GoogleCloudPlatform / iap-gcip-web-toolkit

Apache License 2.0

How to run authui-container in GKE #209

Open naresh-naga opened 1 year ago

naresh-naga commented 1 year ago

We use IAP with an external IDP and want to propagate the IDP token so that a legacy application can make use of it. When we reached out to Google about this, we got a response stating that we could host our own login app and, in processUser, get the IDP token and store it in the browser. To do that I thought of making changes to authui-container and hosting that in GKE. So is it possible for authui-container to be deployed to GKE? If so, please point me to the doc.

rking-bennie commented 1 year ago

I have the exact same problem

prameshj commented 1 year ago

You could try using the https://github.com/GoogleCloudPlatform/iap-gcip-web-toolkit/blob/master/authui-container/deploy-container.sh script to push an image to container registry and use that image in your GKE pod yaml.

naresh-naga commented 1 year ago

@prameshj thanks for the direction. I published the Docker image to GCR and deployed it to GKE, but I'm getting the below error on start of the pod.

Server started with version 1.0.0
/usr/src/app/dist/server/utils/http-server-request-handler.js:129
            error = new Error((jsonResponse &&
                    ^

Error: The caller does not have permission
    at AuthenticatedRequestHandler.getError (/usr/src/app/dist/server/utils/http-server-request-handler.js:129:21)
    at /usr/src/app/dist/server/utils/http-server-request-handler.js:99:42 {
  cloudCompliant: true,
  rawResponse: {
    error: {
      code: 403,
      message: 'The caller does not have permission',
      status: 'PERMISSION_DENIED'
    }
  },
  statusCode: 403
}

Node.js v19.9.0

Our GKE cluster uses Workload Identity. The mapped service account has the roles below.

roles/identitytoolkit.viewer
roles/iap.settingsAdmin
roles/compute.networkViewer

Are there any additional permissions needed other than those listed above?

prameshj commented 1 year ago

You likely need roles/storage.admin since the authui-container tries to read cloud storage buckets for saved state.

naresh-naga commented 1 year ago

@prameshj I was able to successfully deploy authui-container in GKE. In addition to the roles mentioned above, we also need roles/compute.viewer. I am not sure how to override the processUser method so that I can implement code to save the IDP token to the browser. Please provide an example of how to implement the processUser handler with authui-container.

naresh-naga commented 1 year ago

FYI, with the GKE-hosted authui-container I can successfully log in with IAP -> IDP -> end app.
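The processUser question above is left unanswered in the thread. The following is an added example, not code from iap-gcip-web-toolkit or from authui-container: a standalone gcip-iap AuthenticationHandler (the "host your own login app" route Google suggested) that captures the provider's token from the sign-in credential and writes it to browser storage from processUser. It assumes the Firebase compat API that gcip-iap's own handlers use (firebase.initializeApp, firebase.auth.OAuthProvider, auth.signInWithPopup), an OIDC provider id "oidc.legacy-idp", and a Web Storage object such as window.sessionStorage; the handler name, the storage key "idpToken" and the MemoryStorage stand-in are this example's own.

```javascript
// Added example (not from iap-gcip-web-toolkit): a gcip-iap AuthenticationHandler
// that captures the IdP token returned at sign-in and stores it in processUser.
// Assumptions: Firebase compat API (firebase.initializeApp, firebase.auth.OAuthProvider,
// auth.signInWithPopup), provider id "oidc.legacy-idp", a Web Storage object.

const IDP_TOKEN_KEY = 'idpToken'; // storage key chosen for this example

// Pull the provider's own token out of a Firebase UserCredential.
// OAuth/OIDC credentials expose idToken and/or accessToken; a SAML
// credential exposes neither, so the function returns null for it.
function extractIdpToken(userCredential) {
  const cred = userCredential && userCredential.credential;
  if (!cred) return null;
  if (cred.idToken) return { providerId: cred.providerId, kind: 'id_token', token: cred.idToken };
  if (cred.accessToken) return { providerId: cred.providerId, kind: 'access_token', token: cred.accessToken };
  return null;
}

class TokenCapturingHandler {
  // createProvider is injectable so the class can be exercised without the
  // firebase global; the default builds the real OAuthProvider.
  constructor({ providerId, storage, createProvider }) {
    this.providerId = providerId;
    this.storage = storage;
    this.createProvider = createProvider || ((id) => new firebase.auth.OAuthProvider(id));
    this.captured = null;
  }

  // gcip-iap calls this with the API key and tenant (null for project-level auth).
  getAuth(apiKey, tenantId) {
    const appName = tenantId || '[DEFAULT]';
    let app;
    try {
      app = firebase.app(appName);
    } catch (e) {
      app = firebase.initializeApp({ apiKey }, appName);
    }
    const auth = app.auth();
    auth.tenantId = tenantId;
    return auth;
  }

  // Record the credential from a completed sign-in; kept separate from
  // startSignIn so the capture logic can run without a popup.
  recordSignIn(userCredential) {
    this.captured = extractIdpToken(userCredential);
    return userCredential;
  }

  async startSignIn(auth) {
    const result = await auth.signInWithPopup(this.createProvider(this.providerId));
    return this.recordSignIn(result);
  }

  // gcip-iap calls processUser after sign-in and before redirecting back to IAP;
  // this is the hook the thread asks about. The write is synchronous, and a
  // sign-in that yielded no token clears any value left by an earlier one.
  processUser(user) {
    if (this.captured) {
      this.storage.setItem(IDP_TOKEN_KEY, JSON.stringify(this.captured));
    } else {
      this.storage.removeItem(IDP_TOKEN_KEY);
    }
    return Promise.resolve(user);
  }

  completeSignOut() {
    this.captured = null;
    this.storage.removeItem(IDP_TOKEN_KEY);
    return Promise.resolve();
  }
}

// In-memory stand-in for window.sessionStorage so the handler can run outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Wiring on the sign-in page (browser only):
//   const handler = new TokenCapturingHandler({ providerId: 'oidc.legacy-idp', storage: window.sessionStorage });
//   new ciap.Authentication(handler).start();
```

Two caveats before using this in production. Web Storage is scoped to the origin of the sign-in page, so an application served from a different origin cannot read what processUser stored; the token has to reach it some other way (for example by having the sign-in page call an endpoint you control). Anything in sessionStorage or localStorage is also readable by any script running on that origin, so keep the sign-in page free of third-party scripts and prefer sessionStorage, which is dropped when the tab closes. For SAML providers the credential carries no raw assertion; the attributes Identity Platform copied from the IdP are available instead in the Firebase ID token's claims under firebase.sign_in_attributes, via user.getIdTokenResult().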