gsutil from instances without public IP

Vinay Y S

unread,

Jul 19, 2014, 11:01:21 AM7/19/14

to gce-dis...@googlegroups.com

Using gsutil I'm able to list buckets from an instance with public ip address but not from an instance with only private ip. Is gsutil not supposed to work from instances without public ip or am I doing something wrong?

Thanks,

Vinay

Evan Anderson

unread,

Jul 19, 2014, 1:51:50 PM7/19/14

to Vinay Y S, gce-dis...@googlegroups.com

At the moment, you need outbound internet access to interact with other Google services from a GCE instance. There are several ways to achieve outbound internet connectivity from an instance:

1) Use an instance with a public IP address. You can configure the instance to reject all incoming traffic by ensuring that there are no firewall rules that allow traffic to that instance.

2) Use another instance as an explicit proxy. You can either use a SOCKS5 or an HTTP proxy; in either case, you'll need to make explicit configuration changes to the machine with the private IP address, as well as installing software on the proxy machine. Here is an example for setting up an HTTP proxy:

https://developers.google.com/compute/docs/networking#proxyvm

3) Use another instance as a transparent proxy (via NAT or VPN to your corporate network, for example). The benefit of using a transparent proxy is that you don't need to make any configuration changes to the machine with the private IP address. The disadvantage is that it can sometimes be harder to troubleshoot problems if they occur. Here is documentation for setting up a transparent proxy:

https://developers.google.com/compute/docs/networking#natgateway

--
© 2014 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043

Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-dis...@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussio...@googlegroups.com.
To post to this group, send email to gce-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/170b2215-d189-4bd6-b133-627c9df81272%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Evan Anderson <arg...@google.com>

Vinay Y S

unread,

Jul 21, 2014, 10:30:25 AM7/21/14

to Evan Anderson, gce-dis...@googlegroups.com

On Sat, Jul 19, 2014 at 11:21 PM, Evan Anderson <arg...@google.com> wrote:

2) Use another instance as an explicit proxy. You can either use a SOCKS5 or an HTTP proxy; in either case, you'll need to make explicit configuration changes to the machine with the private IP address, as well as installing software on the proxy machine. Here is an example for setting up an HTTP proxy:

On a newly launched vanilla debian 7 image, I've exported http_proxy env variable pointing to a internet proxy in my network.

The instance has been launched with devstorage.read_only scope and a service account. Now, when I run gsutil on this box, it says to run gcloud auth login. Shouldn't it simply discover the configured service account credentials automatically from metadata server?