Created
March 4, 2020 19:45
-
-
Save alsunseri/441fc86b19108f430bd55bf5c9e8002e to your computer and use it in GitHub Desktop.
SSH from GCP Cloud Shell to GCP vm instance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| How to ssh from google cloudshell to google GCP VM instances | |
| - even instances with blocked ssh and instances with no public IP address | |
| Why is this different than using ssh from any other terminal? | |
| A. The IP address of the cloudshell is not known in advance and the ranges are not published. | |
| B. Changes to the /root/.ssh folder will be lost when the instance stops. | |
| C. There is no way to add a tag to the cloudshell | |
| D. The cloudshell has no Service Account but uses the identity of the person logging into the GCP web cloud console. | |
| E. Tm GCP VM might not even have a public IP address and might be in a different subnet. | |
| These 2 steps seems to work great to allow SSH access FROM the cloudshell TO your GCP VMs: | |
| 1. Allow ssh from this source range: 35.235.240.0/20 in a VPC firewall rule and attach that rule to the VM instance . | |
| ( this seems to be the netblock range for GCP cloudshell vms ) | |
| 2 run this command in the cloudshell as whatever user ( including root ) | |
| root@cloudshell:~ (some-project)$ gcloud compute ssh scanner --tunnel-through-iap | |
| ( this will use the identity-aware-proxy ) | |
| I took this partially from here: | |
| https://stackoverflow.com/questions/57024031/gcp-open-firewall-only-to-cloud-shell | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment