
Condition to limit roles/iap.tunnelResourceAccessor to a particular endpoint

I want to limit an account to accessing a limited set of TCP ports inside my project over IAP. `roles/iap.tunnelResourceAccessor` with a condition seems to be a way to do this. What I can't figure out is what the condition should look like.

When I have this in `gcloud projects get-iam-policy PROJ`:

- members:
  - user:myid@gmail.com
  role: roles/iap.tunnelResourceAccessor

Then I can connect successfully, as tested by
gcloud compute start-iap-tunnel "intended-vm" 22 --verbosity=debug --project=PROJ --zone=us-central1-a

Sadly the user can also connect to every other ip/port in the project which I do not want to be possible.

So I start guessing at conditions as I couldn't find any documentation about the specific resource/permission conditions. I try adding this:

- condition:
    expression: resource.name == "projects/PROJ/zones/us-central1-a/instances/intended-vm:22"
    title: Ssh only
  members:
  - user:myid@gmail.com
  role: roles/iap.tunnelResourceAccessor

The condition prevents any access attempt, so I didn't guess right.

DEBUG: Running [gcloud.compute.start-iap-tunnel] with arguments: [--project: "PROJ", --verbosity: "debug", --zone: "us-central1-a", INSTANCE_NAME: "intended-vm", INSTANCE_PORT: "22"]
Picking local unused port [47662].

Testing if tunnel connection works.
DEBUG: [-1] user-agent [gcloud/491.0.0 command/gcloud.compute.start-iap-tunnel invocation-id/7505cace07cf4ddd8e48da5412912c69 environment/None environment-version/None client-os/OPENBSD client-os-ver/7.6 client-pltf-arch/x86_64 interactive/True from-script/False python/3.11.9 term/dumb (OpenBSD 7.6)]
DEBUG: credentials type for _GetAccessTokenCallback is [<googlecloudsdk.core.credentials.google_auth_credentials.Credentials object at 0x846dfcabc10>].
DEBUG: [-1] Using new websocket library
INFO: [-1] Connecting with URL ['wss://tunnel.cloudproxy.app/v4/connect?project=PROJ&port=22&newWebsocket=True&zone=us-central1-a&instance=intended-vm&interface=nic0']
INFO: [-1] Received WebSocket Close message [4033: 'not authorized'].
DEBUG: Starting new HTTPS connection (1): compute.googleapis.com:443
DEBUG: https://compute.googleapis.com:443 "GET /compute/v1/projects/PROJ/zones/us-central1-a/instances/intended-vm?alt=json HTTP/1.1" 200 None
DEBUG: (gcloud.compute.start-iap-tunnel) While checking if a connection can be made: Error while connecting [4033: 'not authorized'].

To add a bit more, I did try not specifying the port number; it fails the same way when I use

resource.name == "projects/PROJ/zones/us-central1-a/instances/intended-vm"

Hence my questions:
* What's the right condition to limit the user to a single IP endpoint?
* Where can I find comprehensive documentation about this?
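The risk described in the question (an unconditional `roles/iap.tunnelResourceAccessor` binding lets the member tunnel to every instance and port in the project) can be audited from the exported policy. The following is an added example, not code from the original post or from Google: it parses a policy shaped like the output of `gcloud projects get-iam-policy PROJ --format=json` (the sample policy is constructed to mirror the two bindings shown above), reports each IAP tunnel grant with its scope, and flags the grants that carry no condition at all. It also checks the policy `version`, since conditional bindings require IAM policy version 3.

```python
import json

# Role that grants IAP TCP forwarding. A binding of this role with no
# condition allows the member to open a tunnel to ANY instance/port.
IAP_TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"

# Constructed sample policy (not a real export), shaped like
# `gcloud projects get-iam-policy PROJ --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:myid@gmail.com"],
         "role": IAP_TUNNEL_ROLE},
        {"condition": {
            "expression": 'resource.name == "projects/PROJ/zones/us-central1-a/instances/intended-vm:22"',
            "title": "Ssh only"},
         "members": ["user:other@example.com"],
         "role": IAP_TUNNEL_ROLE},
        {"members": ["user:viewer@example.com"], "role": "roles/viewer"},
    ],
    "etag": "BwX-constructed-etag",
    "version": 3,
}


def audit_iap_tunnel_grants(policy):
    """Return (member, scope, unconditional) for every IAP tunnel grant.

    scope is the condition expression an admin should review, or the
    literal "ANY instance/port" when the binding has no condition.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_TUNNEL_ROLE:
            continue
        condition = binding.get("condition")
        scope = condition["expression"] if condition else "ANY instance/port"
        for member in binding.get("members", []):
            findings.append((member, scope, condition is None))
    return findings


def unconditional_members(policy):
    """Members who can tunnel anywhere in the project: the finding to fix first."""
    return sorted({m for m, _, unconditional in audit_iap_tunnel_grants(policy) if unconditional})


def policy_version_ok(policy):
    """Conditions are only honoured when the policy is version 3 or higher."""
    has_condition = any("condition" in b for b in policy.get("bindings", []))
    return (not has_condition) or policy.get("version", 1) >= 3


if __name__ == "__main__":
    for member, scope, unconditional in audit_iap_tunnel_grants(SAMPLE_POLICY):
        flag = "UNRESTRICTED" if unconditional else "conditional"
        print(f"{flag:12} {member:28} -> {scope}")
    print("policy version ok:", policy_version_ok(SAMPLE_POLICY))
```

Replace `SAMPLE_POLICY` with `json.load(open("policy.json"))` after exporting the real policy to audit a project.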
