
I understand that App Engine instances are intended to be of limited configurability, but it is possible to access them via SSH when they're in debug mode. In this scenario, we connect to them with:

```
gcloud app instances ssh --project=$PROJECT --service $SERVICE --version $VERSION $INSTANCE_ID
```

We'd like to add Cloud IAP into the mix. Everything I've read indicates that should be completely transparent to the endpoint of the traffic. IAP doesn't terminate the SSH connection, it just decides if that traffic will be passed through to the destination or dropped. So our inability to alter the internal SSH configuration of the instance shouldn't be an issue. If it works now, it should work when tunneled through IAP.

But all the instructions I've found have only talked about setting this up for compute instances, and connecting with:

```
gcloud compute ssh --tunnel-through-iap $INSTANCE_ID
```

`gcloud app instances ssh` doesn't support the `--tunnel-through-iap` parameter. App Engine apps don't appear as resources in the "SSH AND TCP RESOURCES" section of the Identity-Aware Proxy admin page, only under "HTTPS RESOURCES".

Is this really not possible? And if so, why not?? If IAP is as transparent to the network traffic as it's supposed to be, it shouldn't require any special support at the App Engine end.

Mike Hartman
  • Are you aware that the command works only for App Engine flex? If so, you have to know that App Engine flex was released many years before IAP, and I guess it's not compliant. – guillaume blaquiere Sep 12 '21 at 19:10
  • I submitted a [feature request](https://issuetracker.google.com/199698964) for you. Other customers are asking for this feature request as well. There's no guarantee on the ETA of the feature, but you can monitor the progress on that link. Please click +1 to indicate that you are affected. – Mabel A. Sep 13 '21 at 09:05

0 Answers