@x-yuri
Last active March 29, 2024 14:35
GCE: metadata-managed access permissions

GCE: metadata-managed access permissions

main.tf:

# PROJECT_ID is a placeholder for the project everything below is created in.
provider "google" {
  project = "PROJECT_ID"
}

# Resolves the provider's project so the project-level IAM binding below can
# reference its project_id instead of repeating the placeholder.
data "google_project" "project" {}

# The VM that is reached over SSH. It runs as the test-ce-instance service
# account; SSH access is controlled through instance metadata rather than
# project-wide ssh keys.
resource "google_compute_instance" "test-ce" {
  name         = "test-ce"
  machine_type = "e2-micro"
  zone         = "europe-central2-a"

  boot_disk {
    initialize_params {
      image = "debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.test-ce.self_link

    # An empty access_config gives the VM an ephemeral external IP. The direct
    # `gcloud compute ssh` path below relies on it; the IAP-tunnel path should
    # work without an external IP.
    access_config {
    }
  }

  # The cloud-platform scope is broad, but nothing in this file grants the
  # test-ce-instance service account any IAM role, so what the VM itself can
  # call is bounded by IAM, not by this scope.
  service_account {
    email  = google_service_account.test-ce-instance.email
    scopes = ["cloud-platform"]
  }

  metadata = {
    # Ignore project-level ssh keys; only keys set on this instance are honoured.
    block-project-ssh-keys = true
  }
}

# Dedicated VPC for the test VM. Subnets are created explicitly (below) so the
# network does not get a default subnet in every region.
resource "google_compute_network" "test-ce" {
  name                    = "test-ce"
  auto_create_subnetworks = false
}

# Single subnet in the instance's region; the VM's network_interface attaches here.
resource "google_compute_subnetwork" "test-ce" {
  name          = "test-ce"
  network       = google_compute_network.test-ce.self_link
  region        = "europe-central2"
  ip_cidr_range = "10.0.0.0/20"
}

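# Allow SSH only from SOURCE_IP, and only to VMs running as the instance
# service account (target_service_accounts) instead of every VM in the network.
# Swap source_ranges for the IAP range when using --tunnel-through-iap.
resource "google_compute_firewall" "test-ce-ssh" {
  name    = "test-ce-ssh"
  network = google_compute_network.test-ce.self_link

  source_ranges = ["SOURCE_IP"]
  # source_ranges = ["35.235.240.0/20"]  # IAP

  # Scope the rule to the test-ce VM rather than the whole network.
  target_service_accounts = [google_service_account.test-ce-instance.email]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}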

# Lets EMAIL mint tokens for the test-ce service account. This is what
# `--impersonate-service-account test-ce@...` in the gcloud commands below
# relies on; the grant is on that one service account, not project-wide.
resource "google_service_account_iam_member" "test-ce-token-creator" {
  service_account_id = google_service_account.test-ce.id
  member             = "user:EMAIL"
  role               = "roles/iam.serviceAccountTokenCreator"
}

# Identity the VM runs as. No IAM roles are granted to it in this file.
resource "google_service_account" "test-ce-instance" {
  account_id = "test-ce-instance"
}

# Identity that EMAIL impersonates to administer the VM; its roles are
# granted below.
resource "google_service_account" "test-ce" {
  account_id = "test-ce"
}

# Project-wide instance admin for the impersonated service account. This
# covers every VM in the project, not just test-ce; gcloud compute ssh also
# reads project metadata, so a per-instance binding alone may not be enough —
# confirm before narrowing this.
resource "google_project_iam_member" "test-ce-instance-admin" {
  project = data.google_project.project.project_id
  member  = "serviceAccount:${google_service_account.test-ce.email}"
  role    = "roles/compute.instanceAdmin.v1"
}

# Acting on a VM that runs as test-ce-instance (e.g. changing its metadata)
# requires actAs on that service account. Granted on the one account only.
resource "google_service_account_iam_member" "test-ce-service-account-user" {
  service_account_id = google_service_account.test-ce-instance.id
  member             = "serviceAccount:${google_service_account.test-ce.email}"
  role               = "roles/iam.serviceAccountUser"
}

# IAP
# resource "google_project_iam_member" "test-ce-resource-accessor" {
#   project = data.google_project.project.project_id
#   role = "roles/iap.tunnelResourceAccessor"
#   member = "serviceAccount:${google_service_account.test-ce.email}"
# }
// replace PROJECT_ID, SOURCE_IP, EMAIL
# Run gcloud and terraform from a throwaway container (pinned SDK image).
# With --rm the credentials written by `--update-adc` live only inside the
# container and should not outlive the session; terraform state is written to
# /app, i.e. the mounted $PWD, and does persist on the host.
$ docker run --rm -itv "$PWD:/app" -w /app google/cloud-sdk:457.0.0-alpine
/app # gcloud auth login --update-adc
# Installs whatever terraform version the Alpine repository currently ships (unpinned).
/app # apk add terraform
/app # terraform init
/app # terraform apply

# Direct path: SSH from SOURCE_IP to the VM's external IP while acting as the
# test-ce service account (relies on the token-creator grant in main.tf).
/app # gcloud compute ssh me@test-ce --command 'sudo echo test' \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID
# IAP path: same command tunnelled through IAP; needs the commented-out IAP
# source range and the roles/iap.tunnelResourceAccessor binding in main.tf.
/app # gcloud compute ssh me@test-ce --command 'sudo echo test' \
  --tunnel-through-iap \
  --impersonate-service-account test-ce@PROJECT_ID.iam.gserviceaccount.com \
  --zone europe-central2-a --project PROJECT_ID

Assign OS Login IAM roles
Grant roles for IAP TCP forwarding
Service Account Token Creator role
