How to provide access to Kubeflow on GKE?


I have followed the steps in Kubernetes Engine for Kubeflow.

The deployment went fine and all pods/services are up, including the endpoint at https://<name>.endpoints.<project>, with the correct <name> and <project> of course.

When I went to the above url, I was redirected to a "Sign in with Google" page. I assumed that OAuth was also configured correctly.

However, after signing in, I was shown an Access Denied page below.

Is there another way to provide access? I thought it was handled by OAuth.

Access Denied

-- Azmi Kamis

1 Answer


The deployment created by in "Deploy Kubeflow on GKE using the command line" also creates a load balancer resource for the ingress into the cluster and secures it using Cloud Identity-Aware Proxy (IAP).

To allow access to the resource for new users, go to:

Google Cloud Console > IAM & Admin > Identity-Aware Proxy

Select the desired resource and click "Add Member".

Fill in the user in the "Access Denied" page and select "Cloud IAP > IAP-Secured Web App User" for role.

Once the policy change is propagated, the user will be able to access the URL successfully.

-- Azmi Kamis
Source: StackOverflow