Troubleshooting and frequently asked questions
This document provides troubleshooting guidance and answers to frequently asked questions about Identity-Aware Proxy (IAP).
Troubleshooting web sign-in
If you encounter errors during sign-in or when accessing your application, inspecting your browser's network traffic can help you diagnose the issue.
Inspecting network traffic
- Open a new Incognito (Chrome) or Private window in your browser.
- Open your browser's developer tools and go to the Network tab.
- Select the Preserve log option to capture all requests during redirects.
- Reproduce the issue by navigating to the URL where you're experiencing problems.
- Examine the network requests in the log to identify where the error occurred.
Analyzing network traffic
When you access an IAP-secured application, you're redirected to the sign-in page. After successful authentication with the identity provider, a request is made to the https://iap.googleapis.com domain to complete authentication before an IAP cookie is issued and you're redirected to the application.
You can troubleshoot errors based on the domain where the error occurs:
- Errors on iap.googleapis.com: If an error occurs on the iap.googleapis.com domain, a detailed error message is displayed on the page. If the error is related to your IAP settings, such as OAuth client issues, adjust your settings. If you encounter client errors that you don't know how to address, or if you see server errors, open a Google Cloud Support ticket.
- Errors on your application domain: If an error occurs after you're redirected to your IAP-secured application domain, an error code is displayed. Refer to the Error codes section for details on common errors. If you cannot resolve the issue, open a Google Cloud Support ticket.
What apps can I secure with IAP?
IAP can be used with the following:
- App Engine standard environment and App Engine flexible environment apps
- Compute Engine instances with HTTP(S) load balancing backend services
- Google Kubernetes Engine containers
- Cloud Run apps with HTTP(S) load balancing backend services
- Cloud Run with one click and no load balancing backend services
IAP cannot be used with Cloud CDN.
Why is there a # at the end of my URL after signing in to my app?
In some browsers and under certain conditions, a # may be appended to the URL after authentication. This is normal and won't cause issues when logging in.
Why are my requests failing and returning 405 Method Not Allowed?
This typically happens when cookies aren't attached to your requests. JavaScript methods don't attach cookies by default.
Different request methods require different approaches:
- For XMLHttpRequest, set withCredentials to true.
- For the Fetch API, set credentials to include or same-origin.
For handling session-related errors, see Managing IAP sessions.
Why am I receiving an HTTP 401 Unauthorized instead of a 302 Redirect?
IAP sends a 302 Redirect only when your client is configured to handle redirects.
Add HTTP Accept="text/html,*/*" to your request headers to indicate support for redirects.
Why aren't POST requests triggering redirects?
Browsers don't redirect in response to POST requests. Instead, IAP returns a 401 Unauthorized status code.
For POST requests to IAP-secured resources, include either of the following:
- An ID token in an Authorization: Bearer header
- Valid cookies (see refreshing sessions)
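An added example, not code from the IAP documentation, that puts the three answers above into browser-side JavaScript: it attaches the IAP session cookie to XMLHttpRequest and fetch() calls, sends the Accept header so unauthenticated GETs receive a 302 to sign-in rather than a 401, and passes an ID token for POSTs. The helper names (iapFetchInit, iapXhr, iapNextStep) and the idToken/sameOrigin options are this example's own assumptions.

```javascript
// Added example (not from the IAP docs). Helper names are assumptions of this example.

// fetch(): cookies are not sent unless `credentials` is set, so IAP sees no session
// cookie and answers 405. "include" also covers cross-origin calls to the app;
// "same-origin" is enough when the script runs on the protected app itself.
// The Accept header tells IAP the client can follow a 302 to the sign-in page;
// without it an unauthenticated request gets 401.
// Browsers never redirect a POST into sign-in, so for POST pass a valid ID token
// (the assumed `idToken` string), which IAP accepts via Authorization: Bearer.
function iapFetchInit(method = "GET", { body, idToken, sameOrigin = false } = {}) {
  const headers = { Accept: "text/html,*/*" };
  if (idToken) headers.Authorization = `Bearer ${idToken}`;
  const init = { method, headers, credentials: sameOrigin ? "same-origin" : "include" };
  if (body !== undefined) init.body = body;
  return init;
}

// XMLHttpRequest: the equivalent switch is `withCredentials = true`.
function iapXhr(method, url, { idToken } = {}) {
  const xhr = new XMLHttpRequest();
  xhr.open(method, url);
  xhr.withCredentials = true;
  xhr.setRequestHeader("Accept", "text/html,*/*");
  if (idToken) xhr.setRequestHeader("Authorization", `Bearer ${idToken}`);
  return xhr; // caller attaches onload/onerror and calls xhr.send(body)
}

// Map the status codes discussed in the FAQ to what the client should do next.
function iapNextStep(status) {
  switch (status) {
    case 405: return "cookies were not sent: set credentials / withCredentials";
    case 401: return "session cookie missing or expired: refresh the session or send an ID token";
    case 302: return "follow the redirect to the IAP sign-in page";
    default: return status >= 200 && status < 300 ? "ok" : "see the error codes table";
  }
}
```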
Can I use IAP if I have disabled the API?
Yes, resources secured by IAP remain accessible when the API is disabled, but you won't be able to modify IAM permissions.
How can I prevent users with the Owner role from using IAP for TCP?
Ideally, limit use of the Owner (roles/owner) role in favor of more granular permissions. See IAM best practices for guidance.
If that's not possible, you can block IAP for TCP using Firewall rules.
What domain does IAP for TCP use?
IAP uses the following Google-owned domains:
- tunnel.cloudproxy.app
- mtls.tunnel.cloudproxy.app (when certificate-based access is enabled)
Why am I receiving Server Error?
If you see:
The server encountered a temporary error and could not complete your request. Please try again in 30 seconds.
It's possible that your firewall may be blocking the load balancer IPs.
Check that your firewall allows traffic from 130.211.0.0/22 and 35.191.0.0/16. If these IPs can't reach your backend, your applications will be inaccessible.
For IAP TCP connections to specific VMs, also ensure the VM accepts connections from the 35.235.240.0/20 range.
Why am I receiving intermittent internal server errors?
Messages like An internal server error occurred while authorizing your request. Error code X indicate backend failures.
Error codes 1, 30, 62, 63, 64, or 703 typically reflect transient issues. Implement exponential backoff for retries.
How can I address quota exceeded errors (Error code 429)?
Error code 429 occurs when your application exceeds IAP's request limits. The service enforces separate quotas:
- Browser-based requests: 360,000 per minute per project
- Programmatic requests: 360,000 per minute per project
A programmatic request is one that includes an AUTHORIZATION or PROXY-AUTHORIZATION header and no IAP cookie. All other requests (including those with no credentials) are considered browser requests.
These limits apply collectively to all IAP-protected resources in your project.
If you're experiencing quota-related errors, consider these solutions:
- Avoid load testing in production. Instead, use alternative network paths that bypass IAP.
- For service-to-service traffic, implement exponential backoff to handle 429 errors gracefully.
- Distribute high-traffic applications across multiple projects.
- Use Apigee or similar API gateway solutions for API-based applications.
- Contact Google Cloud Support for quota increases if organic growth is causing the issue.
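An added example, not code from the IAP documentation, that implements the retry advice from the two preceding answers: it parses the "Error code X" text IAP returns, retries only the codes the FAQ calls transient (1, 30, 62, 63, 64, 703) and the quota responses (HTTP 429, codes 253/429), and backs off exponentially with jitter. The function names, the default delays and attempt limit, and the injectable fetchImpl/sleep/random parameters are this example's own assumptions.

```javascript
// Added example (not from the IAP docs): deciding when to retry a failed call to an
// IAP-secured service. Names and defaults are this example's assumptions.

// Backend failure codes the FAQ lists as typically transient.
const TRANSIENT_IAP_CODES = new Set([1, 30, 62, 63, 64, 703]);
// Codes IAP reports when the project's request quota is exceeded.
const QUOTA_IAP_CODES = new Set([253, 429]);

// Pull "Error code X" out of an IAP error page body, or return null if absent.
function iapErrorCode(bodyText) {
  const m = /Error code (\d+)/.exec(bodyText || "");
  return m ? Number(m[1]) : null;
}

// Return the delay in ms before the next attempt, or null to give up.
// Exponential ceiling (baseMs * 2^attempt, capped at maxMs) with full jitter;
// `random` is injectable so tests can make the delay deterministic.
function iapRetryDelayMs(status, bodyText, attempt,
    { baseMs = 500, maxMs = 30000, maxAttempts = 5, random = Math.random } = {}) {
  const code = iapErrorCode(bodyText);
  const quota = status === 429 || QUOTA_IAP_CODES.has(code);
  const transient = status >= 500 && TRANSIENT_IAP_CODES.has(code);
  if (!(quota || transient) || attempt >= maxAttempts) return null;
  const ceiling = Math.min(maxMs, baseMs * 2 ** attempt);
  return Math.floor(ceiling * random());
}

// Drive a fetch-like function with the policy above. A 401, 405 or a non-transient
// error code is returned to the caller unchanged rather than retried.
async function fetchWithIapRetry(url, init, fetchImpl = fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))) {
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, init);
    if (res.ok) return res;
    const delay = iapRetryDelayMs(res.status, await res.text(), attempt);
    if (delay === null) return res;
    await sleep(delay);
  }
}
```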
Error codes
The following table lists common error codes and messages that return when configuring and using IAP.
| Error code | Description | Troubleshooting |
|---|---|---|
| 7 | Empty OAuth client ID or secret | Visit the Credentials page to verify your client ID and secret. If they appear correct but aren't working, use API methods to check settings (GET for Compute Engine, GET for App Engine) and reset them with PATCH. |
| 9 | Failed OAuth redirect | This is an internal error that has been logged automatically. No action is required on your part. |
| 9 (with path rewrite rules) | Failed OAuth redirect | Your load balancer's path rewrite rules are preventing OAuth completion. Make sure all backends behind your load balancer use identical OAuth client IDs. You can update this using the gcloud compute backend-services update command. |
| 9 (with path routing rules) | Failed OAuth redirect | Create path rule variants for both versions of each path (with and without trailing slashes) and direct them to the same backend. For example, include rules for both /path/ and /path. |
| 11 | Incorrectly configured OAuth client ID | Check your client ID and secret in the Credentials page. If they appear correct but aren't working, use API methods to check settings (GET for Compute Engine, GET for App Engine) and reset them with PATCH. |
| 13 | Invalid OIDC token | Go to the Credentials page to confirm your client ID hasn't been deleted or modified incorrectly. |
| 51 | Browser lacks connection pooling support | Ask end users to update their browsers to current versions. For more details about connection requirements, see Restrict resource access. |
| 52 | Hostname/SSL certificate mismatch | Your system administrator needs to update the SSL certificate to match the hostname. Refer to Restrict resource access for guidance. |
| 52 (with primary certificate map entry) | Hostname/SSL certificate mismatch | IAP does not support primary certificate map entries. Use separate entries to map each certificate to the correct hostname. See Create a certificate map entry for guidance. |
| 53 | Hostname not in allowed domains | An administrator must add your hostname to the allowed domains list. See Restrict resource access for instructions. |
| 253, HTTP 429 | Request quota exceeded | You've reached the request limits (360,000/min for each request type). Consider distributing workloads across multiple projects, implementing client-side request throttling, or contacting Support for quota increases if needed for legitimate growth. |
| 551 | IAP enabled in multiple places | You can't enable IAP on both forwarding rule and backend service. Disable it on one location following the guidance in Enable for Compute Engine. |
| 700, 701 | Workforce pool provider issues | Configure exactly one provider for your workforce pool. Review Workforce pools limitations for detailed requirements. |
| 705 | Missing OAuth client ID for workforce identity | Follow the complete setup process: first create an OAuth client ID, then update your IAP settings. |
| 708 | Invalid workforce pool name | Verify your workforce pool exists and uses the correct format: locations/global/workforcePools/WORKFORCE_POOL_ID. |
| 4003 | Connection or firewall issue | Check that your VM process is running and listening on the expected port. Also verify that your firewall rules allow connections on that port. |
| 4010 | Connection closed by destination | Reset the VM. If problems persist, examine auth.log (usually in /var/log/) or use the serial console for more detailed diagnostics. |
| 4033 | Permission, existence, or VM state issue | Confirm you have the Tunnel User role assigned for the resource through the IAP page, and verify the VM exists and is running. |
| 4047 | Instance doesn't exist or is stopped | Make sure your VM is powered on and has fully completed its startup sequence. |
If you're unable to resolve your issue, or you don't see your error listed on this page, then contact Cloud Customer Care with a description of the error and the response you get from a GET call to the API. Ensure that you remove your client secret from the response.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.