一个管理身份感知代理策略的工具google云平台
google-iap的Python项目详细描述
允许通过身份感知代理连接到多个条件下的实例
安装:
pip install google-iap
先决条件:
The service account used must have at least the roles Compute Viewer and IAP Policy Admin
You must authorize the Identity-Aware Proxy network (35.235.240.0/20) on port 22 as input to the desired network at the firewall
使用示例:
google-iap iap get --credentials=service-account.json --project=<projectId>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml
google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json
google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml
google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml
文件示例policy_file.yaml:
---
policy:
bindings:
- role: roles/iap.tunnelResourceAccessor
members:
- user:account@gmail.com
condition:
title: adm-ssh
expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
文件示例policy_file.json:
{
"policy": {
"bindings": [
{
"role": "roles/iap.tunnelResourceAccessor",
"members": ["user:account@gmail.com"],
"condition": {
"title": "adm-ssh",
"expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
}
}
]
}
}
您可以显示cel表达式->;https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling
使用:
- ssh隧道:
gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>
- ssh连接:
gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>