A tool for to manage Identity-Aware Proxy policy google cloud platform
Project description
Allow connection to instances on multiple criteria via Identity-Aware Proxy
Installation :
pip install google-iap
Prerequisites:
The service account used must have at least the roles Compute Viewer and IAP Policy Admin
You must authorize the Identity-Aware Proxy network (35.235.240.0/20) on port 22 as input to the desired network at the firewall
Example of use :
google-iap iap get --credentials=service-account.json --project=<projectId>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml
File example POLICY_FILE.yaml :
---
policy:
bindings:
- role: roles/iap.tunnelResourceAccessor
members:
- user:account@gmail.com
condition:
title: adm-ssh
expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
File example POLICY_FILE.json :
{
"policy": {
"bindings": [
{
"role": "roles/iap.tunnelResourceAccessor",
"members": ["user:account@gmail.com"],
"condition": {
"title": "adm-ssh",
"expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
}
}
]
}
}
You can show CEL expression -> https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling
Use :
- Ssh tunneling :
gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone> - Ssh connection :
gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
No source distribution files available for this release.See tutorial on generating distribution archives.
Built Distributions
Close
Hashes for google_iap-1.0.3-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | cece398793ca250c66ac7f92b825bd3f4c135254ed837b514c04a80bedf6f826 |
|
| MD5 | 4ca6c6daf9239d7682906424eb4ff241 |
|
| BLAKE2b-256 | 82a9fe4db1663e1607b5151aec7d8433d7af2da3cab9eba043e8fb9d0a2a4576 |
Close
Hashes for google_iap-1.0.3-py2-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | cf2716dd5da7c501b1da173f536d93390e9ff573bb6e7bf118f46ad80789b906 |
|
| MD5 | a644b3e1a9b7dedc95686b8c771ac9cd |
|
| BLAKE2b-256 | 5e00c430dd1c06a2c99ff2e8eb8f560c55efc751a9e32c3e6feb8e22dc5d1295 |
