A nifty script for accessing your IAP-allowed Compute Engine instances with native SSH

gcp-start-iap-tunnel-ssh-proxy-magic

One Off Usage:

A nifty script for accessing your IAP-allowed Compute Engine instances with native SSH (as opposed to gcloud compute ssh), even when they don't have public IPs.

bash <(curl -fgsSL bit.ly/ssh-gcp) INSTANCE_NAME  # TBD
bash <(curl -fgsSL bit.ly/ssh-gcp) INSTANCE_NAME.ZONE  # TBD
bash <(curl -fgsSL bit.ly/ssh-gcp) INSTANCE_NAME.ZONE.PROJECT
bash <(curl -fgsSL bit.ly/ssh-gcp) INSTANCE_NAME.ZONE.c.PROJECT.internal  # TBD

Setup Instructions:

  1. Download and copy the script to ~/.ssh/gcp-start-iap-tunnel-ssh-proxy-magic.sh

  2. Add the following lines to ~/.ssh/config:

# Google Cloud Compute Engine full SSH via using `gcloud compute start-iap-tunnel` as ProxyCommand
# (consider using this alongside `gcloud compute config-ssh`)
Host *.*-*-*.*
  # run the script with bash: it uses bash-only syntax (declare, [[ ]])
  ProxyCommand bash ~/.ssh/gcp-start-iap-tunnel-ssh-proxy-magic.sh gce_instance=%n sshuser=%r sshport=%p
  IdentityFile ~/.ssh/google_compute_engine
  3. Use the gcloud compute config-ssh --project=... command to configure ssh host aliases for Compute Engine instances.

  4. Enjoy SSH (esp. scp, rsync) for any instances allowed for IAP with no extra effort.

Synopsis:

$ scp myhost.us-west1-a.my-gcp-project:remote/path local/path
$ rsync -av myhost.us-west1-a.my-gcp-project:remote/ local/

$ ssh myhost.us-west1-a.my-gcp-project

See also:

#!/usr/bin/env bash
# ~/.ssh/gcp-start-iap-tunnel-ssh-proxy-magic.sh
# a script to be used as SSH ProxyCommand to allow fully functional SSH access to any Google Cloud Compute Engine VMs allowing IAP access
#
# Author: ahkui <[email protected]>
# Created: 2026-03-27
# See also:
# - https://gist.github.com/netj/df4f9de1fefd254ab11979be7035b5d0/#readme
# - https://cloud.google.com/iap/docs/using-tcp-forwarding
#
# Instructions:
#
# 1. Copy this script to `~/.ssh/gcp-start-iap-tunnel-ssh-proxy-magic.sh`
#
# 2. Add the following lines to `~/.ssh/config`:
#
# # Google Cloud Compute Engine full SSH via using `gcloud compute start-iap-tunnel` as ProxyCommand
# # (consider using this alongside `gcloud compute config-ssh`)
# Host *.*-*-*.*
# ProxyCommand bash ~/.ssh/gcp-start-iap-tunnel-ssh-proxy-magic.sh gce_instance=%n sshuser=%r sshport=%p
#
# 3. Use the `gcloud compute config-ssh --project=...` command to configure ssh host aliases for Compute Engine instances.
#
# 4. Enjoy SSH (esp. scp, rsync) for any instances allowed for IAP with no extra effort.
#
#
# Synopsis:
#
# $ scp myhost.us-west1-a.my-gcp-project:remote/path local/path
# $ rsync -av myhost.us-west1-a.my-gcp-project:remote/ local/
#
# $ ssh myhost.us-west1-a.my-gcp-project
#
##
# abort early when the gcloud CLI is not on PATH
type gcloud >/dev/null || exit 127
# turn the key=value arguments (gce_instance=..., sshuser=..., sshport=...) into shell variables
declare -- "$@"
: "${gce_instance:?}" "${sshuser:=}" "${sshport:=22}"
# parse the $instance.$zone.$project host alias format used by `gcloud compute config-ssh`
# TODO support $instance w/o $zone or $project
# TODO support $instance.$zone w/o $project
# TODO support $instance.$zone.c.$project.internal format names
instance_name=${gce_instance%%.*}
project=${gce_instance##*.}
zone=${gce_instance#*.}; zone=${zone%.*}
{
  # on first use for this user and project, run `gcloud compute ssh` once
  [[ -f ~/.ssh/google_compute_engine."ssh-worked.${sshuser}@${project}" ]] || (
    # support registering ssh key for $sshuser (cf. https://console.cloud.google.com/compute/metadata?tab=sshkeys)
    gcloud --verbosity=none compute ssh --quiet --project="${project}" --zone="${zone}" --tunnel-through-iap "${sshuser}"@"${instance_name}" -- -T -o StrictHostKeyChecking=no -o BatchMode=yes -- exit &&
    # leave the marker file only when that ssh run succeeded
    touch ~/.ssh/google_compute_engine."ssh-worked.${sshuser}@${project}"
  )
} </dev/null >&2
# start the IAP tunnel
gcloud --verbosity=none compute start-iap-tunnel --listen-on-stdin --iap-tunnel-disable-connection-check \
  --project="${project}" --zone="${zone}" "${instance_name}" "${sshport}"
#!/usr/bin/env bash
# ssh-gcp -- use gcp-start-iap-tunnel-ssh-proxy-magic without having to mutate ~/.ssh/config or elsewhere
#
# Usage 1: Use this oneliner to access your IAP allowed Compute Engine instances (even when they don't have public IPs) with native SSH (as opposed to `gcloud compute ssh`):
#
# $ bash <(curl -fgsSL https://git.io/ssh-gcp) INSTANCE_NAME[.ZONE[.PROJECT]]
#
#
# Usage 2: Copy and paste the ssh-gcp function definition below into your shell directly and use ssh-gcp command:
#
# $ ssh-gcp() { ...; }
# $ ssh-gcp INSTANCE_NAME[.ZONE[.PROJECT]]
#
##
set -eu
ssh-gcp() { ssh -o ProxyCommand="bash -c 'exec bash <(curl -fgsSL https://gist.github.com/ahkui/f85a732cdd3c4077b9eaef90041a6da2/raw/gcp-start-iap-tunnel-ssh-proxy-magic.sh) gce_instance=%n sshuser=%r sshport=%p'" -o User="$(id -un)" "$@"; }
ssh-gcp "$@"
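
A stricter take on the proxy script's `declare -- "$@"` line and its alias-splitting lines, as an added example that is not the gist author's code: it accepts only the three documented arguments, validates them, and also handles the `INSTANCE.ZONE.c.PROJECT.internal` form listed in the script's TODOs. The helper names `parse_args` and `parse_gce_alias` are hypothetical, and project IDs are assumed to be a single label of lowercase letters, digits and hyphens.

```shell
# Added example, not the gist's code. parse_args and parse_gce_alias are
# hypothetical helper names chosen for this illustration.
LC_ALL=C  # byte-wise character ranges in the patterns below

# Accept only the three documented key=value arguments instead of letting
# `declare -- "$@"` assign whatever variable name an argument carries.
parse_args() {
  gce_instance='' sshuser='' sshport=22
  for kv in "$@"; do
    case $kv in
      gce_instance=*) gce_instance=${kv#*=} ;;
      sshuser=*)      sshuser=${kv#*=} ;;
      sshport=*)      sshport=${kv#*=} ;;
      *) return 2 ;;
    esac
  done
  [ -n "$gce_instance" ] || return 2
  # Port: 1 to 5 digits, within 1..65535.
  case $sshport in ''|*[!0-9]*|??????*) return 2 ;; esac
  [ "$sshport" -ge 1 ] && [ "$sshport" -le 65535 ] || return 2
  # User: may be empty; no leading '-' (would read as an option to gcloud).
  case $sshuser in -*|*[!A-Za-z0-9._-]*) return 2 ;; esac
}

# Split INSTANCE.ZONE.PROJECT or INSTANCE.ZONE.c.PROJECT.internal into
# instance_name, zone and project; reject anything else.
parse_gce_alias() {
  alias_name=$1
  # Lowercase letters, digits, '-' and '.' only; no empty labels.
  case $alias_name in ''|*[!a-z0-9.-]*|.*|*.|*..*) return 1 ;; esac
  instance_name=${alias_name%%.*}
  rest=${alias_name#*.}
  zone=${rest%%.*}
  case $rest in
    *.c.*.internal) project=${rest#*.c.}; project=${project%.internal} ;;
    *.*)            project=${rest#*.} ;;
    *) return 1 ;;  # bare INSTANCE or INSTANCE.ZONE is not handled here
  esac
  # Zone looks like us-west1-a; project is a single label; no leading '-'.
  case $zone in -*) return 1 ;; *-*-*) ;; *) return 1 ;; esac
  case $project in ''|-*|*.*) return 1 ;; esac
  case $instance_name in -*) return 1 ;; esac
}
```

In the proxy script these would replace the `declare` line and the three parameter-expansion lines, with a non-zero return ending the script before any `gcloud` call.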