This document contains frequently asked questions about Identity-Aware Proxy (IAP).
What apps can I secure with IAP?
IAP can be used with the following:
- App Engine standard environment and App Engine flexible environment apps
- Compute Engine instances with HTTP(S) load balancing backend services
- Google Kubernetes Engine containers
- Cloud Run apps with HTTP(S) load balancing backend services
IAP cannot be used with Cloud CDN.
Why is there a # at the end of my URL after signing in to my app?
In some browsers and under certain conditions, a # may be appended to the URL after authentication. This is normal and won't cause issues when logging in.
Why are my requests failing and returning 405 Method Not Allowed?
This typically happens when cookies aren't attached to your requests. JavaScript methods don't attach cookies by default.
Different request methods require different approaches:
- For XMLHttpRequest, set withCredentials to true
- For the Fetch API, set credentials to include or same-origin
For handling session-related errors, see Managing IAP sessions.
Why am I receiving an HTTP 401 Unauthorized instead of a 302 Redirect?
IAP sends a 302 Redirect only when your client is configured to handle redirects. Add HTTP Accept="text/html,*/*" to your request headers to indicate support for redirects.
Why aren't POST requests triggering redirects?
Browsers don't redirect in response to POST requests. Instead, IAP returns a 401 Unauthorized status code.
For POST requests to IAP-secured resources, include either of the following:
- An ID token in an Authorization: Bearer header
- Valid cookies (see refreshing sessions)
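The three questions above (405 when cookies are missing, 401 instead of 302 when the Accept header is absent, and 401 on POST) all come down to how the request is built. The following example, which is not part of the IAP documentation or of Google's client libraries, shows a browser-side request built with credentials: include, the XMLHttpRequest equivalent with withCredentials, an optional ID token for programmatic POSTs, and a helper that maps the status IAP returns to one of the causes named above. The URL, the function names and the stubbed fetch are this example's own assumptions.

```javascript
// Added example (not part of the IAP documentation or Google's client
// libraries): building browser and programmatic requests to an IAP-secured
// resource, and diagnosing the 405/401 responses described above.
// The URL, function names and the stubbed fetch are this example's own
// assumptions.

const IAP_URL = "https://app.example.com/api/items"; // constructed placeholder

// Build the fetch() init. credentials: "include" attaches the IAP session
// cookie (fetch omits cookies by default); the Accept header tells IAP the
// client can follow a 302 to the sign-in page; an ID token makes the call
// programmatic, which is what a POST needs when no cookie is present.
function buildIapRequestInit(method, idToken, body) {
  const headers = { Accept: "text/html,*/*" };
  if (idToken) headers.Authorization = `Bearer ${idToken}`;
  if (body !== undefined) headers["Content-Type"] = "application/json";
  return {
    method,
    headers,
    credentials: "include", // "same-origin" also works when app and API share an origin
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// The equivalent for XMLHttpRequest: withCredentials must be true, or the
// request reaches IAP without the cookie. `xhr` is any XHR-like object.
function configureXhr(xhr, method, url) {
  xhr.open(method, url);
  xhr.withCredentials = true;
  xhr.setRequestHeader("Accept", "text/html,*/*");
  return xhr;
}

// Map the status IAP returned to a diagnosis the caller can act on.
function diagnoseIapResponse(status, method, hadIdToken) {
  if (status === 405) return "cookie-missing"; // credentials were not attached
  if (status === 401) {
    // Browsers do not follow redirects for POST, so IAP answers 401 unless
    // an ID token or a valid cookie is supplied.
    if (method === "POST" && !hadIdToken) return "post-needs-token-or-cookie";
    return "unauthenticated"; // no Accept header, expired session or bad token
  }
  if (status === 302) return "redirect-to-sign-in";
  return "ok";
}

// Thin wrapper; fetchImpl is injectable so the logic can run without a network.
async function iapFetch(url, { method = "GET", idToken, body, fetchImpl = fetch } = {}) {
  const res = await fetchImpl(url, buildIapRequestInit(method, idToken, body));
  return {
    status: res.status,
    diagnosis: diagnoseIapResponse(res.status, method, Boolean(idToken)),
  };
}

// Demo with a stubbed fetch (constructed; no network access).
const stubFetch = async (url, init) => ({
  status: init.method === "POST" && !init.headers.Authorization ? 401 : 200,
});
iapFetch(IAP_URL, { method: "POST", body: { name: "x" }, fetchImpl: stubFetch })
  .then((r) => console.log(r)); // { status: 401, diagnosis: 'post-needs-token-or-cookie' }
```

In a real page you would call iapFetch without fetchImpl so the browser's fetch is used; the diagnosis string is what you would surface to a retry or re-authentication path rather than to the end user.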
Can I use IAP if I have disabled the API?
Yes, resources secured by IAP remain accessible when the API is disabled, but you won't be able to modify IAM permissions.
How can I prevent users with the Owner role from using IAP for TCP?
Ideally, limit use of the Owner (roles/owner) role in favor of more granular permissions. See IAM best practices for guidance.
If that's not possible, you can block IAP for TCP using Firewall rules.
What domain does IAP for TCP use?
IAP uses the following Google-owned domains:
- tunnel.cloudproxy.app
- mtls.tunnel.cloudproxy.app (when certificate-based access is enabled)
Why am I receiving Server Error?
If you see:
The server encountered a temporary error and could not complete your request. Please try again in 30 seconds.
Your firewall may be blocking the load balancer IPs. Check that your firewall allows traffic from 130.211.0.0/22 and 35.191.0.0/16. If these IPs can't reach your backend, your applications will be inaccessible.
For IAP TCP connections to specific VMs, also ensure the VM accepts connections from the 35.235.240.0/20 range.
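When checking whether a firewall is dropping this traffic, the question is whether the denied source addresses fall inside the three ranges listed above. The following helper is an added example, not part of the IAP documentation: it implements an IPv4 CIDR membership test over those ranges and triages constructed denied-connection log lines. The log format and function names are this example's own assumptions.

```javascript
// Added example (not part of the IAP documentation): classify source
// addresses against the load balancer and IAP TCP ranges quoted above so
// firewall denies can be triaged. The log line format is constructed here.

const IAP_LB_RANGES = {
  "130.211.0.0/22": "HTTP(S) load balancer",
  "35.191.0.0/16": "HTTP(S) load balancer",
  "35.235.240.0/20": "IAP TCP forwarding",
};

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; reject anything else.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR block (network bits compared under the mask).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Label of the matching range, or null when the source is not a Google IAP/LB address.
function classifySource(ip) {
  for (const [cidr, label] of Object.entries(IAP_LB_RANGES)) {
    if (inCidr(ip, cidr)) return label;
  }
  return null;
}

// Triage denied-connection log lines of the constructed form "DENY src=IP dst_port=N".
// Returns only the entries whose source is one of the documented ranges, i.e.
// the denies that would make the app unreachable behind IAP.
function findBlockedIapTraffic(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = /src=(\d+\.\d+\.\d+\.\d+)\s+dst_port=(\d+)/.exec(line);
    if (!m) continue;
    const label = classifySource(m[1]);
    if (label) hits.push({ ip: m[1], port: Number(m[2]), label });
  }
  return hits;
}

// Constructed sample log (no real traffic).
const SAMPLE_DENIES = [
  "DENY src=130.211.1.5 dst_port=8080",
  "DENY src=198.51.100.7 dst_port=22",
  "DENY src=35.235.241.9 dst_port=22",
  "DENY src=35.235.239.1 dst_port=22",
];
console.log(findBlockedIapTraffic(SAMPLE_DENIES));
```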
Why am I receiving intermittent internal server errors?
Messages like An internal server error occurred while authorizing your request. Error code X indicate backend failures. Error codes 1, 30, 62, 63, 64, or 703 typically reflect transient issues. Implement exponential backoff for retries.
How can I address quota exceeded errors (Error code 429)?
Error code 429 occurs when your application exceeds IAP's request limits. The service enforces separate quotas:
- Browser-based requests: 360,000 per minute per project
- Programmatic requests: 360,000 per minute per project
A programmatic request is one that includes an AUTHORIZATION or PROXY-AUTHORIZATION header and no IAP cookie. All other requests (including those with no credentials) are considered browser requests.
These limits apply collectively to all IAP-protected resources in your project.
If you're experiencing quota-related errors, consider these solutions:
- Avoid load testing in production; use alternative network paths that bypass IAP
- For service-to-service traffic, implement exponential backoff to handle 429 errors gracefully
- Distribute high-traffic applications across multiple projects
- Use Apigee or similar API gateway solutions for API-based applications
- Contact Google Cloud Support for quota increases if organic growth is causing the issue
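Both the transient internal server errors (codes 1, 30, 62, 63, 64 and 703) and the 429 quota errors above call for retries with exponential backoff. The following retry policy is an added example, not part of the IAP documentation or of any Google client library: it extracts the "Error code N" value from an error body, retries only the transient codes and 429, spaces retries with capped exponential backoff plus full jitter, and fails fast on everything else (a 401 or 403 will not get better by retrying). The function names, the attempt limits and the constructed response bodies are this example's own assumptions.

```javascript
// Added example (not part of the IAP documentation or a Google client
// library): retry policy for callers of IAP-secured services. Retries 429
// and the transient "Error code N" values listed above with capped
// exponential backoff and full jitter; everything else fails immediately.

const TRANSIENT_IAP_ERROR_CODES = new Set([1, 30, 62, 63, 64, 703]);

// Pull "Error code N" out of an IAP error body; null if absent.
function parseIapErrorCode(body) {
  const m = /Error code (\d+)/.exec(body || "");
  return m ? Number(m[1]) : null;
}

// A response is retryable when it is a quota error or a 5xx carrying one of
// the transient codes. 401/403/405 mean the request itself must change.
function isRetryableIapResponse(status, body) {
  if (status === 429) return true;
  if (status >= 500) return TRANSIENT_IAP_ERROR_CODES.has(parseIapErrorCode(body));
  return false;
}

// Full-jitter backoff: a random delay in [0, min(capMs, baseMs * 2^attempt)].
// rng is injectable so the schedule can be tested deterministically.
function backoffDelayMs(attempt, { baseMs = 200, capMs = 10000, rng = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rng() * ceiling);
}

// Synchronous decision for one response: done, retry (with a delay) or fail.
function nextRetryAction(status, body, attempt, opts = {}) {
  const { maxAttempts = 5 } = opts;
  if (status < 400) return { action: "done" };
  if (!isRetryableIapResponse(status, body)) return { action: "fail", reason: "non-transient" };
  if (attempt + 1 >= maxAttempts) return { action: "fail", reason: "attempts-exhausted" };
  return { action: "retry", delayMs: backoffDelayMs(attempt, opts) };
}

// Async driver over the policy. doRequest() resolves to { status, body };
// sleep is injectable so tests do not have to wait.
async function requestWithBackoff(doRequest, opts = {}) {
  const sleep = opts.sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 0; ; attempt++) {
    const res = await doRequest();
    const next = nextRetryAction(res.status, res.body, attempt, opts);
    if (next.action === "done") return { ...res, attempts: attempt + 1 };
    if (next.action === "fail") {
      throw new Error(`IAP request failed (${next.reason}): HTTP ${res.status} ${res.body || ""}`.trim());
    }
    await sleep(next.delayMs);
  }
}

// Demo against a constructed backend that answers 429 twice, then 200.
const scripted = [
  { status: 429, body: "Quota exceeded. Error code 429" },
  { status: 500, body: "An internal server error occurred while authorizing your request. Error code 63" },
  { status: 200, body: "ok" },
];
requestWithBackoff(() => Promise.resolve(scripted.shift()), { sleep: async () => {}, rng: () => 0 })
  .then((r) => console.log(r)); // { status: 200, body: 'ok', attempts: 3 }
```

The policy is deliberately narrow: widening it to retry any 5xx would mask misconfiguration errors (for example an OAuth client problem) behind a wall of retries, and retrying 401/403 only consumes quota without ever succeeding.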
Error codes
The following table lists common error codes and messages that return when configuring and using IAP.
Error code | Description | Troubleshooting |
---|---|---|
7 | Empty OAuth client ID or secret | Visit the Credentials page to verify your client ID and secret. If they appear correct but aren't working, use API methods to check settings (GET for Compute Engine, GET for App Engine) and reset them with PATCH. |
9 | Failed OAuth redirect | This is an internal error that has been logged automatically. No action is required on your part. |
9 (with path rewrite rules) | Failed OAuth redirect | Your load balancer's path rewrite rules are preventing OAuth completion. Make sure all backends behind your load balancer use identical OAuth client IDs. You can update this using the gcloud compute backend-services update command. |
9 (with path routing rules) | Failed OAuth redirect | Create path rule variants for both versions of each path (with and without trailing slashes) and direct them to the same backend. For example, include rules for both /path/ and /path. |
11 | Incorrectly configured OAuth client ID | Check your client ID and secret in the Credentials page. If they appear correct but aren't working, use API methods to check settings (GET for Compute Engine, GET for App Engine) and reset them with PATCH. |
13 | Invalid OIDC token | Go to the Credentials page to confirm your client ID hasn't been deleted or modified incorrectly. |
51 | Browser lacks connection pooling support | Ask end users to update their browsers to current versions. For more details about connection requirements, see Restrict resource access. |
52 | Hostname/SSL certificate mismatch | Your system administrator needs to update the SSL certificate to match the hostname. Refer to Restrict resource access for guidance. |
53 | Hostname not in allowed domains | An administrator must add your hostname to the allowed domains list. See Restrict resource access for instructions. |
429 | Request quota exceeded | You've reached the request limits (360,000/min for each request type). Consider distributing workloads across multiple projects, implementing client-side request throttling, or contacting Support for quota increases if needed for legitimate growth. |
551 | IAP enabled in multiple places | You can't enable IAP on both forwarding rule and backend service. Disable it on one location following the guidance in Enable for Compute Engine. |
700, 701 | Workforce pool provider issues | Configure exactly one provider for your workforce pool. Review Workforce pools limitations for detailed requirements. |
705 | Missing OAuth client ID for workforce identity | Follow the complete setup process: first create an OAuth client ID, then update your IAP settings. |
708 | Invalid workforce pool name | Verify your workforce pool exists and uses the correct format: locations/global/workforcePools/WORKFORCE_POOL_ID. |
4003 | Connection or firewall issue | Check that your VM process is running and listening on the expected port. Also verify that your firewall rules allow connections on that port. |
4010 | Connection closed by destination | Reset the VM. If problems persist, examine auth.log (usually in /var/log/) or use the serial console for more detailed diagnostics. |
4033 | Permission, existence, or VM state issue | Confirm you have the Tunnel User role assigned for the resource through the IAP page, and verify the VM exists and is running. |
4047 | Instance doesn't exist or is stopped | Make sure your VM is powered on and has fully completed its startup sequence. |
If you're unable to resolve your issue, or you don't see your error listed on this page, then contact Cloud Customer Care with a description of the error and the response you get from a GET call to the API. Ensure that you remove your client secret from the response.
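Removing the client secret by hand is easy to get wrong when the value also appears inside another field. The following helper is an added example, not part of the IAP documentation: it walks a JSON response, blanks any field whose key looks secret-bearing, replaces every literal occurrence of the known secret value wherever it appears, and offers a final check before the text is shared. The key pattern, the field names and the sample response are constructed for this example and do not describe the real IAP settings schema.

```javascript
// Added example (not part of the IAP documentation): redact secrets from an
// API response before attaching it to a support case. The key pattern and the
// sample response below are constructed and do not mirror the real schema.

const SECRET_KEY_PATTERN = /secret|password|private[_-]?key/i;

// Recursively copy `value`; blank values under secret-looking keys and strip
// literal occurrences of known secrets from every string (so a secret copied
// into a URL or message field is caught as well).
function redactResponse(value, knownSecrets = []) {
  if (Array.isArray(value)) return value.map((v) => redactResponse(v, knownSecrets));
  if (value && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SECRET_KEY_PATTERN.test(key) ? "[REDACTED]" : redactResponse(v, knownSecrets);
    }
    return out;
  }
  if (typeof value === "string") {
    return knownSecrets.reduce(
      (s, secret) => (secret ? s.split(secret).join("[REDACTED]") : s),
      value
    );
  }
  return value;
}

// Final guard: true only when none of the known secrets survive anywhere in
// the serialized output. Run this on the exact text you are about to send.
function isSafeToShare(value, knownSecrets) {
  const text = JSON.stringify(value);
  return knownSecrets.every((secret) => !secret || !text.includes(secret));
}

// Constructed sample response (field names are assumptions, not the real API).
const SAMPLE_RESPONSE = {
  name: "projects/PROJECT_ID/iap_web/compute/services/SERVICE_ID",
  oauth2ClientId: "constructed-client-id.apps.googleusercontent.com",
  oauth2ClientSecret: "constructed-secret-value",
  debug: { lastRedirect: "https://example.com/cb?s=constructed-secret-value" },
};

const redacted = redactResponse(SAMPLE_RESPONSE, [SAMPLE_RESPONSE.oauth2ClientSecret]);
console.log(JSON.stringify(redacted, null, 2));
console.log(isSafeToShare(redacted, [SAMPLE_RESPONSE.oauth2ClientSecret])); // true
```

Keep the client ID: support needs it to locate the configuration, and it is not a secret. Only the secret and anything containing it are removed.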