How to SSH/SCP from Cloud Build thru IAP Tunnel?

Question

I need to execute commands on my Compute Engine VM. We need an initial setup for the SQL and the plan is to use cloud build (will only be triggered once) for this; IAP is implemented and Firewall rule is already in place. (Allow TCP 22 from 35.235.240.0/20)

This is my build step:

# Setup Cloud SQL
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    id: 'Setup Cloud SQL Tables'
    entrypoint: 'bash'
    args: 
      - -c
      - |
        echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
        gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME:~" &&
        echo "SSH to $_SQL_JUMP_BOX_NAME" &&
        gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME" --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"

I am receiving this error:

root@compute.3726515935009049919: Permission denied (publickey).
WARNING: 

To increase the performance of the tunnel, consider installing NumPy. For instructions,
please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth

root@compute.3726515935009049919: Permission denied (publickey).
ERROR: (gcloud.compute.scp) Could not SSH into the instance.  It is possible that your SSH key has not propagated to the instance yet. Try running this command again.  If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.

This will also be triggered/executed to multiple environments, hence we use cloud build for reusability.

Study this builder (run-builder.sh) for details on setting up a temporary SSH key: https://github.com/GoogleCloudPlatform/cloud-builders-community/tree/master/remote-builder — John Hanley, Jul 04 '22 at 17:58
I deleted my post on the stackexchange; since users are more active here. I'll read about the builder you linked above. Thanks a lot. — cypher15, Jul 04 '22 at 18:21

score 2 · Accepted Answer · answered Jul 04 '22 at 19:11

Already working! I stumbled upon this blog -- https://hodo.dev/posts/post-14-cloud-build-iap/

Made changes on my script, need to specify user on SCP/SSH command:

Working Script/Step:

# Setup Cloud SQL
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    id: 'Setup Cloud SQL Tables'
    entrypoint: 'bash'
    args: 
      - -c
      - |
        echo "Upload File to $_SQL_JUMP_BOX_NAME" &&
        gcloud compute scp --recurse cloud-sql/setup-sql.sh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME:~ &&
        echo "SSH to $_SQL_JUMP_BOX_NAME" &&
        gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME --project "$_TARGET_PROJECT_ID" --command="chmod +x setup-sql.sh && ./setup-sql.sh"

Need changes related to the destination VM

Before: gcloud compute ssh --tunnel-through-iap --zone $_ZONE "$_SQL_JUMP_BOX_NAME"

After: gcloud compute ssh --tunnel-through-iap --zone $_ZONE cloudbuild@$_SQL_JUMP_BOX_NAME

How to SSH/SCP from Cloud Build thru IAP Tunnel?

1 Answers1

Working Script/Step:

Linked