Error when using IAP external identities sign-in page


I have an application that needs to be protected by IAP, so I started external identities.

From GCP console, IAP created a sign-in page on Cloud Run.

When accessing my application, the sign-in page throws an error: "The bucket is not existed" in the Cloud Run log. My account already had the Storage Admin role when creating the Cloud Run sign-in page.

In the browser, when redirecting, I got this error message:

Requests from referer https://<iap-sign-in-page>-an.a.run.app/ are blocked.

I also got this error "API_KEY_HTTP_REFERRER_BLOCKED" when accessing <cloud-run-sign-in-page-url>/admin

{"error":{"code":403,"message":"Requests from referer https://<iap-sign-in-page>-an.a.run.app/ are blocked.","errors":[{"message":"Requests from referer https://<iap-sign-in-page>-an.a.run.app/ are blocked.","domain":"global","reason":"forbidden"}],"status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"API_KEY_HTTP_REFERRER_BLOCKED","domain":"googleapis.com","metadata":{"consumer":"projects/XXXXX","service":"identitytoolkit.googleapis.com"}}]}}

The authui-container version deployed for the sign-in page is v0.1.11.

What am I missing when creating the sign-in page, and how can I resolve this issue?

Thanks!


There are 1 best solutions below

On BEST ANSWER

I solved this problem with the steps below:

  1. Go to GCP Console: APIs & Services -> Credentials -> Edit the API key that is used for IAP
  2. Add the sign-in page URL and the Firebase app URL to the Web Restrictions configuration

<Sign-in page Cloud Run URL>/*

<your-project>.firebaseapp.com/*
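
Added example, not part of the original question or answer: a small Python triage helper that reads a 403 body like the one quoted in the question, confirms the reason is API_KEY_HTTP_REFERRER_BLOCKED, and derives the exact-origin entry to add to the key's web restrictions. The function name, the sample host and the project number are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the 403 body quoted in the question.
# Host name and project number are placeholders, not real values.
SAMPLE_BODY = json.dumps({"error": {
    "code": 403,
    "message": "Requests from referer https://signin-example-an.a.run.app/ are blocked.",
    "status": "PERMISSION_DENIED",
    "details": [{
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "API_KEY_HTTP_REFERRER_BLOCKED",
        "domain": "googleapis.com",
        "metadata": {"consumer": "projects/000000000000",
                     "service": "identitytoolkit.googleapis.com"},
    }],
}})

REFERER_RE = re.compile(r"Requests from referer (\S+) are blocked\.")


def diagnose_blocked_referrer(body):
    """Return details of an API_KEY_HTTP_REFERRER_BLOCKED error, else None."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(err, dict):
        return None
    details = err.get("details")
    details = details if isinstance(details, list) else []
    info = next((d for d in details if isinstance(d, dict)
                 and d.get("reason") == "API_KEY_HTTP_REFERRER_BLOCKED"), None)
    match = REFERER_RE.search(str(err.get("message", "")))
    if info is None or match is None:
        return None
    parts = urlsplit(match.group(1))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # e.g. the request carried no usable Referer header
    meta = info.get("metadata")
    meta = meta if isinstance(meta, dict) else {}
    return {
        "service": meta.get("service"),
        "consumer": meta.get("consumer"),
        "blocked_referrer": match.group(1),
        # Exact origin only: a wildcard over a shared domain would admit
        # pages the key was never meant to serve.
        "allow_pattern": f"{parts.scheme}://{parts.netloc}/*",
    }
```
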