Google Cloud Identity Aware Proxy over Corporate Proxy

Tags:

google-iap

I configured Google Cloud Identity-Aware Proxy for the application. So far I can SSH to it with no problem, as long as I am not using the corporate proxy. I tried over the proxy (with the IAP endpoint on the 'allow' list in the corporate proxy), but it failed with an SSL certificate error.

Errors:

...
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
INFO: Error during WebSocket processing:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

INFO: Client closed connection from [stdin].
DEBUG: (gcloud.compute.start-iap-tunnel) Error while connecting [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)].
Traceback (most recent call last):
  File "/usr/local/Caskroom/google-cloud-sdk/latest

...

Has anyone succeeded in configuring a corporate proxy for IAP? If yes, what configuration do you think is needed to get it working?

Thanks so much in advance!!

user2362699 asked Sep 04 '25 16:09

1 Answer

Answering my own question:

Yes, a proxy can be configured to access IAP endpoint nodes.

Steps:

  1. Ask your friendly proxy admins to add the following to allow list:

    wss://tunnel.cloudproxy.app

  2. Configure your current GCLOUD_SDK environment:

    $ gcloud config set proxy/type http
    Updated property [proxy/type].

    $ gcloud config set proxy/address proxy.testcorp.com
    Updated property [proxy/address].

    $ gcloud config set proxy/port 8080
    Updated property [proxy/port].

    $ gcloud config set proxy/username user001
    Updated property [proxy/username].

    $ gcloud config set proxy/password XXXXXXXXXXXX
    Updated property [proxy/password].

  3. Make sure you have correct SSL Certs installed on your workstation. You can configure GCLOUD_SDK to use your certs using the following command:

    gcloud config set custom_ca_certs_file /Users/user01/gce/certs/corpcerts.pem

Next you can go ahead and issue 'gcloud ssh' command with --tunnel-through-iap to connect to your node.

user2362699 answered Sep 07 '25 17:09
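As an added example (not part of the answer above), here is a Python checker for the configuration file those `gcloud config set` commands write. It assumes gcloud's INI layout (a `[proxy]` section and `core/custom_ca_certs_file` in the active `~/.config/gcloud/configurations/config_*` file) and uses a constructed placeholder PEM bundle, not a real CA; the checks that matter to a defender are that the CA bundle gcloud is told to trust is not writable by others, and that `proxy/password` lands in that file in cleartext.

```python
import configparser
import os
import stat
import tempfile

# Proxy types gcloud accepts for the proxy/type property.
ALLOWED_PROXY_TYPES = {"http", "http_no_tunnel", "socks4", "socks5"}


def pem_cert_count(path):
    """Count PEM certificate blocks; a bundle with none cannot fix CERTIFICATE_VERIFY_FAILED."""
    with open(path) as f:
        return f.read().count("-----BEGIN CERTIFICATE-----")


def check_gcloud_proxy_config(config_text):
    """Return a list of findings for the proxy/CA settings in a gcloud configuration INI."""
    findings = []
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    proxy = cfg["proxy"] if cfg.has_section("proxy") else {}
    if proxy.get("type") not in ALLOWED_PROXY_TYPES:
        findings.append("proxy/type missing or not one of %s" % sorted(ALLOWED_PROXY_TYPES))
    if not proxy.get("address"):
        findings.append("proxy/address not set")
    port = proxy.get("port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("proxy/port must be 1-65535")
    if proxy.get("password"):
        findings.append("proxy/password is stored in cleartext in this file; restrict its permissions")
    ca_file = cfg.get("core", "custom_ca_certs_file", fallback=None)
    if not ca_file:
        findings.append("core/custom_ca_certs_file not set: gcloud will not trust the corporate CA")
    elif not os.path.isfile(ca_file):
        findings.append("custom_ca_certs_file does not exist: %s" % ca_file)
    else:
        mode = stat.S_IMODE(os.stat(ca_file).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("custom_ca_certs_file is group/world writable; anyone who can edit it can add a CA gcloud trusts")
        if pem_cert_count(ca_file) == 0:
            findings.append("custom_ca_certs_file contains no PEM certificate blocks")
    return findings


def demo():
    """Constructed sample: the answer's settings with a placeholder bundle (not a real certificate)."""
    bundle = os.path.join(tempfile.mkdtemp(), "corpcerts.pem")
    with open(bundle, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n")
    os.chmod(bundle, 0o644)
    config = ("[core]\ncustom_ca_certs_file = %s\n[proxy]\ntype = http\naddress = proxy.testcorp.com\n"
              "port = 8080\nusername = user001\npassword = XXXXXXXXXXXX\n" % bundle)
    good = check_gcloud_proxy_config(config)          # only the cleartext-password finding
    os.chmod(bundle, 0o666)                           # world-writable bundle must be flagged
    bad = check_gcloud_proxy_config(config.replace("type = http", "type = ftp"))
    return good, bad
```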