Discovering hosts in GCP by using IAP
You can perform a detailed discovery of Google Compute Engine hosts running in Google Cloud Platform (GCP) by using Identity-Aware Proxy (IAP) and Identity and Access Management (IAM). This discovery process does not require a direct SSH connection from the BMC Helix Discovery appliance to the hosts.
BMC Helix Discovery could previously scan hosts in GCP, but only over a direct SSH connection from the appliance. That limited discovery to hosts with a public IP address, and it required open SSH ports, host credentials, and key pairs or passwords.
BMC Helix Discovery uses a Google credential to access IAM and IAP. IAM authenticates the credential and, if it holds the required role, IAP returns the hosts that the credential is permitted to access. BMC Helix Discovery creates implicit scans to discover those hosts. For each host, IAP opens a TCP-forwarding tunnel to port 22 (SSH) on Linux hosts, or to port 5985 or 5986 (PowerShell over HTTP or HTTPS) on Windows hosts. Your project's firewall must allow traffic on these ports from IAP to the target hosts.
The Google credential is not used to authenticate with the hosts. For authentication purposes, generated SSH keys are used for Linux hosts, and one-time passwords are used for Windows hosts.
Discovering hosts in GCP by using IAP provides the following advantages:
- You can discover your entire GCP estate by using your existing GCP credentials. There are no additional credentials to manage.
- Irrespective of how your GCP deployment's network is segmented, a single GCP IAM credential enables you to discover all of your GCP estate.
- There is no requirement for an SSH configuration or GCP host key pairs.
When you discover hosts in GCP by using IAP, the target is known to be hosted in GCP, so cloud detection is disabled and only the appropriate GCP methods are used. In a normal IP scan of a host, cloud detection is used to determine whether the target is cloud hosted, and if so, to detect the cloud provider.
If the target host cannot be accessed by using the IAP key or a one-time password, BMC Helix Discovery attempts to match an existing credential. When hosts are discovered through IAP by using an existing credential, the hosts do not need a public IP address.
GCP IAM and IAP overview
GCP IAM (Identity and Access Management) is a GCP service that enables you to create and manage permissions for all of your Google Cloud resources.
GCP Identity-Aware Proxy (IAP) is an authorization service that enables you to manage HTTPS access to applications running in GCP, and TCP forwarding (for example, SSH and PowerShell) to Compute Engine instances, including instances that have no public IP address. Applications behind IAP verify requests by using signed headers or the App Engine standard environment Users API.
Before you begin
Before you can discover hosts by using IAP, you must grant the correct permissions in the Google Cloud console (IAM & Admin). Assign the following permissions to the service account that you use for discovery:
- compute.projects.setCommonInstanceMetadata
- iam.serviceAccounts.actAs
The service account also needs permission to open the IAP tunnel, iap.tunnelInstances.accessViaIAP, which the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) grants. The predefined roles that include the two permissions listed above are broader than discovery requires, so you might choose to configure a custom role that grants exactly these three permissions.
The permissions are checked when you test the discovery credentials, and any missing permissions are indicated.
Firewall rules
You must configure the GCP firewall to allow ingress from IAP to your hosts. IAP TCP forwarding connects from the source range 35.235.240.0/20, so restrict the rule to that range rather than opening the ports to the internet. The following ports are required:
- SSH — TCP/22
- PowerShell/HTTP — TCP/5985
- PowerShell/HTTPS — TCP/5986
If you run SSH or PowerShell on custom ports, you can configure BMC Helix Discovery to use those ports; the firewall rule must then allow the custom ports instead. For more information, see Configuring discovery settings.
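The following script is an added example, not code from BMC Helix Discovery or from Google: it applies the firewall rule and permission setup described above with the gcloud CLI and then opens a test tunnel the way discovery will. The project, network, target tag, service account, role ID and instance names are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: prepare a GCP project for IAP-based discovery with gcloud.
# Not BMC Helix Discovery or Google code. All names below are hypothetical
# placeholders; override them with environment variables or edit them.
set -eu

PROJECT="${PROJECT:-example-discovery-project}"
NETWORK="${NETWORK:-default}"
TARGET_TAG="${TARGET_TAG:-discovery-target}"
SA="${SA:-helix-discovery@example-discovery-project.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-helixIapDiscovery}"
IAP_RANGE="35.235.240.0/20"   # Google's IAP TCP-forwarding source range
DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# iap_firewall_rule: allow only the IAP range to reach the discovery ports on
# tagged hosts. Because the source is the IAP range, ports 22/5985/5986 stay
# closed to the internet even on hosts that have a public IP address.
iap_firewall_rule() {
  run gcloud compute firewall-rules create allow-iap-discovery \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$IAP_RANGE" --target-tags="$TARGET_TAG" \
    --allow=tcp:22,tcp:5985,tcp:5986
}

# create_discovery_role: a custom role with exactly the permissions discovery
# needs (the two the page lists plus tunnel access) instead of a broad
# predefined role such as Compute Instance Admin.
create_discovery_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="Helix IAP discovery" \
    --permissions=compute.projects.setCommonInstanceMetadata,iam.serviceAccounts.actAs,iap.tunnelInstances.accessViaIAP
}

# bind_role: grant the custom role to the discovery service account.
bind_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$SA" \
    --role="projects/$PROJECT/roles/$ROLE_ID"
}

# show_bindings: list the roles the service account actually holds, so you can
# confirm the binding before testing the credential in BMC Helix Discovery.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="value(bindings.role)"
}

# verify_tunnel: open an IAP tunnel to SSH on one instance and forward it to
# localhost:2222. If this fails, fix the firewall rule or the tunnel
# permission before troubleshooting the discovery run itself.
verify_tunnel() {
  instance="$1"
  zone="$2"
  run gcloud compute start-iap-tunnel "$instance" 22 --zone="$zone" \
    --project="$PROJECT" --local-host-port=localhost:2222
}

prepare_project() {
  iap_firewall_rule
  create_discovery_role
  bind_role
  show_bindings
}

if [ "${1:-}" = "apply" ]; then
  prepare_project
fi
```

Run `DRY_RUN=1 sh prepare-iap.sh apply` to preview the commands, then run it without DRY_RUN to apply them. To check the path discovery will use, source the script and call `verify_tunnel INSTANCE ZONE`, then connect with `ssh -p 2222 localhost` from another terminal.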
To discover Compute Engine hosts by using IAP
To discover Compute Engine hosts by using IAP, enable Identity-Aware Proxy Sessions when you add a new Google Cloud Platform discovery run.
Scope
For IP addresses scanned through GCP by using IAP, the scope of an IP address is set as the default network.