Skip to main content
Join the official 2019 Python Developers SurveyStart the survey!

A tool for to manage Identity-Aware Proxy policy google cloud platform

Project description

Allow connection to instances on multiple criteria via Identity-Aware Proxy

Installation :

  pip install google-iap   

Prerequisites:

The service account used must have at least the roles Compute Viewer and IAP Policy Admin
You must authorize the Identity-Aware Proxy network (35.235.240.0/20) on port 22 as input to the desired network at the firewall

Example of use :

  google-iap iap get --credentials=service-account.json --project=<projectId>     

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>     

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>    

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml    

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json    

  google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json    

  google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml   

  google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml    

  google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml    

File example POLICY_FILE.yaml :

---
policy:
  bindings:
  - role: roles/iap.tunnelResourceAccessor
    members:
    - user:account@gmail.com
    condition:
      title: adm-ssh
      expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"

File example POLICY_FILE.json :

{

  "policy": {

    "bindings": [

      {

        "role": "roles/iap.tunnelResourceAccessor",

        "members": ["user:account@gmail.com"],

        "condition": {

           "title": "adm-ssh",

           "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"

        }

      }

    ]

  }

}

You can show CEL expression -> https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling

Use :

  • Ssh tunneling :
    gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>    
    
  • Ssh connection :
    gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>    
    

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for google-iap, version 1.0.7
Filename, size File type Python version Upload date Hashes
Filename, size google_iap-1.0.7-py2-none-any.whl (10.3 kB) File type Wheel Python version py2 Upload date Hashes View hashes
Filename, size google_iap-1.0.7-py3-none-any.whl (10.3 kB) File type Wheel Python version py3 Upload date Hashes View hashes

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page