorized error instead of an HTTP 302 - Redirect response?
IAP responds with a 302 - Redirect response when a client is configured to handle redirects. To indicate that your client can handle redirects, HTTP Accept="text/html,*/*" is in the header of
Why are POST requests not triggering redirects?
To trigger redirects, ensure that calls to IAP aren't POST requests. Browsers don't redirect as a response to POST requests. Because of this, IAP responds with a 401 - Unauthorized error instead of a 302 - Redirect response.
If you need IAP to serve POST requests, ensure that either the ID token or valid cookies are being passed in the header of the request.
- Include the ID token in an Authorization: Bearer header to make an authenticated request to the IAP-secured resource.
- Obtain valid cookies by refreshing the session.
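The cookie and POST answers above can be combined in one client helper. This is an added example, not code from the IAP documentation; the function names, the wantRedirect option and the hint strings are assumptions made for illustration.

```javascript
// Build fetch() options for a call to an IAP-secured, same-origin endpoint.
function iapFetchInit({ method = 'GET', body, idToken, wantRedirect = false } = {}) {
  const headers = {};
  // 'same-origin' makes fetch send the IAP session cookies with the request.
  const init = { method: method.toUpperCase(), headers, credentials: 'same-origin' };
  // The Accept value this page gives for clients that can handle a 302.
  if (wantRedirect) headers.Accept = 'text/html,*/*';
  // Callers without a cookie session pass the ID token instead.
  if (idToken) headers.Authorization = `Bearer ${idToken}`;
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  return init;
}

// Interpret a 401/405 using the causes this FAQ lists. The backend app can
// return these codes too, so treat the result as a hint, not a verdict.
function diagnoseIapStatus(status, init) {
  const hasToken = Boolean(init.headers && init.headers.Authorization);
  if (status === 405) {
    return init.credentials === 'same-origin' || hasToken
      ? 'credentials were sent; the session may have expired'
      : 'cookies were not included; set credentials to same-origin';
  }
  if (status === 401 && init.method === 'POST') {
    return 'POST is not redirected; the ID token or cookies were missing or not valid';
  }
  if (status === 401) {
    return 'no redirect was offered; check the Accept header or the session';
  }
  return null;
}

// Send the request and throw with a diagnosis instead of returning an IAP error.
// fetchImpl is injectable so the helper can be exercised without a network.
async function iapFetch(url, options, fetchImpl = fetch) {
  const init = iapFetchInit(options);
  const res = await fetchImpl(url, init);
  const hint = diagnoseIapStatus(res.status, init);
  if (hint) throw Object.assign(new Error(`IAP ${res.status}: ${hint}`), { status: res.status });
  return res;
}
```

With XMLHttpRequest, the equivalent of the credentials option is setting withCredentials to true before calling send().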
IAP expects the following cookie prefixes:
The following table lists common error codes and messages that are returned when configuring and using IAP.
| Error code or message | Description | Troubleshooting |
|---|---|---|
| Error Code 7 | Your OAuth client ID or secret values are empty. | Verify that your client ID and secret are correctly configured for your app by viewing the Credentials page. If your client ID and secret appear to be configured correctly, use the |
| Error Code 11 | Your OAuth client ID is incorrectly configured. | Verify that your client ID and secret are correctly configured for your app by viewing the Credentials page. If your client ID and secret appear to be configured correctly, use the |
| Error Code 13 | Your OpenID Connect (OIDC) token is invalid. | Ensure that the client ID configured for IAP isn't deleted by viewing the Credentials page. |
| Error Code 4003 | This might mean the instance isn't listening on the port you're trying to connect to or the firewall is closed. | Ensure that the listening process on the VM is running and listening on the correct port. Also, verify that your Google Cloud firewall is configured correctly and open on the port you're connecting to. |
| Error Code 4033 | Either you don't have permission to access the instance, the instance doesn't exist, or the instance is stopped. | Ensure that you have the IAP-secured Tunnel User Cloud IAM role applied on the resource you're connecting to by viewing the Identity-Aware Proxy page. |
If you're unable to resolve your issue, please contact customer support with the description of your error and the response you get from a GET call to the API. You can remove your client secret from the response.