Update firewall rules from inside instance


Anders Brown

Nov 28, 2016, 1:56:00 AM
to gce-discussion
Is there a way for an instance to update a firewall rule without granting it all rights of a project maintainer? 

I'm looking for a way for mobile users to selectively open a port on the firewall only as needed. Authentication credentials would be stored on the instance in encrypted form, to which the remote user would provide a key that's not stored anywhere on the instance.

While this could be done (and has been done) with iptables, I'd much prefer to have this layer of protection at the Google firewall level.

Carlos (Cloud Platform Support)

Nov 28, 2016, 5:04:08 PM
to gce-discussion
Hi Anders,

I do not fully understand your use case, but the IAM roles associated with project accounts can certainly be limited. In particular, the security admin role will let an account manage firewall rules and certificates. As an example, you could define a service account with limited scopes and authenticate gcloud with it. Bear in mind that once authenticated, gcloud could be used to delete, create and modify firewall rules, but also SSL certificates. You can certainly run gcloud inside a script to dynamically administer resources in your project.

Anders Brown

Nov 29, 2016, 2:29:48 AM
to gce-discussion
Thanks for your reply, Carlos.

The use case is to allow mobile team members to have a script or app on their laptops that would authenticate to some service on the instance, which will open a firewall port for their current IP exclusively, so a VPN can be established.

Previously I did this with iptables, but the advantage of the GCE firewall is it can be maintained from the Cloud Console, so there's less risk of locking oneself out.
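As an added example (not code from the thread or from Google), here is a POSIX shell sketch of the instance-side piece both posts describe: a script that, after the roaming user has authenticated, narrows a pre-created GCE firewall rule to that user's current address with gcloud, the way Carlos suggests. The project name, rule name and key-file path are placeholders, and the script defaults to a dry run that only prints the gcloud command, so it runs without gcloud installed.

```shell
#!/bin/sh
# Added example (not from the thread): open a GCE firewall rule to exactly one
# client address from a script. PROJECT_ID, RULE_NAME and SA_KEY_FILE are
# assumed placeholders; replace them for real use.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"               # assumption
RULE_NAME="${RULE_NAME:-allow-vpn-from-client}"      # assumption: rule already exists
SA_KEY_FILE="${SA_KEY_FILE:-/etc/vpn-gate/sa.json}"  # assumption
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud command instead of running it

# Strict dotted-quad IPv4 check. The address comes from a remote client, so it
# must never reach gcloud unvalidated: no shell metacharacters, no CIDR suffix
# (which would widen the hole), no leading-zero octets, each octet 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the exact gcloud invocation as a string so it can be logged, dry-run and
# tested. Note: --source-ranges on `update` REPLACES the rule's list, so this
# rule admits one client at a time; use one rule per user for several roamers.
update_cmd() {
    is_ipv4 "$1" || { echo "rejected source address: $1" >&2; return 1; }
    printf 'gcloud compute firewall-rules update %s --project=%s --source-ranges=%s/32\n' \
        "$RULE_NAME" "$PROJECT_ID" "$1"
}

open_for_client() {
    cmd=$(update_cmd "$1") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    # Authenticate as a service account bound to roles/compute.securityAdmin or,
    # better, a custom role holding only compute.firewalls.get and
    # compute.firewalls.update, so a compromised instance cannot touch
    # certificates or other resources. On GCE, attaching the service account to
    # the instance avoids keeping a key file on disk at all.
    gcloud auth activate-service-account --key-file="$SA_KEY_FILE" >/dev/null
    gcloud compute firewall-rules update "$RULE_NAME" \
        --project="$PROJECT_ID" --source-ranges="$1/32"
}

# Constructed sample client address (TEST-NET-3); in a real deployment take the
# address from the authenticated connection's peer, not from a client-supplied field.
open_for_client "${1:-203.0.113.7}"
```

Run with `DRY_RUN=0` once the service account is in place. Taking the address from the TCP peer of the authenticated session rather than from a request parameter stops one user from opening the port for someone else's address, and the validation above stops a malformed address from widening the rule or reaching the shell.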