Mckelle

    1 year ago
    Hi all. I've been working on setting up Prefect Server in GCP and wanted to see if anyone had successfully secured it under Identity Aware Proxy? I've set it up on a VM and have created a load balancer that directs traffic from my domain to port 8080 on the VM to access the UI. Initially, when connecting GraphQL (4200) to the UI, I tried to just set it to the VM IP address:4200, but that was denied because it is HTTP and the domain is HTTPS, so Chrome throws an error saying it's not secure. To fix that error, I then made a second backend service on the Load Balancer pointing to port 4200 and created a subdomain for that port. I set the subdomain as my Prefect Server GraphQL endpoint in the UI and that resolved the first issue. However, the issue with this is that as soon as I turn on Identity Aware Proxy for both the UI and GraphQL backend service, I get a CORS error:
    Access to manifest at 'https://accounts.google.com/o/oauth2/v2/auth?…' (redirected from 'http://maindomain.com') from origin 'http://maindomain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
    Does anyone have any experience with this or anything similar?
    nicholas

    1 year ago
    Hi @Mckelle - securing Prefect Server is out of scope for the support our engineers can provide here, but anyone in the community is free to chime in (there have been similar threads in the past that might be worth a look). For a managed solution with a full authentication layer and security out of the box, I'd encourage you to check out Prefect Cloud!
    Joël Luijmes

    1 year ago
    Yes, I’m running prefect behind IAP in GCP. And it works kinda great 🙂 However, as the UI isn’t aware of IAP, it won’t send the cookies to graphql and IAP responds with 403 and/or you get weird CORS errors. To circumvent it, I did the following:
    1. Created a reverse nginx proxy. This proxy tunnels to prefect-ui and prefect-apollo (when the URL matches /graphql/apollo).
    2. On this deployment, create the LB and enable IAP.
    3. Boom, works like magic 🙂 However, sometimes the UI doesn’t load, or apollo is yielding 403's. When this happens, you have to clear the IAP cookies and refresh to sign in again.
    Unfortunately skipping 1 doesn’t work (i.e. trying to create an LB which routes to UI and Apollo based on path). I think this might be a limitation of IAP, but then 403's are returned.
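An added example of the single-origin nginx reverse proxy Joël describes (not code from the thread or from Prefect). It assumes the Prefect UI listens on 127.0.0.1:8080 and Apollo on 127.0.0.1:4200 on the same VM, that the load balancer targets port 8081, and that the UI's GraphQL endpoint is then set to https://maindomain.com/graphql so both requests share the one IAP-protected origin and cookie.

```nginx
# Added example, not from the thread: one origin in front of both Prefect
# services so the browser sends the IAP session cookie with UI and GraphQL
# requests alike, avoiding the cross-origin redirect to accounts.google.com.
# Assumptions: UI on 127.0.0.1:8080, Apollo on 127.0.0.1:4200, GraphQL
# served under /graphql, TLS terminated at the GCP load balancer.
upstream prefect_ui     { server 127.0.0.1:8080; }
upstream prefect_apollo { server 127.0.0.1:4200; }

server {
    listen 8081;                 # backend port the load balancer targets
    server_name maindomain.com;  # placeholder domain from the thread

    # /graphql stays same-origin with the UI, so no CORS preflight and the
    # IAP cookie is attached automatically.
    location /graphql {
        proxy_pass http://prefect_apollo;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }

    # Everything else is the UI (static assets and its settings page).
    location / {
        proxy_pass http://prefect_ui;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}
```

The proxy enforces no authentication itself: restrict the VM's ingress firewall to the load balancer's proxy ranges, otherwise a direct request to port 8081 bypasses IAP entirely.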
    Mckelle

    1 year ago
    @Joël Luijmes I'll look into doing this! Thank you so much