I configured Google Cloud Identity-Aware Proxy for the application. So far I can ssh to it with no problem, as long as I am not using the corporate proxy. I tried over the proxy (with the IAP endpoint in the corporate proxy's 'allow' list), but it failed with an SSL certificate error.
Errors:
...
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 853, in _create
self.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1117, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
INFO: Error during WebSocket processing:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
INFO: Client closed connection from [stdin].
DEBUG: (gcloud.compute.start-iap-tunnel) Error while connecting [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)].
Traceback (most recent call last):
File "/usr/local/Caskroom/google-cloud-sdk/latest
...
Has anyone succeeded in configuring a corporate proxy for IAP? If yes, what configuration do you think is needed to get it working?
Thanks so much in advance!!
Answering my own question:
Yes, a proxy can be configured to access IAP endpoint nodes.
Steps:
1. Ask your friendly proxy admins to add the following to the allow list:
   wss://tunnel.cloudproxy.app
2. Configure your current GCLOUD_SDK environment:
   $ gcloud config set proxy/type http
   Updated property [proxy/type].
3. Make sure you have the correct SSL certs installed on your workstation. You can configure GCLOUD_SDK to use your certs using the following command:
   $ gcloud config set custom_ca_certs_file /Users/user01/gce/certs/corpcerts.pem
4. Next you can go ahead and issue the 'gcloud ssh' command with --tunnel-through-iap to connect to your node.
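As an added example (my own illustration, not part of the original answer or of the gcloud SDK), the script below reproduces the chain-building failure from the traceback offline with throwaway certificates it generates itself, and shows what the file given to custom_ca_certs_file has to contain. It assumes openssl is on the PATH and that gcloud uses that file in place of its bundled roots, which is why it builds a combined bundle.

```shell
#!/bin/sh
# Added example, not part of the original answer: reproduce the
# "unable to get local issuer certificate" failure offline with a
# throwaway CA, then show that a bundle containing the issuing CA
# (what custom_ca_certs_file must point at) makes verification pass.
# Needs openssl; every certificate here is constructed test data.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_ca <file> <name>: self-signed CA certificate, private key in <file>.key
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

make_test_pki() {
  new_ca "$WORK/corpcerts.pem" "Example Corp Proxy CA" # the intercepting proxy's CA
  new_ca "$WORK/public.pem" "Stand-in Public Root"     # stands in for the system roots
  # Leaf for the IAP endpoint name, issued by the corporate CA, as an
  # intercepting proxy would present it to gcloud.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tunnel.cloudproxy.app" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/corpcerts.pem" \
    -CAkey "$WORK/corpcerts.pem.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Assumption: gcloud uses custom_ca_certs_file instead of its bundled roots,
  # so the file must carry the public roots as well as the corporate CA.
  cat "$WORK/public.pem" "$WORK/corpcerts.pem" > "$WORK/bundle.pem"
}

# verify_leaf <ca-file>: 0 if leaf.pem chains to a CA in <ca-file>, else 1.
# Same chain-building check that Python's ssl module failed in the traceback.
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_test_pki
for bundle in public.pem corpcerts.pem bundle.pem; do
  if verify_leaf "$WORK/$bundle"; then
    echo "$bundle: OK"
  else
    echo "$bundle: $(openssl verify -CAfile "$WORK/$bundle" "$WORK/leaf.pem" 2>&1 | grep 'depth lookup')"
  fi
done
echo "then: gcloud config set custom_ca_certs_file $WORK/bundle.pem"
```

Only the bundles that contain the corporate CA verify the leaf; the public-roots-only bundle fails with the same error text the gcloud tunnel reported.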