top | item 21842098

dward | 6 years ago

Identity aware proxy supports SSH tunneling which means you don't need to manage a bastion.

https://cloud.google.com/iap/docs/using-tcp-forwarding#tunne...

For connecting VMs without public IPs to the outside world, Cloud NAT is the easiest answer. You could set one up yourself if you were so inclined (e.g. some forwarding rules and iptables rules on the bastion).

For ssh key distribution, there are a few options. You can store the key in Secret Manager and run your GCE VMs as a service account that has access to the key, then fetch it when pulling.

https://cloud.google.com/secret-manager/docs/

Something like:

$ ssh-add <(gcloud beta secrets versions access latest --secret=github-ssh-key)

On startup. I haven't actually tried out secret manager yet.

If you have too much time on your hands, you could rig something up with GCE vTPMs as well :)

https://cloud.google.com/blog/products/gcp/virtual-trusted-p...
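The startup-time fetch sketched above, worked out as an added example (not code from the post): it pulls the secret with the GA `gcloud secrets` command (the post used the `beta` track), refuses anything that does not look like a private key, and pipes the key into ssh-agent on stdin so it never touches disk. It assumes the VM's service account has `roles/secretmanager.secretAccessor` on the secret and that the secret payload is an OpenSSH private key; the `GCLOUD` override exists only for testing.

```shell
#!/bin/sh
# Fetch a GitHub deploy key from Secret Manager at VM startup and hand it to
# ssh-agent without writing it to a file. Assumptions (not from the post):
# the VM's service account can access the secret, and the secret payload
# is an OpenSSH private key.
set -eu

SECRET_NAME="${SECRET_NAME:-github-ssh-key}"  # secret name used in the post
GCLOUD="${GCLOUD:-gcloud}"                    # overridable so tests can stub it

# Print the latest version of the secret on stdout.
fetch_key() {
  "$GCLOUD" secrets versions access latest --secret="$1"
}

# Accept only material that looks like a private key; this catches an empty
# payload or a public key that was stored in the wrong secret.
is_private_key() {
  case "$1" in
    "-----BEGIN OPENSSH PRIVATE KEY-----"*) return 0 ;;
    "-----BEGIN "*" PRIVATE KEY-----"*)     return 0 ;;
    *)                                      return 1 ;;
  esac
}

# Start an agent for this shell if none is reachable yet.
ensure_agent() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
}

# Pull the secret, validate it, and add it to the agent via stdin ('-'),
# so the key appears neither in a file nor in `ps` output.
load_deploy_key() {
  key="$(fetch_key "$SECRET_NAME")"
  if ! is_private_key "$key"; then
    echo "secret '$SECRET_NAME' does not contain a private key" >&2
    return 1
  fi
  ensure_agent
  printf '%s\n' "$key" | ssh-add -
}
```

Call `load_deploy_key` from the instance startup script after the service account token is available; revoking access is then a matter of removing the secret IAM binding or disabling the secret version.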

jmarcher | 6 years ago

SSH with IAP over TCP is dope, so is IAP in general for hiding internal websites and tools. There is still some edge case you may want a bastion (e.g. access a private GKE master). For most use cases, you are right, IAP TCP replaces the need for a bastion host. Actually, in this case, their proxy is the bastion host, but hey!

As far as managing SSH keys, I would say: don't do it. Use OS Login instead. For cases like automation, create a service account and use it with OS Login. It gives you a centralized way to manage SSH access (and revoke access) and sudo privileges.

https://cloud.google.com/compute/docs/oslogin/

tomlockwood | 6 years ago

I'm currently using osLogin, but wondering if there's a good way to connect to private github repos from each VM. I think ssh keys are the answer for that, but I have no idea! Thanks to both of you for the info - I'll read up on all this stuff!!!

tomlockwood | 6 years ago

Thank you for your advice! I'll likely end up using some of these - although I think vTPM is a little beyond me!