
GCP: Why can't my Backend Bucket find my public files?


Short Version: I have configured a backend bucket on my load balancer and mapped it to /__/auth/, that bucket contains a publicly accessible file named handler, but when I hit /__/auth/handler I get an error XML with The specified key does not exist.

UPDATE: I think this issue is probably caused by this other issue: GCP load balancer url re-writing and backend-mapping not happening the way I'd expect

Long Version

In GCP I am trying to publicly host some files on my domain using a backend bucket as one of the backends for my classic application load balancer. Specifically, I'm trying to host some of Firebase's auth files on my domain so that I can use them for a same-origin OAuth redirect per Google's recommended option 4 here. (Google's sample server implementation just statically serves these, so I figure I can get away with letting a storage bucket do that for me for now.)

Bucket Backend: I have configured a bucket backend, with this "equivalent code"

PUT https://compute.googleapis.com/compute/v1/projects/<My Project>/global/backendBuckets/<My Backend Bucket Name>
{
  "bucketName": "<My Bucket Name>",
  "cdnPolicy": {
    "cacheMode": "CACHE_ALL_STATIC",
    "clientTtl": 3600,
    "defaultTtl": 3600,
    "maxTtl": 86400,
    "negativeCaching": false,
    "requestCoalescing": true,
    "serveWhileStale": 0
  },
  "compressionMode": "DISABLED",
  "description": "Per option 3 here: \nhttps://cloud.google.com/identity-platform/docs/web/redirect-best-practices",
  "enableCdn": true,
  "name": "<My Backend Bucket Name>",
  "usedBy": [
    {
      "reference": "https://www.googleapis.com/compute/beta/projects/<My Project>/global/urlMaps/<My URL MAP>"
    }
  ]
}

Url Map: I have configured a mapping to the bucket backend on my load balancer:

pathMatchers:
- defaultService: https://www.googleapis.com/compute/v1/projects/<My Project>/global/backendServices/<My Main Backend>
  name: path-matcher-1
  pathRules:
  - paths:
    - /__/auth/*
    service: https://www.googleapis.com/compute/v1/projects/<My Project>/global/backendBuckets/<My Bucket Backend Name>

Permissions: I have also granted the principal allUsers the Storage Object Viewer role on the bucket, and the cloud console UI shows the "Public to internet" warnings.

My bucket has Permissions/Access control set to Uniform, so allUsers should be granted that role on the objects in the bucket as well.

Objects: One of the objects in the bucket is named handler. It has type application/octet-stream and under "Public Access" also shows the "Public to internet" warning. Its gs link is gs://<Bucket Name>/handler

Problem: The problem is that when I try any of these urls __/auth/handler, __/auth/<Bucket Name>/handler, and a few other variations, I get back the same error XML:

<Error>
     <Code>NoSuchKey</Code>
     <Message>The specified key does not exist.</Message>
</Error>

Clearly my Bucket Backend is being hit, since this is a cloud storage error and I can see in my load balancer's monitoring page that traffic is being routed to the backend bucket.

Questions


Solution

  • It turns out the path was completely getting stripped away. I discovered that and then posted this question. Ultimately ChatGPT gave me an alternate configuration that prevented this. I posted that code here.
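
The lookup from the question, modeled as an added example (not code from the original post or from Google). It assumes the documented behaviour that a backend bucket requests the object named by the URL path without its leading slash, and that urlRewrite.pathPrefixRewrite replaces the matched prefix; the function names and the sample bucket listing are constructed.

```python
"""Model of request path -> Cloud Storage object name for a backend bucket.

Assumptions (documented load balancer behaviour, not taken from the post):
  * a backend bucket looks up the object named by the request path with the
    leading "/" removed; a URL map path rule alone does not strip the prefix
  * urlRewrite.pathPrefixRewrite, when set, replaces the matched prefix
"""
from typing import Optional, Set, Tuple


def matched_prefix(rule: str, path: str) -> Optional[str]:
    """Return the part of `path` matched by a pathRules entry, or None."""
    if rule.endswith("/*"):
        prefix = rule[:-1]                      # "/__/auth/*" -> "/__/auth/"
        return prefix if path.startswith(prefix) else None
    return rule if path == rule else None       # exact-match rule


def object_name(rule: str, path: str, rewrite: Optional[str] = None) -> Optional[str]:
    """Object name the bucket is asked for, or None if the rule does not match."""
    prefix = matched_prefix(rule, path)
    if prefix is None:
        return None
    if rewrite is not None:                     # swap matched prefix for rewrite
        path = rewrite + path[len(prefix):]
    return path[1:] if path.startswith("/") else path


def diagnose(rule: str, path: str, bucket_objects: Set[str],
             rewrite: Optional[str] = None) -> Tuple[Optional[str], bool]:
    """Return (object name requested, whether the bucket holds it)."""
    name = object_name(rule, path, rewrite)
    return name, name in bucket_objects


# Constructed sample: the path rule and the single object from the question.
RULE = "/__/auth/*"
BUCKET = {"handler"}

if __name__ == "__main__":
    for rewrite in (None, "/"):
        name, found = diagnose(RULE, "/__/auth/handler", BUCKET, rewrite)
        status = "found" if found else "NoSuchKey"
        print(f"pathPrefixRewrite={rewrite!r}: asks for {name!r} -> {status}")
```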