GoogleCloudPlatform / jit-access

Just-In-Time Access is a self-service web application that lets you manage just-in-time privileged access to Google Cloud projects. JIT Access runs on App Engine and Cloud Run.
Apache License 2.0
234 stars, 46 forks

IAP assertion error when using a RXLB #357

Open ericmalen opened 3 months ago

ericmalen commented 3 months ago

I'm deploying the jit-access app with IaC, leveraging KCC and Config Sync for an automated CI/CD pipeline. I have the app up and running with no issues using a GXLB, but when I try switching to an RXLB, I get an IAP assertion error when I try to access the app.

After a bit of digging around I found this statement in the network endpoint groups overview documentation which I thought explained why I was getting the error:

“IAP isn't compatible with Cloud CDN. IAP is not supported with regional external Application Load Balancers and proxy Network Load Balancers (internal and external).”

However, a Google SME has confirmed that this is incorrect, and the documents will be updated to remove this misinformation.

That being said, I am not sure how to proceed in finding the cause of this error; I'm not finding much information on IAP use with RXLBs.

My first instinct is that this has something to do with the RXLB utilizing a proxy-only subnet, as this is the only clear distinction between the GXLB and the RXLB that I am aware of.

Would you know what is causing this error to be produced? If not, any tips on debugging this? We're eager and excited to get the app deployed for production use in our org and this is the last blocker before we can do so.

Additional context:

Any help on this issue would be greatly appreciated, thank you in advance!

jpassing commented 3 months ago

According to this document, IAP is only supported for ALBs in global and classic mode, and I couldn't find anything that would indicate that this isn't correct anymore.

Would it be possible to switch to a classic or global ALB?