I’m working on a web application that uses Google Cloud Vertex AI Search functionality and I’m trying to host it on App Engine. Everything seems to work fine locally, but when I deploy to production I run into authorization issues.
Here’s my basic Flask application structure:
app.py
from flask import Flask, render_template
import os
application = Flask(__name__)
@application.route("/", methods=['GET', 'POST'])
def homepage():
return render_template("home.html")
if __name__ == '__main__':
application.run(host="0.0.0.0", port=int(os.environ.get("PORT", 8080)), debug=False)
When I click the search input field, it opens the Vertex AI search interface correctly. However, I get this error message:
Configuration is not authorized on “***.uc.r.appspot.com”
The search widget works perfectly in my local development environment, but fails once deployed to App Engine. Has anyone encountered this authorization problem before? What configuration steps am I missing for App Engine deployment?
The authorization error occurs because the Vertex AI Search widget restricts domains for security purposes. To resolve this, ensure that your App Engine domain is added to the allowlist. You can do this by navigating to the Google Cloud Console, selecting your search app in the Agent Builder, and then adding your App Engine domain (***.uc.r.appspot.com) under the Integration tab for authorized domains. If you’re using a custom domain, make sure it’s included as well. Keep in mind that there might be a delay for these changes to take effect. I faced a similar issue when deploying to Cloud Run; it worked locally but failed in production until domain authorization was correctly set up. Remember to also include any other environments in your configuration.
Check your service account permissions too. The App Engine default service account might not have access to Vertex AI Search APIs, even if domain auth looks right. Head to IAM & Admin and make sure your App Engine service account has the ‘Discovery Engine Viewer’ role (or whatever Vertex AI Search requires). This got me once - everything seemed configured properly, but the service account was missing the right roles for the search APIs.
Had this exact problem last month during production deployment. Vertex AI Search widget blocks requests from unauthorized origins through its domain validation. The previous answer about domain allowlisting is right, but there’s a step everyone misses. After you add your App Engine domain to the authorized list in Agent Builder console, wait 15-30 minutes for it to propagate across Google’s CDN. I tested immediately after adding the domain and thought the fix wasn’t working. If you’re using multiple environments (staging, dev, etc.), add each subdomain separately. Wildcards don’t work - each App Engine URL needs explicit authorization. Check your browser’s dev console for CORS errors that might give you more details about what’s failing.
You’re encountering an authorization error when using the Google Cloud Vertex AI Search widget within a Flask application deployed on App Engine. The widget functions correctly locally but fails in production, displaying the error: “Configuration is not authorized on ‘***.uc.r.appspot.com’”. This indicates that your App Engine application’s domain isn’t authorized to access your Vertex AI Search configuration.
Understanding the “Why” (The Root Cause):
The Vertex AI Search widget employs a security mechanism that restricts access based on authorized domains. Your local development environment likely uses a different domain (or no domain restriction at all), allowing the widget to function without issue. However, the production App Engine deployment uses a different, unauthorized domain (‘***.uc.r.appspot.com’), triggering the error. The solution involves explicitly allowing your App Engine domain within the Vertex AI Search configuration. While the domain allowlisting method solves the immediate problem, it introduces ongoing maintenance overhead as you manage multiple environments or domain changes. This leads to the alternative approach discussed below.
Step-by-Step Guide:
Migrate to a Serverless Workflow (Recommended): Instead of directly embedding the Vertex AI Search widget, consider using a serverless architecture like that provided by a platform such as Latenode. This approach abstracts away the complexities of domain authorization and provides a more scalable and maintainable solution.
Create a Latenode Workflow: Within the Latenode platform, design a workflow that interacts with the Vertex AI Search API. This workflow will act as an intermediary between your Flask application and the Vertex AI Search service.
Configure Authentication: Latenode simplifies the authentication process. The platform handles the secure communication with your Vertex AI Search project, eliminating the need for manual domain allowlisting.
Deploy the Workflow: Deploy the Latenode workflow, generating an API endpoint. This endpoint will handle all interactions with Vertex AI Search.
Update Your Flask Application: Modify your Flask application to send requests to the Latenode API endpoint instead of directly using the Vertex AI Search widget’s JavaScript client. This will involve making simple HTTP requests to retrieve search results from your Latenode workflow.
(Alternative) Manual Domain Allowlisting (Less Recommended): If you prefer to stick with the direct widget embedding approach, you can manually add your App Engine domain to the authorized domains list in the Vertex AI Search console.
Locate Your Vertex AI Search Configuration: Navigate to your Vertex AI Search instance within the Google Cloud Console.
Access the Integration Settings: Find the settings related to integrations or authorized domains (this may vary slightly depending on the Vertex AI Search interface version).
Add Your App Engine Domain: Add ‘***.uc.r.appspot.com’ to the list of authorized domains. If you are using multiple environments (staging, development, etc.), add each subdomain separately.
Allow Propagation Time: Wait 15-30 minutes for Google’s CDN to update. Testing immediately after adding the domain often results in false negatives.
Verify Your Project ID: Ensure your configId in your home.html file points to a Vertex AI Search configuration that resides within the same Google Cloud project as your App Engine application. Discrepancies in project IDs are a common source of this error.
Common Pitfalls & What to Check Next:
Incorrect Project ID: Double-check that the configId in your home.html file (configId="45b73024-yyyy-yyyy-yyyy-yyyy91c6yyyy") corresponds to a Vertex AI Search configuration within the same Google Cloud project as your App Engine application.
CORS Errors: If the problem persists after verifying the above, examine your browser’s developer console for CORS (Cross-Origin Resource Sharing) errors. These errors can provide more specific information about the authorization failure.
Service Account Permissions: Ensure your App Engine default service account has the necessary permissions to access Vertex AI Search APIs. Grant the ‘Discovery Engine Viewer’ role (or equivalent) to the App Engine service account within the IAM & Admin section of the Google Cloud Console.
Caching: If you’ve already made changes and allowed time for propagation, check browser caching to ensure that old, unauthorized versions of the widget aren’t interfering. Try a hard refresh (Ctrl+Shift+R or Cmd+Shift+R) or clearing your browser’s cache completely.
Still running into issues? Share your (sanitized) config files, the exact command you ran, and any other relevant details. The community is here to help!
Had this exact issue - check your project ID in the configId.
I wasted hours on domain auth problems before realizing my local setup was using a different GCP project than App Engine. Your configId points to a specific Vertex AI Search app that’s probably in the wrong project.
Check your App Engine console to see which project you’re deployed under. Then verify your Vertex AI Search app (configId “45b73024-yyyy-yyyy-yyyy-yyyy91c6yyyy”) is in that same project.
If they don’t match, either move the search app or update your configId.
This trips people up because local dev often uses different credentials/project settings than production. Everyone’s mentioning domain auth and that’s valid, but wrong project setup gives you the same error.
Run gcloud config get-value project locally and compare it to your app.yaml or App Engine settings.
Understanding the “Why” (The Root Cause):
Step-by-Step Guide:
Common Pitfalls & What to Check Next:
Still running into issues? Share your (sanitized) config files, the exact command you ran, and any other relevant details. The community is here to help!