After configuring IAP for Cloud Run, login works, but after that I get a 403 HTTP status saying:
The request was not authenticated. Either allow unauthenticated invocations or set the proper Authorization header. Read more at https://cloud.google.com/run/docs/securing/authenticating Additional troubleshooting documentation can be found at: https://cloud.google.com/run/docs/troubleshooting#unauthorized-client
Following the documentation links and for my needs, I ended up in this documentation: https://cloud.google.com/iap/docs/enabling-cloud-run#turning_on
All the steps are done except the last one, which suggests adding the Cloud Run Invoker role to the IAP service account, but the problem is that the SA doesn't exist in my project's IAM. And I don't have enough roles to create that identity with this command:
gcloud beta services identity create --project PROJECT_ID --service iap
Any suggestions?
The SA for IAP is present by default but it doesn't show up until you grant it at least one role, so using the gcloud CLI was the solution.
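As an added example (not part of the question or answer above), here is the grant done as an idempotent edit of the service's IAM policy, so it can be reviewed before it is applied and re-run safely. It assumes the IAP service agent address `service-PROJECT_NUMBER@gcp-sa-iap.iam.gserviceaccount.com` used by the IAP docs, a placeholder project number, and the `gcloud run services get-iam-policy` / `set-iam-policy` commands; the agent can be bound even while it is not yet listed in the IAM console.

```python
"""Grant roles/run.invoker on a Cloud Run service to the IAP service agent by
editing the JSON policy that `gcloud run services get-iam-policy --format=json`
returns. Pure functions are testable offline; only main() talks to gcloud."""
import copy
import json
import subprocess
import sys
import tempfile

# Address format of the IAP service agent (project *number*, not project ID).
IAP_AGENT_FMT = "serviceAccount:service-{num}@gcp-sa-iap.iam.gserviceaccount.com"
RUN_INVOKER = "roles/run.invoker"


def iap_service_agent(project_number: str) -> str:
    """IAM member string for the project's IAP service agent."""
    return IAP_AGENT_FMT.format(num=project_number)


def has_iap_invoker(policy: dict, project_number: str) -> bool:
    """True when the IAP agent already holds roles/run.invoker in this policy."""
    member = iap_service_agent(project_number)
    return any(b.get("role") == RUN_INVOKER and member in b.get("members", [])
               for b in policy.get("bindings", []))


def grant_iap_invoker(policy: dict, project_number: str) -> dict:
    """Return a copy of `policy` with the IAP agent added to roles/run.invoker.
    Other bindings and existing invokers are kept; repeated calls are no-ops."""
    new = copy.deepcopy(policy)
    member = iap_service_agent(project_number)
    for binding in new.setdefault("bindings", []):
        if binding.get("role") == RUN_INVOKER:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": RUN_INVOKER, "members": [member]})
    return new


# Constructed sample: a service that currently allows no invokers at all.
SAMPLE_POLICY = {"bindings": [], "etag": "BwExampleEtag="}

if __name__ == "__main__":
    # Usage: python grant_iap.py SERVICE REGION PROJECT_NUMBER (needs gcloud and
    # permission to set the service's IAM policy; hypothetical script name).
    service, region, project_number = sys.argv[1:4]
    out = subprocess.check_output(["gcloud", "run", "services", "get-iam-policy",
                                   service, "--region", region, "--format=json"])
    updated = grant_iap_invoker(json.loads(out), project_number)  # keeps etag
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(updated, f)
    subprocess.check_call(["gcloud", "run", "services", "set-iam-policy",
                           service, f.name, "--region", region])
```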