Metadata-Version: 2.1
Name: google-iap
Version: 1.0.6
Summary: A tool for to manage Identity-Aware Proxy policy google cloud platform
Home-page: https://github.com/smehboub/google_iap
Author: Sophian Mehboub
Author-email: sophienmehboub@gmail.com
License: UNKNOWN
Platform: UNKNOWN
Classifier: Programming Language :: Python
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: Operating System :: POSIX :: Linux
Description-Content-Type: text/markdown
Requires-Dist: docopt
Requires-Dist: pyyaml
Requires-Dist: oauth2client
Requires-Dist: google-auth
Requires-Dist: google-api-python-client

Allow connection to instances on multiple criteria via Identity-Aware Proxy

Installation :   
```
  pip install google-iap   
```

Prerequisites:

  > The service account used must have at least the roles Compute Viewer and IAP Policy Admin     
  > You must authorize the Identity-Aware Proxy network (35.235.240.0/20) on port 22 as input to the desired network at the firewall     


Example of use :    
```
  google-iap iap get --credentials=service-account.json --project=<projectId>     

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone>     

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance>    

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=yaml    

  google-iap iap get --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --format=json    

  google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.json    

  google-iap iap set --credentials=service-account.json --project=<projectId> --policy=POLICY_FILE.yaml   

  google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --policy=POLICY_FILE.yaml    

  google-iap iap set --credentials=service-account.json --project=<projectId> --zone=<zone> --instance=<instance> --policy=POLICY_FILE.yaml    
```


File example POLICY_FILE.yaml :    
```
---
policy:
  bindings:
  - role: roles/iap.tunnelResourceAccessor
    members:
    - user:account@gmail.com
    condition:
      title: adm-ssh
      expression: "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"
```
File example POLICY_FILE.json :    
```
{

  "policy": {

    "bindings": [

      {

        "role": "roles/iap.tunnelResourceAccessor",

        "members": ["user:account@gmail.com"],

        "condition": {

           "title": "adm-ssh",

           "expression": "resource.name.startsWith(\"instance-name\") && resource.type == \"google.cloud.compute.Instance\" && destination.port == 22"

        }

      }

    ]

  }

}
```
You can show CEL expression -> https://cloud.google.com/iam/docs/conditions-overview?hl=ko#example_destination_ipport_expressions_for_cloud_iap_for_tcp_tunneling    

Use :    
  * Ssh tunneling :      
    ```
    gcloud beta compute start-iap-tunnel <instance> 80 --local-host-port=localhost:8888 --network-interface=nic0 --zone=<zone>    
    ```
  * Ssh connection :    
    ```
    gcloud beta compute ssh <instance> --tunnel-through-iap --zone=<zone>    
    ```



