Best way to connect to GCE by ssh from a bastion

407 views

mldmld1968

Sep 26, 2018, 3:38:05 PM
to gce-dis...@googlegroups.com
Hi all,

I would like to know what is the best way to connect by SSH to many GCE instances from a bastion.
A bastion is a GCE instance which logs the screen of every SSH session to another GCE instance.

The standard way is to copy a public SSH key to all remote GCE instances and keep the private key on the bastion.
But is it possible to automate this using the GCP API? Or use metadata or IAM to inject the public key dynamically?

Thank you
Best regards


Justin Reiners

Sep 26, 2018, 3:47:21 PM
to mldml...@gmail.com, gce-discussion
You might be able to take your bastion's user SSH key or generate another, and add it to authorized keys in Google Cloud? Maybe add it to the ssh-keys of the instances it needs to connect to using the gcloud API?

project wide add example:
gcloud compute project-info add-metadata --metadata-from-file ssh-keys=[LIST_PATH]

if you need to add it to all of your instances using something like:

gcloud compute instances list --format='value(name,zone)' | while read -r name zone; do
  gcloud compute instances add-metadata "$name" --zone "$zone" --metadata-from-file ssh-keys=/path/to/ssh-keys-file; done

or add a key project wide:
more info can be found here > or hit me up, this sounds doable. https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-dis...@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussio...@googlegroups.com.
To post to this group, send email to gce-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/CAGevLsNrkgfsKvE4CxSW1ha0u1E327DkUD4BGhq0hHNWw0z3SQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

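The ssh-keys metadata Justin points at is a single newline-separated value of USERNAME:PUBLIC-KEY entries, and `add-metadata --metadata-from-file ssh-keys=...` replaces that whole value. The script below is an added example, not code from this thread or from Google: it validates that what you are about to publish is a `user:pubkey` entry (and not a private key file), merges it into the current project-wide value without dropping existing entries, and only then writes it back. The `bastion` user name, the key material in the test data, the `RUN_GCLOUD`/`BASTION_KEY` variables and the use of `jq` to read the describe output are all my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): merge a bastion's public key into the
# project-wide ssh-keys metadata without clobbering the entries already there.
# add-metadata replaces the whole ssh-keys value, so the file handed to it must
# contain every key you want to keep, not only the new one.
set -euo pipefail

# One metadata entry is "USERNAME:KEYTYPE BASE64 [COMMENT]". Reject anything
# else, in particular a private key file passed by mistake. Assumes lowercase
# POSIX user names, which is what the guest agent creates on the instance.
validate_entry() {
  local entry="$1"
  case "$entry" in
    *"PRIVATE KEY"*) return 1 ;;
  esac
  printf '%s\n' "$entry" | grep -Eq \
    '^[a-z_][a-z0-9_-]*:(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .+)?$'
}

# Read the current ssh-keys value on stdin, append NEW_ENTRY, drop blank lines
# and duplicates of the same (user, key material) pair so re-running is
# idempotent. Fields split on ':' and ' ': $1 = user, $3 = base64 key blob.
merge_ssh_keys() {
  local new_entry="$1"
  { cat; printf '%s\n' "$new_entry"; } \
    | awk -F'[: ]' 'NF >= 3 && !seen[$1 ":" $3]++'
}

# Current project-wide value, empty if unset. Needs gcloud and jq (assumption).
fetch_project_ssh_keys() {
  gcloud compute project-info describe --format=json \
    | jq -r '(.commonInstanceMetadata.items // [])[] | select(.key == "ssh-keys") | .value'
}

# Write the merged list (stdin) back as the new project-wide ssh-keys value.
push_project_ssh_keys() {
  local tmp
  tmp=$(mktemp)
  cat > "$tmp"
  gcloud compute project-info add-metadata --metadata-from-file ssh-keys="$tmp"
  rm -f "$tmp"
}

# Only talks to the API when explicitly asked, e.g.:
#   BASTION_KEY='bastion:ssh-ed25519 AAAA... root@bastion' RUN_GCLOUD=1 ./add-bastion-key.sh
if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  key="${BASTION_KEY:?set BASTION_KEY to a USER:PUBKEY entry}"
  validate_entry "$key" || { echo "BASTION_KEY is not a USER:PUBKEY entry" >&2; exit 1; }
  fetch_project_ssh_keys | merge_ssh_keys "$key" | push_project_ssh_keys
fi
```

Two caveats when using this: an instance whose own metadata sets `block-project-ssh-keys=TRUE` ignores the project-wide list, so for those you run the same merge against `gcloud compute instances describe`/`add-metadata` per instance; and the user part of the entry is the Linux account the guest agent creates on the target, so the bastion must SSH as that name.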
Jason

Sep 26, 2018, 8:59:31 PM
to gce-discussion
You can follow the instructions provided from our public documentation that gives step by step directions on how you can connect to GCE instances from a bastion [1]. Following this method, you do not have to copy the public SSH keys to all remote GCE instances.

mldmld1968

Sep 27, 2018, 1:50:46 PM
to gce-dis...@googlegroups.com
Hi,
Thank you for all the suggestions..

Justin,
I tried to set up a public SSH key at the project level, but I'm unable to make it work; I can't SSH to a GCE instance from another one with the private key.
The key is visible in the console, but I can't see how the target server takes the key into account.
returns a 404.


Jason,
it's very interesting, but it does not work as I expect.

I have
- a host project sharing VPCs. These VPCs all use a Palo Alto Firewall GCP appliance as default GW. This FW filters traffic between GCP and our on-premise datacenter
- the VM Bastion is connected to one of the shared VPCs, called the Management VPC
- a target VM: instance-1 is connected to another shared VPC, called the Development VPC
- there are other shared VPCs like the Production VPC, still using the Palo Alto FW GCP appliance as default GW
- the VPCs are not peered

1. The command to enter from the bastion is: gcloud beta compute ssh instance-1 --internal-ip
But it answers: The resource 'projects/pocbastion-xxxxx/zones/europe-west1-b/instances/instance-1' was not found
==> We have a GCP project for each application in GCP and there is only one bastion. So the gcloud beta compute ssh command should allow specifying the GCP project of the target server

2. Our VPCs are not peered for network isolation, so this way is not applicable in our case.

Thanks
MLD


Larbi (Google Cloud Support)

Sep 27, 2018, 6:59:45 PM
to gce-dis...@googlegroups.com
Hi,

If the Guest environment is installed and all the Google daemons are running, from inside any instance you can SSH to other instances if they are in the same zone just by using the gcloud command:

gcloud beta compute ssh [instance name] --zone [zone]

The guest environment is responsible for authenticating you and copying your SSH key. Just specify the instance name and the zone.
