How to SSH/SCP from Cloud Build thru IAP Tunnel?
I need to execute commands on my Compute Engine VM. We need an initial setup for the SQL and the plan is to use cloud build (will only be triggered once) for this; IAP is implemented and Firewall rule is already in place. (Allow TCP 22 from 35.235.240.0/20)
This is my build step:
# Setup Cloud SQL
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
id: 'Setup Cloud SQL Tables'
entrypoint: 'bash'
args:
- -c
- |
echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME:~" &&
echo "SSH to $_SQL_JUMP_BOX_NAME" &&
gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME" --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"
I am receiving this error:
root@compute.3726515935009049919: Permission denied (publickey).
WARNING:
To increase the performance of the tunnel, consider installing NumPy. For instructions,
please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth
root@compute.3726515935009049919: Permission denied (publickey).
ERROR: (gcloud.compute.scp) Could not SSH into the instance. It is possible that your SSH key has not propagated to the instance yet. Try running this command again. If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.
This will also be triggered/executed to multiple environments, hence we use cloud build for reusability.
Solution
Already working! I stumbled upon this blog -- https://hodo.dev/posts/post-14-cloud-build-iap/
Made changes on my script, need to specify user on SCP/SSH command:
Working Script/Step:
# Setup Cloud SQL
- name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
id: 'Setup Cloud SQL Tables'
entrypoint: 'bash'
args:
- -c
- |
echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME:~ &&
echo "SSH to $_SQL_JUMP_BOX_NAME" &&
gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"
Need changes related to the destination VM
Before: gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME"
After: gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME
- How to set a custom uid inside firebase authentication
- Where is the "user created" event on Firebase Functions V2?
- Why does Google Cloud Storage freeze when I try to upload a large folder (2.5GB of images)?
- How to get a GCP identity-token programmatically with python
- How to route dead letter messages back to the original topic?
- Unable to delete collection from the firestore console
- Is there an API to list all google compute regions
- Error "address already in use" when trying to connect to google cloud SQL using cloud-sql-connector
- In Google Cloud console, safe to grant Firebase Admin SDK role to default compute service account?
- Docker connection issues on Compute Engine
- Generate CSR using the private key store on Google HSM
- download file from google cloud compute instance
- Does Cloud Run supports HTTP streaming?
- Create a dashboard graph with data points in logs
- Getting "Configuration is not authorized" error while deploying GCP Vertex AI Agent on App Engine
- Firebase: maintain user lookup table in GCP
- How to properly assign publisher and subscriber roles to a dead-letter topic using terraform
- Stuck on complying with domain verification requirements
- BigQuery Arrays - check if Array contains specific values
- Which GPU should I use on Google Cloud Platform (GCP)
- Unable to upload file to gdrive using gdrive api with service account
- Persistent Disk SSD (GB) quota related to ZONE_RESOURCE_POOL_EXHAUSTED?
- The location for this project is already set to another value In firebase Storage console
- Error 400: invalid_request for iOS google Sign in
- Handling a Cloud Run container shutdown
- Stripe Error: No signatures found matching the expected signature for payload
- What are the implications of using the select() query on a large Firestore doc versus splitting the data between multiple docs?
- VueJS + Firebase How do I display an image?
- BigQuery Policy Tags: possible as infra as code?
- Sending test events using curl to gcp subscription got 502 error