google.cloud.iap connection – connect via SSH through Google Cloud’s Identity Aware Proxy (IAP)

Note

This connection plugin is part of the google.cloud collection (version 1.8.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install google.cloud.

To use it in a playbook, specify: google.cloud.iap.

Synopsis

  • This connection plugin behaves almost like the stock SSH plugin, but it creates a new IAP process per host in the inventory so connections are tunneled through it.

Parameters

Parameter

Comments

control_path

string

This is the location to save SSH’s ControlPath sockets, it uses SSH’s variable substitution.

Be aware that this setting is ignored if -o ControlPath is set in ssh args.

Configuration:

  • INI entry:

    [ssh_connection]
control_path = VALUE

  • Environment variable: ANSIBLE_SSH_CONTROL_PATH

  • Variable: ansible_control_path

control_path_dir

string

This sets the directory to use for ssh control path if the control path setting is null.

Also, provides the ``%(directory)s`` variable for the control path setting.

Default: "~/.ansible/cp"

Configuration:

  • INI entry:

    [ssh_connection]
control_path_dir = ~/.ansible/cp

  • Environment variable: ANSIBLE_SSH_CONTROL_PATH_DIR

  • Variable: ansible_control_path_dir

gcloud_access_token_file

string

A file to read the access token from.

The credentials of the active account (if exists) will be ignored.

Configuration:

gcloud_account

string

Google cloud account to use for invocation.

Configuration:

  • INI entry:

    [gcloud]
account = VALUE

  • Environment variable: CLOUDSDK_CORE_ACCOUNT

  • Variable: ansible_gcloud_account

gcloud_configuration

string

If set, points to non-standard gcloud configuration.

Configuration:

gcloud_executable

string

Path to the gcloud executable, defaults to whatever is found in the PATH environment variable.

Configuration:

  • INI entry:

    [gcloud]
executable = VALUE

  • Variable: ansible_gcloud_executable

gcloud_project

string

The Google Cloud project ID to use for this invocation.

If omitted, then the current active project is assumed.

Configuration:

  • INI entry:

    [gcloud]
project = VALUE

  • Environment variable: CLOUDSDK_CORE_PROJECT

  • Variable: ansible_gcloud_project

gcloud_zone

string

The Google Cloud zone to use for the instance(s).

Configuration:

  • INI entry:

    [gcloud]
zone = VALUE

  • Environment variable: CLOUDSDK_COMPUTE_ZONE

  • Variable: ansible_gcloud_zone

host

string

Google Cloud instance name to connect to.

Default: "inventory_hostname"

Configuration:

  • Variable: inventory_hostname

  • Variable: ansible_host

  • Variable: ansible_gcloud_host

host_key_checking

boolean

Determines if SSH should reject or not a connection after checking host keys.

Choices:

  • false ← (default)

  • true

Configuration:

  • INI entries:

    [defaults]
host_key_checking = false

    [ssh_connection]
host_key_checking = false

  • Environment variable: ANSIBLE_HOST_KEY_CHECKING

  • Environment variable: ANSIBLE_SSH_HOST_KEY_CHECKING

  • Variable: ansible_host_key_checking

  • Variable: ansible_ssh_host_key_checking

known_hosts_file

string

Path to the UserKnownHosts file storing SSH fingerprints. Defaults to the same file used by `gcloud compute ssh`

Default: "~/.ssh/google_compute_known_hosts"

Configuration:

  • INI entry:

    [ssh_connection]
known_hosts_file = ~/.ssh/google_compute_known_hosts

  • Variable: ansible_known_hosts_file

  • Variable: ansible_ssh_known_hosts_file

password

string

Authentication password for the remote_user. Can be supplied as CLI option.

Configuration:

  • Variable: ansible_password

  • Variable: ansible_ssh_pass

  • Variable: ansible_ssh_password

password_mechanism

string

Mechanism to use for handling ssh password prompt

Choices:

  • "ssh_askpass" ← (default)

  • "sshpass"

  • "disable"

Configuration:

  • INI entry:

    [ssh_connection]
password_mechanism = ssh_askpass

  • Environment variable: ANSIBLE_SSH_PASSWORD_MECHANISM

  • Variable: ansible_ssh_password_mechanism

pipelining

boolean

Pipelining reduces the number of connection operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfers.

This can result in a very significant performance improvement when enabled.

However this can conflict with privilege escalation (become). For example, when using sudo operations you must first disable requiretty in the sudoers file for the target hosts, which is why this feature is disabled by default.

Choices:

  • false ← (default)

  • true

Configuration:

  • INI entries:

    [defaults]
pipelining = false

    [connection]
pipelining = false

  • Environment variable: ANSIBLE_PIPELINING

  • Variable: ansible_pipelining

pkcs11_provider

string

PKCS11 SmartCard provider such as opensc, e.g. /usr/local/lib/opensc-pkcs11.so

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
pkcs11_provider = ""

  • Environment variable: ANSIBLE_PKCS11_PROVIDER

  • Variable: ansible_ssh_pkcs11_provider

port

integer

Remote port to connect to.

Configuration:

  • INI entry:

    [defaults]
remote_port = VALUE

  • Environment variable: ANSIBLE_REMOTE_PORT

  • Keyword: port

  • Variable: ansible_port

  • Variable: ansible_ssh_port

private_key

string

Private key contents in PEM format. Requires the SSH_AGENT configuration to be enabled.

Configuration:

  • Environment variable: ANSIBLE_PRIVATE_KEY

  • Variable: ansible_private_key

  • Variable: ansible_ssh_private_key

private_key_file

string

Path to private key file to use for authentication.

Default: "~/.ssh/google_compute_engine"

Configuration:

  • INI entries:

    [defaults]
private_key_file = ~/.ssh/google_compute_engine

    [gcloud]
private_key_file = ~/.ssh/google_compute_engine

  • Environment variable: ANSIBLE_PRIVATE_KEY_FILE

  • CLI argument: –private-key

  • Variable: ansible_private_key_file

  • Variable: ansible_ssh_private_key_file

  • Variable: ansible_gcloud_private_key_file

private_key_passphrase

string

Private key passphrase, dependent on private_key.

This does NOT have any effect when used with private_key_file.

Configuration:

reconnection_retries

integer

Number of attempts to connect.

Ansible retries connections only if it gets an SSH error with a return code of 255.

Any errors with return codes other than 255 indicate an issue with program execution.

Default: 0

Configuration:

  • INI entries:

    [connection]
retries = 0

    [ssh_connection]
retries = 0

  • Environment variable: ANSIBLE_SSH_RETRIES

  • Variable: ansible_ssh_retries

remote_user

string

User name with which to login to the remote server, normally set by the remote_user keyword.

If no user is supplied, Ansible will let the SSH client binary choose the user as it normally.

Configuration:

  • INI entry:

    [defaults]
remote_user = VALUE

  • Environment variable: ANSIBLE_REMOTE_USER

  • CLI argument: –user

  • Keyword: remote_user

  • Variable: ansible_user

  • Variable: ansible_ssh_user

scp_executable

string

This defines the location of the scp binary. It defaults to scp which will use the first binary available in $PATH.

Default: "scp"

Configuration:

  • INI entry:

    [ssh_connection]
scp_executable = scp

  • Environment variable: ANSIBLE_SCP_EXECUTABLE

  • Variable: ansible_scp_executable

scp_extra_args

string

Extra exclusive to the scp CLI

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
scp_extra_args = ""

  • Environment variable: ANSIBLE_SCP_EXTRA_ARGS

  • CLI argument: –scp-extra-args

  • Variable: ansible_scp_extra_args

sftp_batch_mode

boolean

When set to True, sftp will be run in batch mode, allowing detection of transfer errors.

When set to False, sftp will not be run in batch mode, preventing detection of transfer errors.

Choices:

  • false

  • true ← (default)

Configuration:

  • INI entry:

    [ssh_connection]
sftp_batch_mode = true

  • Environment variable: ANSIBLE_SFTP_BATCH_MODE

  • Variable: ansible_sftp_batch_mode

sftp_executable

string

This defines the location of the sftp binary. It defaults to sftp which will use the first binary available in $PATH.

Default: "sftp"

Configuration:

  • INI entry:

    [ssh_connection]
sftp_executable = sftp

  • Environment variable: ANSIBLE_SFTP_EXECUTABLE

  • Variable: ansible_sftp_executable

sftp_extra_args

string

Extra exclusive to the sftp CLI

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
sftp_extra_args = ""

  • Environment variable: ANSIBLE_SFTP_EXTRA_ARGS

  • CLI argument: –sftp-extra-args

  • Variable: ansible_sftp_extra_args

ssh_args

string

arguments to pass to all ssh cli tools.

Default: "-C -o controlmaster=auto -o controlpersist=60s"

Configuration:

  • INI entry:

    [ssh_connection]
ssh_args = -C -o controlmaster=auto -o controlpersist=60s

  • Environment variable: ansible_ssh_args

  • Variable: ansible_ssh_args

ssh_common_args

string

common extra args for all ssh cli tools.

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
ssh_common_args = ""

  • Environment variable: ANSIBLE_SSH_COMMON_ARGS

  • CLI argument: –ssh-common-args

  • Variable: ansible_ssh_common_args

ssh_executable

string

This defines the location of the SSH binary. It defaults to ssh which will use the first SSH binary available in $PATH.

This option is usually not required, it might be useful when access to system SSH is restricted, or when using SSH wrappers to connect to remote hosts.

Default: "ssh"

Configuration:

  • INI entry:

    [ssh_connection]
ssh_executable = ssh

  • Environment variable: ANSIBLE_SSH_EXECUTABLE

  • Variable: ansible_ssh_executable

ssh_extra_args

string

Extra exclusive to the SSH CLI.

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
ssh_extra_args = ""

  • Environment variable: ANSIBLE_SSH_EXTRA_ARGS

  • CLI argument: –ssh-extra-args

  • Variable: ansible_ssh_extra_args

ssh_transfer_method

string

Preferred method to use when transferring files over ssh

Choices:

  • "sftp"

  • "scp"

  • "piped"

  • "smart" ← (default)

Configuration:

  • INI entry:

    [ssh_connection]
transfer_method = smart

  • Environment variable: ANSIBLE_SSH_TRANSFER_METHOD

  • Variable: ansible_ssh_transfer_method

sshpass_prompt

string

Password prompt that sshpass/SSH_ASKPASS should search for.

Supported by sshpass 1.06 and up when password_mechanism set to sshpass.

Defaults to Enter PIN for when pkcs11_provider is set.

Defaults to assword when password_mechanism set to ssh_askpass.

Default: ""

Configuration:

  • INI entry:

    [ssh_connection]
sshpass_prompt = ""

  • Environment variable: ANSIBLE_SSHPASS_PROMPT

  • Variable: ansible_sshpass_prompt

timeout

integer

This is the default amount of time we will wait while establishing an SSH connection.

It also controls how long we can wait to access reading the connection once established (select on the socket).

Default: 10

Configuration:

  • INI entries:

    [defaults]
timeout = 10

    [ssh_connection]
timeout = 10

  • Environment variable: ANSIBLE_TIMEOUT

  • Environment variable: ANSIBLE_SSH_TIMEOUT

  • CLI argument: –timeout

  • Variable: ansible_ssh_timeout

use_tty

boolean

add -tt to ssh commands to force tty allocation.

Choices:

  • false

  • true ← (default)

Configuration:

  • INI entry:

    [ssh_connection]
usetty = true

  • Environment variable: ANSIBLE_SSH_USETTY

  • Variable: ansible_ssh_use_tty

verbosity

integer

Requested verbosity level for the SSH CLI.

Default: 0

Configuration:

  • INI entry:

    [ssh_connection]
verbosity = 0

  • Environment variable: ANSIBLE_SSH_VERBOSITY

  • Variable: ansible_ssh_verbosity

Note

Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).

Notes

Note

  • This plugin requires you to have configured gcloud authentication prior to using it. You can change the active configuration used, but the plugin won’t auth for you.

  • This plugin is mostly a wrapper to the ``ssh`` CLI utility and the exact behavior of the options depends on this tool. This means that the documentation provided here is subject to be overridden by the CLI tool itself.

  • Many options default to None here but that only means we do not override the SSH tool’s defaults and/or configuration. For example, if you specify the port in this plugin it will override any Port entry in your .ssh/config.

  • The ssh CLI tool uses return code 255 as a ‘connection error’, this can conflict with commands/tools that also return 255 as an error code and will look like an ‘unreachable’ condition or ‘connection error’ to this plugin.

Authors

  • Jorge A Gallegos (@thekad)