I’m working on a web application that uses Vertex AI Search and I want to host it on Google App Engine. Everything seems to work fine locally, but when I deploy to App Engine I get an authorization error.
My setup
I have a simple Flask application that serves an HTML page with the Vertex AI search widget. Here’s my code:
app.py
from flask import Flask, render_template
import os
application = Flask(__name__)
@application.route("/", methods=['GET', 'POST'])
def home():
return render_template("search.html")
if __name__ == '__main__':
application.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)), debug=False)
This authorization error caught me off guard when I first deployed my search application too. The domain whitelisting mentioned above is correct, but I wanted to add that you might also run into issues if you have multiple versions of your App Engine service running. When you deploy new versions, App Engine creates URLs like 20231201t123456-dot-myapp.uc.r.appspot.com for versioned deployments. If you’re testing different versions, you’ll need to either add each versioned URL to your allowed domains or stick to using the default service URL. Also worth noting that if you’re planning to use a custom domain later, the authorization needs to be updated before you switch over. I learned this the hard way when our search broke right after we moved to our company domain. The configuration change is immediate though, so no downtime once you add the new domain to the whitelist.
I encountered this exact scenario when deploying our document search portal six months ago. The domain authorization is definitely the culprit here, but there’s one additional step that tripped me up initially. After adding your App Engine domain to the allowed domains in Vertex AI Search console, make sure to check the CORS settings as well. Sometimes the widget fails silently if the CORS policy isn’t properly configured for your appspot.com domain. Also, if you’re using IAM service accounts for your App Engine app, verify that the default service account has the necessary Discovery Engine permissions. I had to grant our App Engine service account the “Discovery Engine Editor” role before everything worked smoothly. The error message you’re seeing is typically just the domain restriction, but having the proper IAM setup prevents other authentication issues down the line.
Quick tip - dont forget to check if you have any firewall rules blocking the widget. i had everything whitelisted correctly but our app engine firewall was still rejecting the requests from vertex ai servers. check your app.yaml ingress settings too
had same issue last month. you need to whitelist your appengine domain in the vertex ai search console. go to your search config settings and add your appspot.com url to the allowed domains list. works immediately after that
Yeah this is a classic domain authorization problem. I ran into this exact same thing when we migrated our internal search tool to App Engine last year.
The issue is that Vertex AI Search has domain restrictions by default. Your local development works because localhost is usually allowed, but production domains need explicit authorization.
Here’s what you need to do:
Go to the Google Cloud Console
Navigate to Vertex AI Search & Conversation
Find your search app configuration
Look for “Allowed domains” or “Domain restrictions” settings
Add your App Engine domain: myapp.uc.r.appspot.com
One thing to watch out for - if you’re using custom domains later, you’ll need to add those too. Also make sure you’re adding the exact domain format that shows in the error message.
I’ve seen this setup work really well for enterprise search applications. Here’s a practical walkthrough that covers the whole process:
After you update the domain settings, it should work right away. No need to redeploy your app.
