Open jal06 opened 3 years ago
Thanks for the detailed instructions @jal06!
I'm not 100% sure, but I guess the problem is after step 4.
I set IAP_CLIENT_ID (parameter --data audience) using the client I created when setting up OAuth for Cloud IAP before deploying Kubeflow as described here.
This is incorrect. You should create another OAuth client of desktop application type. The client you set up for Cloud IAP during the deployment process is meant to be used only by Kubeflow to verify incoming requests from IAP.
I think you can refer to documentation for connecting to Kubeflow Pipelines protected by IAP: https://www.kubeflow.org/docs/gke/pipelines/authentication-sdk/#connecting-to-kubeflow-pipelines-in-a-full-kubeflow-deployment.
It should be similar.
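An added diagnostic example for the client-ID question in this thread (not code from the Kubeflow or KFServing repositories): it decodes the ID token's payload without verifying the signature and reports whether the aud, email and exp claims match what the caller intended. The client IDs, the service-account name and the function names are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder values, not taken from the thread.
IAP_CLIENT = "111111-iap.apps.googleusercontent.com"
OTHER_CLIENT = "111111-other.apps.googleusercontent.com"
SA_EMAIL = "kfname-user@project-id.iam.gserviceaccount.com"


def decode_claims(id_token):
    """Return the JWT payload as a dict. No signature check: diagnosis only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(id_token, expected_audience, expected_email, now=None):
    """List mismatches between the token's claims and what the caller intended."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_audience!r}")
    if claims.get("email") != expected_email:
        problems.append(f"email is {claims.get('email')!r}, expected {expected_email!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Google token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    tok = make_sample_token({"aud": OTHER_CLIENT, "email": SA_EMAIL, "exp": 2000})
    for line in check_token(tok, IAP_CLIENT, SA_EMAIL, now=1000) or ["claims match"]:
        print(line)
```
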
This can likely be caused by https://github.com/kubeflow/gcp-blueprints/pull/177#issuecomment-756124781. I should try to figure out a solution to https://github.com/kubeflow/gcp-blueprints/issues/176 first, then come to this one.
This issue is a follow-up to issue https://github.com/kubeflow/kfserving/issues/1199 from KFServing. I deployed Kubeflow 1.1 on GCP, and also installed the istio local gateway as described in https://github.com/kubeflow/gcp-blueprints/pull/177.
I would like to use KFServing and followed the instructions from the sample gcp_iap described here
I successfully deployed the inference service sklearn-iap-no-authz.yaml and successfully sent a query to this inference service. Then, I successfully deployed the inference service sklearn-iap-with-authz.yaml. However, I get an error "Service account does not have permission to access the IAP-protected application" (error 403 raised in iap_request.py).
Before sending the request to the inferenceservice, I followed the documentation https://cloud.google.com/iap/docs/authentication-howto and it looks to be working regarding IAP auth. Below are the steps I did
Service account <kfname>-user@<project_id>.iam.gserviceaccount.com does not have permission to access the IAP-protected application. The service account I'd like to use is the sa which is automatically created when deploying Kubeflow, with a name like <kfname>-user@<project_id>.iam.gserviceaccount.com.
This service account has the roles "Editor", "IAP-secured Web App User" and "Viewer" for the resources described in the Cloud IAP page (resources kube-system/default-http-backend and istio-system/istio-ingressgateway).
I don't know what is wrong. Any help would be appreciated.
Below are some additional details:
In step 4 (getting the id_token), I set IAP_CLIENT_ID (parameter --data audience) using the client I created when setting up OAuth for Cloud IAP before deploying Kubeflow as described here. Please, could you confirm that this is the right client_id?
In step 5, when using the command curl --verbose --header 'Authorization: Bearer ID_TOKEN' URL, I received a return code 302.
In step 6, I set the environment as below in make-prediction.sh: