Reputation: 134
I need to execute commands on my Compute Engine VM. We need an initial setup for the SQL and the plan is to use Cloud Build (will only be triggered once) for this; IAP is implemented and a firewall rule is already in place. (Allow TCP 22 from 35.235.240.0/20)
This is my build step:
# Setup Cloud SQL
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  id: 'Setup Cloud SQL Tables'
  entrypoint: 'bash'
  args:
  - -c
  - |
    echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
    gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME:~" &&
    echo "SSH to $_SQL_JUMP_BOX_NAME" &&
    gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME" --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"
I am receiving this error:
[email protected]: Permission denied (publickey).
WARNING:
To increase the performance of the tunnel, consider installing NumPy. For instructions,
please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth
[email protected]: Permission denied (publickey).
ERROR: (gcloud.compute.scp) Could not SSH into the instance. It is possible that your SSH key has not propagated to the instance yet. Try running this command again. If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.
This will also be triggered/executed in multiple environments, hence we use Cloud Build for reusability.
Upvotes: 1
Views: 2407
Reputation: 134
Already working! I stumbled upon this blog -- https://hodo.dev/posts/post-14-cloud-build-iap/
I made changes to my script; I needed to specify the user in the SCP/SSH commands:
# Setup Cloud SQL
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
  id: 'Setup Cloud SQL Tables'
  entrypoint: 'bash'
  args:
  - -c
  - |
    echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
    gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME:~ &&
    echo "SSH to $_SQL_JUMP_BOX_NAME" &&
    gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"
The changes needed relate to the destination VM:
Before: gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME"
After: gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME
Upvotes: 2
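The fix above, as an added example that is not part of the original posts: a small helper for the build step that resolves the USER@INSTANCE target and fails early when the login would be root. It assumes the build container runs as root and that the VM's sshd refuses root logins, which would produce the "Permission denied (publickey)" error shown in the question; the function names `iap_target` and `run_setup` are hypothetical.

```shell
#!/bin/sh
# Added example: validate the SSH target before calling gcloud from Cloud Build.
set -eu

# Print USER@INSTANCE for gcloud compute ssh/scp.
# $1 = instance name, $2 = login user (optional). Without $2 this uses the
# local user name, the same fallback gcloud applies when no USER@ is given.
iap_target() {
  local LC_ALL=C                       # byte-wise ranges in the patterns below
  local instance="$1" user="${2:-$(id -un)}"
  # Assumption: the VM rejects root over SSH, so stop with a clear message
  # rather than letting the build fail later with a publickey error.
  if [ "$user" = "root" ]; then
    echo "refusing to connect as root; pass an unprivileged user" >&2
    return 1
  fi
  # Allow only plain user names; this also rejects shell metacharacters.
  case "$user" in
    ''|*[!a-z0-9_-]*|[!a-z_]*) echo "bad user: $user" >&2; return 1 ;;
  esac
  # Instance names: lowercase letters, digits, hyphens; no trailing hyphen.
  case "$instance" in
    ''|*[!a-z0-9-]*|[!a-z]*|*-) echo "bad instance: $instance" >&2; return 1 ;;
  esac
  printf '%s@%s\n' "$user" "$instance"
}

# Upload and run the setup script through IAP.
# $1 = instance, $2 = zone, $3 = project, $4 = login user (optional).
run_setup() {
  local target
  target="$(iap_target "$1" "${4:-}")" || return 1
  gcloud compute scp cloud-sql/setup-sql.sh "$target:~" \
    --tunnel-through-iap --zone "$2" --project "$3"
  gcloud compute ssh "$target" \
    --tunnel-through-iap --zone "$2" --project "$3" \
    --command='chmod +x setup-sql.sh && ./setup-sql.sh'
}
```

In the build step this would be called as `run_setup "$_SQL_JUMP_BOX_NAME" "$_ZONE" "$_TARGET_PROJECT_ID" cloudbuild`, passing the project to both commands and quoting every substitution.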