Spinnaker authentication using IAP


We are trying to enable authentication in Spinnaker using IAP.

  • Spinnaker is deployed in GKE using HAL
  • Deck and Gate are exposed to different domains using Ingress and HTTPS is enabled for both.
  • IAP is enabled and credential is created.
  • HAL configurations for IAP have been done and redeployed. BaseURLs for UI & API have been set.
  • CORS pattern is set to the UI URL.

Now when i try to open the application, initially the redirects to https://accounts.google.com/o/oauth2/v2/auth?.… fails a few times (CORS error) before sending me to the log in page. Once logged in, my name appears in the welcome page of Spinnaker. After this stage all API (Gate) calls are failing with CORS error (Access to XMLHttpRequest at ‘https://spinnaker-api.abc.com/webhooks/preconfigured’ from origin ‘https://spinnaker.abc.com’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.). Same is the issue with Applications call as well.

We have set the baseURLs for UI as well as API. So ideally CORS should have been taken care of.

Any help would be highly appreciated.



@sweetib hi…i saw a few posts by you that says you have configured IAP for Spinnaker. Could you please give me directions on it. Thanks!!!


@bhavith I followed the official halyard commands as mentioned here https://www.spinnaker.io/reference/halyard/commands/#hal-config-security-authn-iap

Though we were not able to take IAP to production setup as it was having some bugs https://github.com/spinnaker/spinnaker/issues/3213

If you have not enabled fiat it should be fine. But I have done this on GCE deployment for Spinnaker, not GKE. The load balancer that you have exposed your gate/deck service on, you need to enable IAP on that load balancer. IAP is only supported on https global lb on GCP as far as I know.


thanks @sweetib!!! your inputs helped. I had to edit the .hal/default/service-settings/deck.yml file to make /gate proxy available.