I have followed the steps in Kubernetes Engine for Kubeflow.
The deployment went fine and all pods/services are up, including the endpoint at
https://<name>.endpoints.<project>.cloud.goog/, with the correct
<project> of course.
When I went to the above url, I was redirected to a "Sign in with Google" page. I assumed that OAuth was also configured correctly.
However, after signing in, I was shown an Access Denied page below.
Is there another way to provide access? I thought it was handled by OAuth.
The deployment created by
kfctl.sh in "Deploy Kubeflow on GKE using the command line" also creates a load balancer resource for the ingress into the cluster and secures it using Cloud Identity-Aware Proxy (IAP).
To allow access to the resource for new users, go to:
Google Cloud Console > IAM & Admin > Identity-Aware Proxy
Select the desired resource and click "Add Member".
Fill in the user in the "Access Denied" page and select "Cloud IAP > IAP-Secured Web App User" for role.
Once the policy change is propagated, the user will be able to access the URL successfully.