GCP Tunnel through IAP

I am required to tunnel through IAP with service account credentials.

I have overridden my ssh binary, ‘ssh_executable=script.sh’, creating a ‘gcloud compute ssh xxxx --tunnel-through-iap’ wrapper, where I regex ssh arguments into the gcloud command.

For tunneling to work I must
1. Run my playbook with my instance IP in the hosts variable of my playbook
2. Hardcode my compute instance hostname for my ssh wrapper connection.
3. This always makes an initial connection but always fails to run the command. No matter my regex there is always extra “, ‘ or something.
4. Comment out my ‘ssh_executable’ wrapper override in ansible.cfg
5. Run my playbook again which runs successfully.

Running the playbook with the gcp plugin will only list available instances but will never ssh successfully without a previously opened gcloud session.
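A wrapper along the lines described above, written as an added example (not the poster's script): it walks the ssh argv Ansible actually passes instead of regex-matching it, and hands the remote command to gcloud as a single argument so no extra quotes creep in. It assumes the host Ansible passes is the instance name and that IAP_ZONE and IAP_PROJECT are exported in the environment.

```shell
#!/bin/sh
# iap-ssh.sh: stand-in for ssh, wired up via ansible.cfg:
#   [ssh_connection]
#   ssh_executable = /path/to/iap-ssh.sh
# Assumptions (not from the thread): the host Ansible passes is the GCE
# instance name, and IAP_ZONE / IAP_PROJECT are exported in the environment.
set -u

# Parse ssh-style argv into IAP_HOST, IAP_USER and IAP_CMD.
# The remote command is kept as the one string ssh itself would send
# (remaining args joined by spaces), so no extra quoting is introduced.
iap_ssh_args() {
  IAP_HOST='' IAP_USER='' IAP_CMD=''
  while [ $# -gt 0 ]; do
    case "$1" in
      -l) IAP_USER=$2; shift 2 ;;
      -o)
        # Ansible may pass -o User="name"; ssh strips the quotes, so do we.
        case "$2" in
          User=*) IAP_USER=${2#User=}; IAP_USER=${IAP_USER#\"}; IAP_USER=${IAP_USER%\"} ;;
        esac
        shift 2 ;;          # other -o settings (ControlMaster etc.) are dropped
      -i|-p|-F|-J|-L|-R|-D|-E|-W|-b|-c|-e|-m|-O|-S|-w) shift 2 ;;  # value-taking ssh options (subset)
      -*) shift ;;          # bare flags such as -C, -tt, -vvv
      *)
        if [ -z "$IAP_HOST" ]; then IAP_HOST=$1; shift
        else IAP_CMD=$*; break; fi ;;
    esac
  done
  [ -n "$IAP_HOST" ]
}

# Build and exec the gcloud command; stdin is inherited, so Ansible's
# pipelined module payload still reaches the remote shell.
iap_ssh_exec() {
  iap_ssh_args "$@" || { echo "iap-ssh: no host given" >&2; exit 2; }
  target=${IAP_USER:+$IAP_USER@}$IAP_HOST
  if [ -n "$IAP_CMD" ]; then
    exec gcloud compute ssh "$target" --tunnel-through-iap --quiet \
      --zone "$IAP_ZONE" --project "$IAP_PROJECT" --command "$IAP_CMD"
  fi
  exec gcloud compute ssh "$target" --tunnel-through-iap --quiet \
    --zone "$IAP_ZONE" --project "$IAP_PROJECT"
}

# Only act when invoked with arguments (i.e. by Ansible).
if [ $# -gt 0 ]; then iap_ssh_exec "$@"; fi
```

Point ansible_host (or the gcp_compute inventory plugin's hostnames setting) at the instance name rather than an IP, since that is what gcloud resolves through IAP.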

Say, did you ever find a better solution here? Because I’ve run into the same problem recently, and…well, it’s ugly.

I saw that this ticket had been filed against Ansible:

https://github.com/ansible/ansible/issues/66310

…but was auto-closed by ansibot when all this stuff got moved to the GCP collection. So I’ve filed my own feature request against that repo:

https://github.com/ansible-collections/google.cloud/issues/373

We’ll see if anybody picks it up over there. My sense is that a number of folks have had the Ansible-over-IAP problem; one of these days, GCP really ought to support a proper solution…

Hi,

Just gave some directions in the issue on github to make it work

Regards,

JYL