This article contains frequently asked questions about Identity-Aware Proxy (IAP).
What apps can I secure with IAP?
IAP can be used with:
- App Engine standard environment and App Engine flexible environment apps.
- Compute Engine instances with HTTP(S) load balancing backend services.
- Google Kubernetes Engine containers.
- Cloud Run apps with HTTP(S) load balancing backend services.
Currently, IAP cannot be used with Cloud CDN.
Why is there a # at the end of my URL after signing in to my app?
In some browsers and under certain conditions, a #
may be appended to the
URL after authentication. This is normal and won't cause issues when logging in.
Why are my requests failing and returning a 405 Method Not Allowed status code?
This can be caused by not attaching cookies to your requests. By default, JavaScript methods don't attach cookies to requests.
The way you include cookies varies between request methods. For example,
requests sent with an
XMLHttpRequest
object
need the withCredentials
property set to true
, while requests sent with the
Fetch API
need the credentials
option set to include
or same-origin
.
For information on handling errors that only occur after some time has passed, see Managing IAP sessions.
Why am I receiving an HTTP 401 Unauthorized status code instead of an HTTP 302 Redirect?
IAP responds with a 302 Redirect
status code when a client
is configured to handle redirects. To indicate that your client can handle
redirects, ensure that HTTP Accept="text/html,*/*"
is in the header of
requests.
Why are POST requests not triggering redirects?
To trigger redirects, ensure that calls to IAP aren't
POST requests. Browsers don't redirect as a response to POST requests. Because
of this, IAP responds with a 401 Unauthorized
status code
instead of a 302 Redirect
.
If you need IAP to serve POST requests, ensure that either the ID token or valid cookies are being passed in the header of the request.
Include the ID token in an Authorization: Bearer
header to make an
authenticated request to the IAP-secured resource.
Obtain valid cookies by refreshing the session.
Can I use IAP if I have disabled the API?
Yes, access to resources secured with IAP works with the API disabled, but you won't be able to make changes to IAM permissions.
How can I restrict users with the Owner role from using IAP for TCP?
First, avoid using the Owner (roles/owner
) role as much as possible. The Owner
role grants wide permissions across Google Cloud. Assigning more granular
roles and permissions can increase the security of your project. To learn more,
see the IAM best practices.
If you cannot reduce usage of the Owner role, you can block IAP for TCP using Firewall rules.
What domain does IAP for TCP use?
IAP uses the following domains, which are owned by Google:
tunnel.cloudproxy.app
mtls.tunnel.cloudproxy.app
if certificate-based access is enabled.
If you're connecting through a proxy server or firewall, make sure that they allow traffic to these domains, and that they don't block the use of WebSocket connections.
If you block traffic to these domains you will be unable to use IAP for TCP. You might receive one of several error messages.
If you are using gcloud
, the error message might be
Error while connecting [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
If you are using SSH from the browser the error message is
Cloud Identity-Aware Proxy Failed
There is no associated error code.
Why am I receiving the error Server Error
?
If you receive the following error message, your firewall might be disallowing the IPs 130.211.0.0/22
and 35.191.0.0/16
:
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
If the load balancer IPs 130.211.0.0/22
and 35.191.0.0/16
cannot reach your backend, your applications might not be accessible. For more information, see Setting up an external HTTPS load balancer.
If you are using IAP for TCP to connect to a specific VM, the VM must accept connections from addresses in the 35.235.240.0/20
range.
Why am I receiving intermittent internal server errors?
An error message in the following format indicates an internal failure:
An internal server error occurred while authorizing your request. Error code X
Internal errors with error codes 1
, 30
, 62
, 63
, 64
, or 703
indicate
backend failures. A low rate of these backend errors often indicates a transient
issue. Clients should retry the request using exponential backoff.
How can I address quota exceeded errors (Error code 429)?
Error code 429 indicates that the traffic to the application is being throttled by IAP. IAP enforces a limit of 360,000 requests per minute per project. If there are multiple applications hosted in a single project, the quotas are applied to the total requests received by all of the IAP-protected applications in the project.
If you are experiencing quota exceeded errors from IAP, here are a few techniques you can apply to alleviate the problem. * Load testing in production instances is discouraged. If the increased load is because of load testing, we recommended that you find alternative network paths to your application that does not invoke IAP.
If your application is receiving high service-to-service traffic, we recommend that you implement exponential back-off on the client side to handle 429 errors gracefully.
If there are multiple high traffic applications within the same project, consider moving some of the applications to a different project.
If the application is built as an API instead of a web application, consider using API gateway solutions like Apigee.
If the reason for high traffic is organic growth, contact Google Cloud Support with a request for quota limit increase.
Error codes
The following table lists common error codes and messages that return when configuring and using IAP.
Error code or message | Description | Troubleshooting |
---|---|---|
Error code 7 | Your OAuth client ID or secret values are empty. | Verify that your client ID and secret are correctly configured for your app by viewing the Credentials page. If your client ID and secret appear to be configured correctly, use the GET method to see the current state and PATCH method to reset the client ID and secret: • Compute Engine API: GET , PATCH • App Engine API: GET , PATCH |
Error code 9 | An OAuth redirect didn't complete. | This is an internal error and has been logged for review. |
Error code 9 (With path rewrite rules) | An OAuth redirect didn't complete. | Google Cloud Load Balancer path rewrite rules interferes with IAP's ability to successfully complete an OAuth flow. If you host multiple backends behind Google Cloud load balancer and use path rewrite rules, ensure that both the backends are using the same OAuth client IDs for IAP. You can change an OAuth client ID for a backend service by using the gcloud compute backend-services update command. |
Error code 11 | Your OAuth client ID is incorrectly configured. | Verify that your client ID and secret are correctly configured for your app by viewing the Credentials page. If your client ID and secret appear to be configured correctly, use the GET method to see the current state and PATCH method to reset the client ID and secret: • Compute Engine API: GET , PATCH • App Engine API: GET , PATCH |
Error code 13 | Your OpenID Connect (OIDC) token is invalid. | Ensure that the client ID configured for IAP isn't deleted by viewing the Credentials page. |
Error code 51 | Your browser does not support connection pooling. | A current, up to date browser can handle connection pooling errors. Ensure that end users are using a current and up to date browser. For more information, see Restrict resource access to specific domains. |
Error code 52 | The host name provided does not match the SSL certificate on the server. | The system administrator might need to update the SSL certificate. For more information see, Restrict resource access to specific domains. |
Error code 53 | The host name doesn't match the domains that are allowed by the IAP administrator. | The administrator must update the list of allowed domains to include your host name. For more information see, Restrict resource access to specific domains. |
Error code 429 | Your project exceeds the per-minute threshold for requests. | IAP projects are limited to a maximum of 360,000 requests per minute. If you encounter this error, reduce the volume of requests for your project. You can contact Google Cloud Support if you have additional questions. |
Error code 700, 701 | Your workforce pool configured has no provider (700) or more than one provider (701). | IAP requires exactly one provider in a workforce pool for using Workforce Identity Federation. See Limitations when working with workforce pools. |
Error code 705 | Your OAuth client ID for using IAP with Workforce Identity Federation is empty. | Verify that the Create an OAuth client ID and secret and Update the IAP settings steps are followed. |
Error code 708 | Your workforce pool either doesn't exist or the name is not in the correct format. | Ensure that your workforce pool exists and the name is in the following format: locations/global/workforcePools/WORKFORCE_POOL_ID . |
Error code 4003 | This might mean the instance isn't listening on the port you're trying to connect to or the firewall is closed. Either of those issues could also cause the start-up connectivity test to the VM instance to fail. | Ensure that the listening process on the VM is running and listening on the correct port. Also, verify that your Google Cloud firewall is configured correctly and open on the port you're connecting to. |
Error code 4010 | A connection was established but closed by the destination instance. This usually indicates an issue on the instance or the program listening on the destination port. | Reset the instance. If you are using SSH to connect, check the auth.log log for unexpected errors. The default location for the log file is /var/log/ . If you can't access the logs using SSH, try using the serial console or detaching and reattaching the disk to a new VM to view the logs. Attach the logs when contacting customer support. |
Error code 4033 | Either you don't have permission to access the instance, the instance doesn't exist, or the instance is stopped. | Ensure that you have the IAP-secured Tunnel User IAM role applied on the resource you're connecting to by viewing the Identity-Aware Proxy page. |
Error code 4047 | Either the instance doesn't exist, or the instance is stopped. | Ensure that the VM is powered on and has completed its startup. |
If you're unable to resolve your issue, or you don't see your error listed on
this page, then contact Cloud Customer Care. Provide the description of the error
and the response you get from a GET
call to the API. Ensure that you remove
your client secret from the response.