GCP

From Bitpost wiki
Revision as of 18:37, 29 January 2022 by M

Basics

Auth

gcloud auth login

Set project and zone

gcloud config set compute/zone us-east4-a
# see es command for more

Tasks

Cloning a VM

  • Create an image of an existing VM, with the same name. It will be added under Compute Engine > VMs > Machine images
  • Create a new VM from the machine image

Remove external IP

Edit the network and change the External IP from Ephemeral to None.

Set up a new VM for gcloud SSH 2FA access

  • Remove external IP (see above) - this will force `gcloud compute ssh...` to use "IAP Tunneling".
  • Add a network tag to the VM that allows access - it seems I don't have rights to tags, but I can use `demo-meteor-1` to get the job done

Harden SSH to internal connections only

  • create a FUCKING NORMAL SSH CONNECTION from source to target machine (it won't work, that's ok, but you better do it right)
  • make the user that is connectable FULL SUDO or you will be fucked out of access!
sudo visudo # and change the sudo group line to: %sudo ALL=(ALL) NOPASSWD: ALL
sudo usermod -a -G sudo esauto
  • Remove the GCP ssh bullshit
    • set metadata key enable-oslogin to FALSE
    • [x] block project-wide ssh
    • restart
  • Now normal ssh should start working
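
An added example (not part of the original notes): a Python check over `gcloud compute instances describe ... --format=json` output that confirms a VM has no external access config, has `enable-oslogin` set to FALSE and blocks project-wide SSH keys. The sample JSON and instance names are constructed, and `block-project-ssh-keys` is assumed to be the metadata key behind the "block project-wide ssh" checkbox.

```python
import json

# Constructed sample of `gcloud compute instances describe NAME --format=json`
# output, trimmed to the fields checked below (not from a real project).
SAMPLE = json.loads("""
[
 {"name": "vm-hardened",
  "networkInterfaces": [{"network": "default"}],
  "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"},
                         {"key": "block-project-ssh-keys", "value": "true"}]}},
 {"name": "vm-with-nat",
  "networkInterfaces": [{"accessConfigs": [{"name": "External NAT",
                                            "type": "ONE_TO_ONE_NAT"}]}],
  "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}
]
""")


def audit_instance(inst):
    """Return findings for one instance; an empty list matches the notes above."""
    findings = []
    # Any access config counts, even if no natIP is currently shown:
    # it is what `delete-access-config` removes.
    for nic in inst.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            findings.append("external access config: %s" % ac.get("name", "?"))
    # Metadata values are strings; compare case-insensitively.
    # Only instance-level metadata is visible in this output.
    meta = {i["key"]: str(i.get("value", "")).strip().lower()
            for i in inst.get("metadata", {}).get("items", [])}
    if meta.get("enable-oslogin") != "false":
        findings.append("enable-oslogin is not FALSE on the instance")
    if meta.get("block-project-ssh-keys") != "true":
        findings.append("project-wide SSH keys are not blocked")
    return findings


def audit(instances):
    """Map instance name -> list of findings."""
    return {i["name"]: audit_instance(i) for i in instances}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

To run it against real instances, replace `SAMPLE` with the parsed output of `gcloud compute instances list --format=json`.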

old notes

(This no longer seems true.) It never seems enough to remove external IP. Additional steps to get it done:

gcloud compute instances describe box-1
              networkInterfaces:
               - accessConfigs:
                 - ...
                   name: External NAT
gcloud compute instances delete-access-config box-1 --access-config-name "External NAT"
# REBOOT THE VM

Install gcloud CLI

# apt-key is deprecated; write the dearmored key straight to the keyring that signed-by points at
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt update
sudo apt install google-cloud-sdk

Then you should copy the SSH key from another location:

scp -r case:.ssh/google_compute* ~/.ssh/