Hitting an error when trying to access resource protected by IAP [265184232]

Fixed

Bug

Status Update

No update yet.

Description

oc...@karma.plus

created issue #1

Jan 12, 2023 07:40AM

Problem you have encountered:
When trying to access a resource with IAP we are getting the following error: "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

What you expected to happen:
Access via IAP.

Steps to reproduce:
Visit an admin panel by URL. Encounter error message.

Other information (workarounds you have tried, documentation consulted, etc):
Checked status tracker and open issues. No current information found. All other resources in our project seem to be unaffected. It's possible this is not related to IAP, but we only encounter the issue when accessing a resource protected by IAP. While trying to troubleshoot we found this incident report from 2017:

https://status.cloud.google.com/incident/bigquery/18026

Is anyone else having issues accessing IAP resources at this time? Or does anyone have some guidance around what might be causing this?

Comments

ka...@google.com <ka...@google.com> #2Jan 12, 2023 10:59AM

Assigned to gc...@google.com.

Thank you for the report, and sorry for any inconvenience. While reproducing the issue, one workaround I found is: -keeppackagenames com.example.customview.extra** (i.e., double asterisks, instead of single).

https://www.guardsquare.com/en/products/proguard/manual/usage#filters

R8 currently regards <package_filter> in that directive as <class_filter>. That's why single asterisk---a class name not containing the package separator---doesn't work for now, whereas double asterisks---matches a class name, possibly containing any number of package separators---works. The caveat is, use of, e.g., extra**, will keep all the sub packages as well. :( We'll prepare the fix soon.

jo...@exakthealth.com <jo...@exakthealth.com> #3Jan 12, 2023 12:32PM

Project: r8
Branch: master

commit a9a9e7d1231726094c6e16c2cef1bad887da3bba
Author: Jinseong Jeon <jsjeon@google.com>
Date: Tue Apr 09 11:49:28 2019

Reproduce

b/130135768

: keeppackagenames with asterisks

Bug: 130135768
Change-Id: I5ab1cdb5148a570a63bdd488358759bb33da700a

M src/test/java/com/android/tools/r8/TestShrinkerBuilder.java
A src/test/java/com/android/tools/r8/naming/KeepPackageNamesTest.java
A src/test/java/com/android/tools/r8/naming/keeppackagenames/Top.java
A src/test/java/com/android/tools/r8/naming/keeppackagenames/sub/SubClass.java

https://r8-review.googlesource.com/36860

ab...@jaxl.com <ab...@jaxl.com> #4Jan 12, 2023 02:52PM

Project: r8
Branch: master

commit 391e2992aee375adf46edbb5e7b098556c8604ed
Author: Søren Gjesse <sgjesse@google.com>
Date: Fri Apr 12 11:05:43 2019

New implementation of -keeppackagenames

This implementation collects the list of package names given for
-keeppackagenames and matches against that in the minifier.

The previous implementation created class matching rules to piggybag
on the existing matching.

Bug: 130135768
Change-Id: I5a341e145747a5dec8788a066a0c67d4e259ec77

M src/main/java/com/android/tools/r8/graph/DexType.java
M src/main/java/com/android/tools/r8/naming/ClassNameMinifier.java
M src/main/java/com/android/tools/r8/shaking/ProguardConfiguration.java
M src/main/java/com/android/tools/r8/shaking/ProguardConfigurationParser.java
D src/main/java/com/android/tools/r8/shaking/ProguardKeepPackageNamesRule.java
A src/main/java/com/android/tools/r8/shaking/ProguardPackageMatcher.java
A src/main/java/com/android/tools/r8/shaking/ProguardPackageNameList.java
M src/main/java/com/android/tools/r8/shaking/RootSetBuilder.java
M src/test/java/com/android/tools/r8/naming/KeepPackageNamesTest.java
M src/test/java/com/android/tools/r8/shaking/ProguardConfigurationParserTest.java
A src/test/java/com/android/tools/r8/shaking/ProguardPackageNameMatcherTest.java

https://r8-review.googlesource.com/36944

[Deleted User] <[Deleted User]> #5Jan 12, 2023 02:54PM

Project: r8
Branch: d8-1.4

commit b6ca9ee953e43aa029411bb4db030e4694180063
Author: Christoffer Quist Adamsen <christofferqa@google.com>
Date: Fri Apr 12 12:51:40 2019

Version 1.4.86

Cherry pick: New implementation of -keeppackagenames
CL:

https://r8-review.googlesource.com/c/r8/+/36944

Cherry pick: Reproduce

b/130135768

: keeppackagenames with asterisks
CL:

https://r8-review.googlesource.com/c/r8/+/36860

Bug: 130135768
Change-Id: I8a340afe4811ec3f8826956c99b94346f4c2c8b4

M src/main/java/com/android/tools/r8/Version.java
M src/main/java/com/android/tools/r8/graph/DexType.java
M src/main/java/com/android/tools/r8/naming/ClassNameMinifier.java
M src/main/java/com/android/tools/r8/shaking/ProguardConfiguration.java
M src/main/java/com/android/tools/r8/shaking/ProguardConfigurationParser.java
D src/main/java/com/android/tools/r8/shaking/ProguardKeepPackageNamesRule.java
A src/main/java/com/android/tools/r8/shaking/ProguardPackageMatcher.java
A src/main/java/com/android/tools/r8/shaking/ProguardPackageNameList.java
M src/main/java/com/android/tools/r8/shaking/RootSetBuilder.java
M src/test/java/com/android/tools/r8/TestShrinkerBuilder.java
A src/test/java/com/android/tools/r8/naming/KeepPackageNamesTest.java
A src/test/java/com/android/tools/r8/naming/keeppackagenames/Top.java
A src/test/java/com/android/tools/r8/naming/keeppackagenames/sub/SubClass.java
M src/test/java/com/android/tools/r8/shaking/ProguardConfigurationParserTest.java
A src/test/java/com/android/tools/r8/shaking/ProguardPackageNameMatcherTest.java

https://r8-review.googlesource.com/36959

[Deleted User] <[Deleted User]> #6Jan 12, 2023 02:59PM

My team first noticed this issue at 7:15pm EST yesterday, January 11th.
Our internal tools are unavailable as a result. Disabling IAP is not an option.

Please expedite this ticket.

ma...@funkemedien.de <ma...@funkemedien.de> #7Jan 12, 2023 03:52PM

Hello,
we noticed this issue at 1:23 pm today January 12th. We have the same problem. Disabeling IAP is not an option.

Please priorize this ticket.

da...@ovative.com <da...@ovative.com> #8Jan 12, 2023 07:30PM

Same issue, this is causing major issues for our production applications as nobody is able to access them.

to...@google.com <to...@google.com> #9Jan 12, 2023 08:10PM

Hi Everyone,

IAP for Cloud Run is a preview feature which is subject to breakage at any time and is not suited for production. The product team is aware of the breakage as it pertains to modes of GCLB that leverage Envoy proxy and a fix is in progress.

As for workarounds: customers can switch Global external HTTP(S) load balancer (classic) which during internal testing has proven to not be broken.

A couple things to keep in mind when using the above workaround. IAM members responsible for the request must have the Cloud Run Invoker & IAP-secured Web App User roles. Note that enabling of IAP and providing new roles to IAM members may take a few minutes to propagate, so ensure you wait the needed time before testing. Additionally, when making a request via a service account please make sure the audience is set to the Client ID value associated with your IAP (of the form PROJECT_NUMBER-RANDOMHASH.apps.googleusercontent.com). This client can be found by going to the IAP Cloud Console page clicking on the ..., then selecting "Go to OAuth configuration".

Message last modified on Jan 12, 2023 08:44PM

oc...@karma.plus <oc...@karma.plus> #10Jan 13, 2023 12:39AM

Few questions:

1) Can you please advise on a rough timeline for the fix, based on best current estimates?
2) Why does

status.cloud.google.com continue to show IAP has no issues? It would be very helpful if there was better notice of issues like this.
3) Preview disclaimer aside, given how widespread the impact for IAP users, is this being appropriately triaged with priority? The ticket still lists P2/S2.
4) Does the classic lb support gRPC without issue?

Thanks in advance.

[Deleted User] <[Deleted User]> #11Jan 13, 2023 08:48AM

Hi. Just to report that the issue affects also Classic Cloud Load balancer
In a situation where:
- There is a Classic Load Balancer with IAP enabled
- Pointing to a serverless backend Internal and Load Balancer only accessible CLoud Run (Allowing Unauthorized) containing a NGINX proxy server serving static content and proxying requests
- Which rewrites the request to another Cloud RUN Publicly available allowing unauthorized requests

The requests proxied to the last cloud run are being blocked.
Accessing directly the NGINx Cloud RUN URL OR using the load balancer as is without IAP, everything works properly.

Thanks

[Deleted User] <[Deleted User]> #12Jan 13, 2023 12:27PM

For those with an NGINX proxy issue, a workaround is to remove the JWT token header that causes to Block requests to Cloud RUN

location /api/ {
   proxy_set_header        X-Goog-Iap-Jwt-Assertion "";

   # proxy to the public cloud run instance
   proxy_pass https://myCloudRun-123456basd-ew.a.run.app/;
}

Hope that helps someone else

ma...@ml6.eu <ma...@ml6.eu> #13Jan 13, 2023 12:52PM

Thanks an...@ef.uk.com, it did help someone :)

I'm not working with Nginx, but I also removed the X-Goog-Iap-Jwt-Assertion header before proxying any requests to cloud run.
That fixes the error.

So in conclusion, the reverse-proxy will mindlessly forward the X-Goog-Iap headers. That causes underlying systems to behave incorrectly.

[Deleted User] <[Deleted User]> #14Jan 13, 2023 01:28PM

I am glad ma...@ml6.eu :)

the IAP headers are important if you need to authenticate them in the backend https://cloud.google.com/iap/docs/signed-headers-howto#:~:text=The%20JWT%20is%20in%20the,in%20case%20someone%20bypasses%20IAP.

it looks like the problem is that Cloud RUN internal load balancer tries to do "some validations" with that JWT token by default and it fails if something is proxying the original IAP request. If the token is missing then it doesn't validate and, therefore, block

jp...@mirandabosch.com <jp...@mirandabosch.com> #15Jan 13, 2023 05:23PM

We are affected with the same issue, our users can't loggedin to our application. Please raise the priority to resolve this issue.

[Deleted User] <[Deleted User]> #16Jan 13, 2023 07:27PM

lol so IAP for all of Cloud Run is broken, yet the status page says ALL GREEN ... and this issue is categorized P2 S2.

Cool.

to...@google.com <to...@google.com> #17Jan 13, 2023 07:34PM

An update: IAP for Cloud Run on GCLB Envoy and GCLB classic are now working.

The only remaining issue is that forwarding requests without stripping the x-goog-iap-jwt-assertion header will lead to a 403. Until a proper fix is released, we recommend customers to strip this header before forwarding requests.

Sorry for the inconvenience (IAP for Cloud Run is a Preview feature)

fi...@gmail.com <fi...@gmail.com> #18Jan 13, 2023 08:32PM

For those with an NGINX proxy issue, a workaround is to remove the JWT token header that causes to Block requests to Cloud RUN

Dropping the header with proxy_set_header fixed things for me #12, thank you! Good luck luck team!

[Deleted User] <[Deleted User]> #19Jan 18, 2023 01:34PM

For those using a reverse proxy to reach Cloud Run services with `Require authentication` enabled:
we solved the issue by carrying out these actions on each request to a Cloud Run service:
- removing the `x-goog-iap-jwt-assertion` header
- fetching an ID token (of the service account that handles the reverse proxy) with the target Cloud Run's URL as audience
- passing a new `Authorization` header with as value `Bearer ${IdToken}`
Thanks an...@ef.uk.com for initial tip!

ni...@google.com <ni...@google.com> #20Jan 23, 2023 05:30PM

Response SLO ping

ma...@quickplay.com <ma...@quickplay.com> #21Jan 23, 2023 05:58PM

when can we expect an update on this issue?

Message last modified on Jan 23, 2023 05:59PM

to...@google.com <to...@google.com> #22Jan 23, 2023 08:47PM

Marked as fixed.

Traffic with the x-goog-iap-jwt-assertion header will no longer lead to a 403. We expect customers who are forwarding the header to stop receiving 403s.

Thanks all for your patience as we worked to resolve this issue.

[Deleted User] <[Deleted User]> #23Jan 24, 2023 10:08AM

#22 Trying that and forwarding all headers, I can see that the cloud run now doesn't receive the x-goog-iap-jwt-assertion header. Is it being removed automatically now? If so, is there a way to validate the secure the IAP Backend as described here ?

Thanks

to...@google.com <to...@google.com> #24Jan 26, 2023 10:06PM

Are you using an Envoy based GCLB? If so, the x-goog-iap-jwt-assertion header being stripped has been and continues to be a known issue documented in https://cloud.google.com/iap/docs/enabling-cloud-run#known_limitations

[Deleted User] <[Deleted User]> #25Jan 27, 2023 09:33AM

we are using a classic load balancer sending IAP request to Cloud. The scenario is the following:

we used to see the token forwarded by nginx to Cloud Run as header in the Cloud Run request before the issue and validated as documented here
we modify our proxy to strip the header because of the issue
after the issue has been fixed we removed the stripping of the header as it was originally
x-goog-iap-jwt-assertion Header still not coming to the final cloud run

hope that helps Thanks

to...@google.com <to...@google.com> #26Mar 2, 2023 02:07AM

I have set up a test project that routes a request through a classic GCLB with IAP enabled and a Cloud Run backend and I was able to see the x-goog-iap-jwt-assertion reaching my Cloud Run application.

I suggest looking into your application to see if there may be somewhere else you are stripping this header. If you still have trouble I encourage you to open a GCP support case via the Cloud Console.