A tool to manage Identity-Aware Proxy policies on Google Cloud Platform
Project description
Allows connections to instances, filtered on multiple criteria, via Identity-Aware Proxy
Installation:
pip install google-iap
Prerequisites:
The service account used must have at least the roles Compute Viewer and IAP Policy Admin
You must allow ingress from the Identity-Aware Proxy range (35.235.240.0/20) on port 22 to the target network in the firewall rules
Examples of use:
google-iap iap get --credentials=service-account.json --project=<projectId>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml
File example POLICY_FILE.yaml:
---
policy:
  bindings:
  - role: roles/iap.tunnelResourceAccessor
    members:
    - user:account@gmail.com
    condition:
      title: adm-ssh
      expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
File example POLICY_FILE.json:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["user:account@gmail.com"],
        "condition": {
          "title": "adm-ssh",
          "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
        }
      }
    ]
  }
}
CEL expression examples for IAP TCP tunneling: https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling
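As an added example (not part of google-iap itself), a small Python check that reads a policy document in the JSON layout above and flags roles/iap.tunnelResourceAccessor bindings that are unconditional, open to allUsers/allAuthenticatedUsers, or whose CEL condition does not pin destination.port and resource.type. The sample policy, including its second deliberately over-broad binding, is constructed for the example.

```python
import json
import re

# Constructed sample: the page's binding, plus a second over-broad
# binding (public member, no condition) so the check has something to flag.
SAMPLE_POLICY = json.loads(r'''
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["user:account@gmail.com"],
        "condition": {
          "title": "adm-ssh",
          "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
        }
      },
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["group:ops@example.com", "allAuthenticatedUsers"]
      }
    ]
  }
}
''')

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Matches the 'destination.port == N' comparisons in a CEL expression.
PORT_RE = re.compile(r"destination\.port\s*==\s*(\d+)")


def lint_policy(doc, allowed_ports=(22,)):
    """Return a list of findings for tunnelResourceAccessor bindings."""
    findings = []
    for i, b in enumerate(doc["policy"]["bindings"]):
        if b.get("role") != "roles/iap.tunnelResourceAccessor":
            continue
        public = sorted(PUBLIC_MEMBERS.intersection(b.get("members", [])))
        if public:
            findings.append(f"binding {i}: public member(s) {public}")
        cond = b.get("condition")
        if cond is None:
            findings.append(f"binding {i}: unconditional binding, tunnel access to every port on every resource the policy covers")
            continue
        expr = cond.get("expression", "")
        ports = [int(p) for p in PORT_RE.findall(expr)]
        if not ports:
            findings.append(f"binding {i}: condition does not restrict destination.port")
        elif any(p not in allowed_ports for p in ports):
            findings.append(f"binding {i}: ports {ports} outside allowed {list(allowed_ports)}")
        if "resource.type" not in expr:
            findings.append(f"binding {i}: condition does not pin resource.type")
    return findings
```

Run it against the file you are about to pass to `google-iap iap set`; an empty list means every tunnel binding is conditioned on an allowed port and a resource type and has no public member.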
Usage:
- TCP tunneling through IAP (here forwarding local port 8888 to port 80 on the instance; the example policy above only permits destination.port 22, so a port-80 tunnel needs a condition that allows it):
gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>
- SSH connection through IAP:
gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>
Hashes for google_iap-1.0.4-py3-none-any.whl
Hashes for google_iap-1.0.4-py2-none-any.whl