Channels
announcements
ask-marvin
best-practices-coordination-plane
data-ecosystem
data-tricks-and-tips
events
find-a-prefect-job
geo-bay-area
geo-berlin
geo-boston
geo-chicago
geo-colorado
geo-dc
geo-israel
geo-japan
geo-london
geo-nyc
geo-seattle
geo-texas
gratitude
introductions
marvin-in-the-wild
pacc-clearcover-june-12-2023
pacc-may-31-2023
ppcc-may-16-2023
prefect-ai
prefect-aws
prefect-azure
prefect-cloud
prefect-community
prefect-contributors
prefect-dbt
prefect-docker
prefect-gcp
prefect-getting-started
prefect-integrations
prefect-kubernetes
prefect-recipes
prefect-server
prefect-ui
random
show-us-what-you-got
Title
m
Mckelle
06/02/2021, 9:13 PMHi all. I've been working on setting up Prefect Server in GCP and wanted to see if anyone had successfully secured it under Identity Aware Proxy?
I've set it up on a VM and have created a load balancer that directs traffic from my domain to the port 8080 on the VM to access the UI. Initially, when connecting graphql (4200) to the UI, I tried to just set it to the VM IP address:4200, but that was denied because it is HTTP and the domain is https so chrome throws an error saying it's not secure.
To fix that error, I then made a second backend service on the Load Balancer pointing to port 4200 and created a subdomain for that port. I set the subdomain as my Prefect Server Graphql endpoint in the UI and that resolved the first issue.
However, the issue with this is that as soon as I turn on Identity Aware Proxy for both the UI and Graphql backend service, I get a CORS error.
Access to manifest at '<https://accounts.google.com/o/oauth2/v2/auth?…>' (redirected from '<http://maindomain.com|maindomain.com>') from origin '<http://maindomain.com|maindomain.com>' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.n
nicholas
06/02/2021, 9:47 PMHi @Mckelle - securing Prefect Server is out of scope for the support our engineers can provide here but anyone in the community is free to chime in (there have been similar threads in the past that might be worth a look).
For a managed solution with a full authentication layer and security out of the box, I'd encourage you check out Prefect Cloud!
j
Joël Luijmes
06/03/2021, 6:45 AMYes, I’m running prefect behind IAP in GCP. And it works kinda great 🙂
However, as the UI isn’t aware of IAP, it won’t send the cookies to graphql and IAP responds with 403 and/or you get weird CORS errors. To circumvent it, I did the following:
1. Created reverse nginx proxy. This proxy tunnels to prefect-ui and prefect-apollo (when url matches /graphql/apollo)
2. On this deployment, create the LB and enable IAP.
3. Boehm works like magic 🙂
however, sometimes the UI doesn’t load, or apollo is yielding 403's. When this happens, you have to clear the IAP cookies and refresh to sign in again.
Unfortunately skipping 1 doesn’t work (i.e. trying to create LB which routes to UI and Apollo based on path). I think this might be limitation of IAP but then 403's are returned.
m
Mckelle
06/03/2021, 6:08 PM@Joël Luijmes I'll look into doing this! Thank you so much