A tool to manage Identity-Aware Proxy (IAP) TCP-forwarding policies on Google Cloud Platform
Project description
Grants or inspects access to Compute Engine instances through Identity-Aware Proxy, scoped by project, zone, instance and a CEL condition (for example a destination-port or instance-name restriction).
Installation:
pip install google-iap
Prerequisites:
The service account used must have at least the Compute Viewer and IAP Policy Admin roles on the project.
A firewall rule must allow ingress from the IAP TCP-forwarding range 35.235.240.0/20 to the target network on port 22 (and on any other port you intend to tunnel, such as 80 in the usage example below). IAP connections reach the instance from that range, not from the client's own address.
Examples of use:
google-iap iap get --credentials=service-account.json --project=<projectId>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml
Example POLICY_FILE.yaml:
---
policy:
  bindings:
  - role: roles/iap.tunnelResourceAccessor
    members:
    - user:account@gmail.com
    condition:
      title: adm-ssh
      expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
Example POLICY_FILE.json:
{
  "policy": {
    "bindings": [
      {
        "role": "roles/iap.tunnelResourceAccessor",
        "members": ["user:account@gmail.com"],
        "condition": {
          "title": "adm-ssh",
          "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
        }
      }
    ]
  }
}
More CEL expression examples for IAP TCP-tunneling conditions: https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling
Note that resource.name.startsWith("instance-name") is a prefix match, so it also covers instance-name-2 or instance-name-staging; tighten the prefix (or compare the full resource name) if that is not intended, and check the resource.name format on the linked page, because a prefix that never matches silently denies all access instead of failing when the policy is set.
Usage:
- TCP tunneling (forwards local port 8888 to port 80 on the instance; the example policy above only permits destination.port == 22, so this needs a binding whose condition allows port 80):
gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>
- SSH connection:
gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>
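Before handing a policy file to `iap set`, it is worth checking it for the mistakes that widen tunnel access: a public member, a binding without a condition, or a condition that does not pin the destination port. The pre-flight linter below is an added example written for this page, not part of the google-iap package. It assumes the file shape shown above (a top-level `policy` holding `bindings`); the function names `lint_policy`, `allowed_ports`, `port_allowed` and `load_policy_file` are hypothetical, and the two embedded sample policies are constructed (the first reproduces the page's example, the second is deliberately bad). It also answers the question raised by the usage section: whether a given port, such as 80 for the tunnel example, is permitted by the file.

```python
from __future__ import annotations

import json
import re
import sys

# Constants taken from the page's policy examples
TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PRINCIPAL_RE = re.compile(r"(user|serviceAccount|group|domain):.+")
# Two ways a CEL condition commonly pins the port: == N, or in [N, M]
PORT_EQ_RE = re.compile(r"destination\.port\s*==\s*(\d+)")
PORT_IN_RE = re.compile(r"destination\.port\s+in\s+\[([\d,\s]*)\]")


def load_policy_file(path: str) -> dict:
    """Read a JSON or YAML policy file (YAML input needs PyYAML; JSON is tried first)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # optional dependency, only needed for .yaml input
        return yaml.safe_load(text)


def _bindings(policy_doc: dict) -> list[dict]:
    policy = policy_doc.get("policy") if isinstance(policy_doc, dict) else None
    bindings = policy.get("bindings") if isinstance(policy, dict) else None
    return bindings if isinstance(bindings, list) else []


def lint_policy(policy_doc: dict) -> list[str]:
    """Return human-readable findings; an empty list means the file passed every check."""
    bindings = _bindings(policy_doc)
    if not bindings:
        return ["file must contain a non-empty policy.bindings list"]
    findings: list[str] = []
    for i, b in enumerate(bindings):
        where = f"binding[{i}]"
        role = b.get("role")
        if role != TUNNEL_ROLE:
            findings.append(f"{where}: role {role!r} is not {TUNNEL_ROLE}")
        members = b.get("members") or []
        if not members:
            findings.append(f"{where}: no members")
        for m in members:
            if m in PUBLIC_MEMBERS:
                findings.append(f"{where}: member {m} would let anyone open a tunnel")
            elif not PRINCIPAL_RE.fullmatch(m):
                findings.append(f"{where}: member {m!r} is not a recognised principal form")
        expr = (b.get("condition") or {}).get("expression", "")
        if not expr:
            findings.append(f"{where}: unconditional binding (any port on any instance in scope)")
            continue
        if not (PORT_EQ_RE.search(expr) or PORT_IN_RE.search(expr)):
            findings.append(f"{where}: condition does not pin destination.port")
        if "resource.name" not in expr and "destination.ip" not in expr:
            findings.append(f"{where}: condition does not name a target instance or IP")
    return findings


def allowed_ports(policy_doc: dict) -> set[int] | None:
    """Ports the conditions permit; None means at least one binding leaves the port open."""
    ports: set[int] = set()
    for b in _bindings(policy_doc):
        expr = (b.get("condition") or {}).get("expression", "")
        eq = PORT_EQ_RE.findall(expr)
        lists = PORT_IN_RE.findall(expr)
        if not eq and not lists:
            return None
        ports.update(int(p) for p in eq)
        for lst in lists:
            ports.update(int(p) for p in lst.split(",") if p.strip())
    return ports


def port_allowed(policy_doc: dict, port: int) -> bool:
    ports = allowed_ports(policy_doc)
    return ports is None or port in ports


# Constructed samples: the page's policy in JSON form, and a deliberately bad one
PAGE_POLICY = {"policy": {"bindings": [{
    "role": TUNNEL_ROLE,
    "members": ["user:account@gmail.com"],
    "condition": {
        "title": "adm-ssh",
        "expression": 'resource.name.startsWith("instance-name") && '
                      'resource.type == "google.cloud.compute.Instance" && '
                      'destination.port == 22',
    },
}]}}
BAD_POLICY = {"policy": {"bindings": [{"role": TUNNEL_ROLE, "members": ["allUsers"]}]}}

if __name__ == "__main__":
    doc = load_policy_file(sys.argv[1]) if len(sys.argv) > 1 else PAGE_POLICY
    problems = lint_policy(doc)
    for f in problems:
        print("FINDING:", f)
    print("port 22 allowed:", port_allowed(doc, 22), "| port 80 allowed:", port_allowed(doc, 80))
    sys.exit(1 if problems else 0)
```

Run it as `python lint_iap_policy.py POLICY_FILE.yaml` and wire the non-zero exit into whatever step calls `google-iap iap set`; with the page's example policy it reports no findings but shows port 80 as not allowed, which is exactly why the port-80 tunnel in the usage section needs its own binding.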
Download files
Built Distributions
Hashes for google_iap-1.0.6-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 2071ff4804a741adcc896562083b0df6d78492f1adb81f2b7b3ffbf9a03b0530
MD5 | 0a0896bb814891309c5c84f3a6d2f9ca
BLAKE2b-256 | daf9abb765555b5b8a2ba3ba9ffe69289a61339279b6c7c0c875e4a6e7a617fa

Hashes for google_iap-1.0.6-py2-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 76a520b120333e3b63cb1350261b0cfc5042e151379b18812a25030e304dc5e3
MD5 | 88c3dc3c2a85df77b729867be4d5488d
BLAKE2b-256 | 1c155317675689975e775523d94ab57512e88ed822ad5ff7bc413573d415f7e0

Pin the SHA256 digest in a requirements file (google-iap==1.0.6 --hash=sha256:...) and install with pip install --require-hashes so that pip rejects a substituted artifact.