
Using Google IAP through custom domain on App Engine


Enabling a custom domain on an App Engine service is now a breeze, and so is enabling IAP (Google Identity-Aware Proxy) 👌 But I can't figure out how to get IAP and my custom domain to work together!

  1. both https://myservice-dot-myapplication.appspot.com and https://myservice.mydomain.com are triggering the IAP consent screen, where I can log in with an appropriate user (as configured in IAP Role/Member)
  2. https://myservice-dot-myapplication.appspot.com will let me see my app after login
  3. https://myservice.mydomain.com will consistently deny me access with the "You don't have access" message, just as if I logged in with a Gmail account that is not authorized by the IAP configuration

If I disable IAP, I can go through both domains (without authentication of course, which is not desired) and confirm that the custom domain is indeed working with an appropriate and auto-generated certificate. It feels like I missed an option in IAP to configure an alias domain or something like that, but I can't find that option.

What did I miss? Or is it simply not possible to get IAP to work with a custom domain at the moment? Thanks for your help! ❤️

NB: The Domain Names Have Been Changed to Protect the Innocent.


Solution

  • If you are using automatic certificate management, it's likely that https://myservice.mydomain.com isn't actually routing to the service you expect.

    Custom domain mappings always route to the default service by default. A wildcard domain can automatically route to other versions or services when they match the "*" part of the mapping (see https://cloud.google.com/appengine/docs/standard/nodejs/mapping-custom-domains#wildcard_mappings). Unfortunately, automatic certificate management is not yet supported for wildcard domains.

    As long as you don't have too many services to route to, there is a way to use managed certificates and still route to multiple services:
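An added example, not part of the answer above: a `dispatch.yaml` that sends each custom-domain hostname to a named service instead of the default service that a plain domain mapping hits, so the IAP policy of the intended service is the one evaluated. `myservice` and `mydomain.com` are the question's placeholders; `api` is an assumed second service.

```yaml
# dispatch.yaml (added example; hostnames and service names are placeholders)
# Deploy with: gcloud app deploy dispatch.yaml
# Verify the mapping exists with: gcloud app domain-mappings list
dispatch:
  # Without this rule, myservice.mydomain.com lands on the default service,
  # and IAP evaluates the default service's access policy for the request.
  - url: "myservice.mydomain.com/*"
    service: myservice

  # A second custom hostname routed to another (assumed) service.
  - url: "api.mydomain.com/*"
    service: api
```

Each hostname still needs its own (non-wildcard) domain mapping so that managed certificates work, and dispatch files are limited to 20 rules, which is the "not too many services" constraint the answer mentions.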