A tool to manage Identity-Aware Proxy policies on Google Cloud Platform
Project description
Allows connections to instances, selected by multiple criteria, through Identity-Aware Proxy.
Installation:
pip install google-iap
Prerequisites:
The service account used must have at least the roles Compute Viewer and IAP Policy Admin.
You must allow ingress from the Identity-Aware Proxy address range (35.235.240.0/20) on port 22 in the firewall rules of the target network.
Examples of use:
google-iap iap get --credentials=service-account.json --project=<projectId>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml
Example POLICY_FILE.yaml:
---
policy:
  bindings:
  - role: roles/iap.tunnelResourceAccessor
    members:
    - user:account@gmail.com
    condition:
      title: adm-ssh
      expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
Example POLICY_FILE.json:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["user:account@gmail.com"],
        "condition": {
          "title": "adm-ssh",
          "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
        }
      }
    ]
  }
}
See the reference for CEL condition expressions used with IAP TCP tunneling: https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling
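As an added example (not code from the google-iap project), the following Python checker reads a POLICY_FILE.json of the shape shown above and flags bindings that would widen tunnel access before the file is applied with `google-iap iap set`: bindings with no condition, conditions that do not pin destination.port, resource.type or resource.name, public members such as allUsers, and members without a recognised prefix. The two sample policies are constructed here, and the string checks on the CEL expression are a heuristic rather than a CEL parser.

```python
"""Lint an IAP tunnel IAM policy file before applying it.

Added example, not part of the google-iap project. Assumes the policy file
has the README's shape: {"policy": {"bindings": [...]}}.
"""
import json
import re

# The role that grants the right to open an IAP TCP tunnel to an instance.
TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"
# Members that grant access to everyone; they have no place in a tunnel binding.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# IAM member prefixes accepted by this checker.
MEMBER_PREFIX = re.compile(r"^(user|serviceAccount|group|domain):")


def load_policy(text):
    """Parse a JSON policy file (same layout as POLICY_FILE.json above)."""
    return json.loads(text)


def lint_policy(policy_doc):
    """Return a list of (binding_index, problem) tuples; an empty list means the policy passes."""
    problems = []
    bindings = policy_doc.get("policy", {}).get("bindings", [])
    if not bindings:
        problems.append((None, "policy has no bindings"))
    for i, binding in enumerate(bindings):
        role = binding.get("role")
        if role != TUNNEL_ROLE:
            problems.append((i, f"unexpected role {role!r}; only {TUNNEL_ROLE} is expected here"))
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                problems.append((i, f"member {member} opens the tunnel to everyone"))
            elif not MEMBER_PREFIX.match(member):
                problems.append((i, f"member {member!r} has no recognised prefix (user:, serviceAccount:, group:, domain:)"))
        cond = binding.get("condition")
        if not cond or not cond.get("expression"):
            problems.append((i, "binding has no condition: it grants tunnel access to every instance and port"))
            continue
        expr = cond["expression"]
        # Heuristic substring checks on the CEL expression; a real CEL parser would be stricter.
        if "destination.port" not in expr:
            problems.append((i, "condition does not restrict destination.port"))
        if "resource.type" not in expr:
            problems.append((i, "condition does not restrict resource.type"))
        if "resource.name" not in expr:
            problems.append((i, "condition does not restrict resource.name (applies to every instance)"))
    return problems


# Constructed sample 1: the README's own policy, which should pass.
GOOD_POLICY_JSON = r"""
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["user:account@gmail.com"],
        "condition": {
          "title": "adm-ssh",
          "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
        }
      }
    ]
  }
}
"""
GOOD_POLICY = load_policy(GOOD_POLICY_JSON)

# Constructed sample 2: a loose policy with an unconditioned public binding and
# a second binding whose condition pins neither the port nor the instance name.
BAD_POLICY = {
    "policy": {
        "bindings": [
            {"role": TUNNEL_ROLE, "members": ["allAuthenticatedUsers", "account@gmail.com"]},
            {
                "role": TUNNEL_ROLE,
                "members": ["user:account@gmail.com"],
                "condition": {"title": "loose", "expression": 'resource.type == "google.cloud.compute.Instance"'},
            },
        ]
    }
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        found = lint_policy(doc)
        print(f"{name}: {'OK' if not found else f'{len(found)} problem(s)'}")
        for idx, msg in found:
            print(f"  binding {idx}: {msg}")
```

Run the checker on a policy file with `lint_policy(load_policy(open("POLICY_FILE.json").read()))` and refuse to call `google-iap iap set` when the list is non-empty; the YAML form can be checked the same way once parsed into the same dictionary shape.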
Use:
- TCP tunneling through IAP (port forwarding):
gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>
- SSH connection:
gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>
Hashes for google_iap-1.0.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | cece398793ca250c66ac7f92b825bd3f4c135254ed837b514c04a80bedf6f826
MD5 | 4ca6c6daf9239d7682906424eb4ff241
BLAKE2b-256 | 82a9fe4db1663e1607b5151aec7d8433d7af2da3cab9eba043e8fb9d0a2a4576
Hashes for google_iap-1.0.3-py2-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | cf2716dd5da7c501b1da173f536d93390e9ff573bb6e7bf118f46ad80789b906
MD5 | a644b3e1a9b7dedc95686b8c771ac9cd
BLAKE2b-256 | 5e00c430dd1c06a2c99ff2e8eb8f560c55efc751a9e32c3e6feb8e22dc5d1295