Developing on remote VM via VSCode using Google Cloud’s IAP
Using Google Cloud’s Identity-Aware Proxy allows you to connect to your VM without an external IP through HTTPS and TCP proxy instead of exposing your service to the internet or unprotected internal network. But how we can access VM and edit code remotely using external SSH tools like VSCode?
The ingredients
I assume that you have VSCode already installed, in order to enable the remote developing and editing using SSH, you need to install the remote-SSH extension, a great option if you want to bring your remote environment on your local machine.
I’v created a simple VM without an external IP, this will be our target machine on GCP:
The only solution to establish an SSH connection to our VM without an external IP is by using the --tunnel-through-iap with the gcloud command, click on “View glcoud cmmand” then press “Run in cloud shell”:
gcloud compute ssh --zone "europe-west1-b" "instance-1" --tunnel-through-iap --project "unique-bonbon-225516"
Now, let’s try to establish an SSH connection from your local machine, first of all you will need to install the Google Cloud SDK, verify your installation by entering:
gcloud version
Last thing before moving to the main subject, you have to authenticate:
gcloud auth login
Google SDK will ask you to select the account and allow access:
As we can see, you can access your GCP resources from your local machine, now we have the ingredients but not yet the recipe ;),
The recipe
Let’s try to SSH to our VM, but with adding an additional option and the username:
gcloud beta compute ssh --zone "europe-west1-b" "safwenebenaich@instance-1" --tunnel-through-iap --project "unique-bonbon-225516" --dry-run
This command will not prompt an SSH session, but will display the command running behind the “gcloud compute ssh”, so you need to have something similar to, assuming i’m using a Windows OS:
gcloud beta compute ssh --zone "europe-west1-b" "safwenebenaich@instance-1" --tunnel-through-iap --project "unique-bonbon-225516" --dry-run
C:\Users\...\AppData\Local\Google\Cloud-SDK\google-cloud-sdk\bin\sdk\putty.exe -t -i C:\Users\...\.ssh\google_compute_engine.ppk -proxycmd "C:\\Users\\...\\AppData\\Local\\Google\\Cloud-SDK\\google-cloud-sdk\\bin\\..\\platform\\bundledpython\\python.exe" "-S" "C:\\Users\\...\\AppData\\Local\\Google\\Cloud-SDK\\google-cloud-sdk\\lib\\gcloud.py" beta compute start-iap-tunnel instance-1 %port --listen-on-stdin --project=unique-bonbon-225516 --zone=europe-west1-b --verbosity=warning safwenebenaich@compute.2025341879853780751
The idea behind is to create a new entry on your .ssh/config file based on the output, press Ctrl-P
then selectsconfigure SSH Hosts…
:
Save your config, press Ctrl-P
and select your host.
One last thing, there are some problems you may face while setting up the environment:
- During the SDK installation for windows users, try to avoid spaces while choosing the folder location, “Cloud-SDK” instead of “Cloud SDK”.
- In some cases, you can get port issue, try to replace the %port in the Proxycommand by %p.
- On your SSH config file, the ProxyCommand, you need to provide the full path for your binaries, that’s why in my example, you can see C:/…/python.exe instead of using just python.exe command, this is will not work, more information here.
- If you are changing the username, you have to execute the gcloud compute ssh command on your local machine without the dry-run option in order to generate your SSH key.
- Do not forget to check your gcloud authentication.
Now you have everything you need to do great work, no more excuses !