New version of the Cloud IAP plugin for Remote Desktop released

A few days ago, I released version 1.1.22 of the Cloud IAP plugin for Remote Desktop on GitHub.

The three main new features in this release are:

  1. A managed implementation of Cloud IAP TCP tunneling
  2. OAuth-based authorization
  3. Support for custom GCP session lengths

Managed implementation of IAP TCP tunneling

Previous versions of the plugin relied on gcloud to establish Cloud IAP TCP tunnels. When you selected Connect server via Cloud IAP in the menu, the plugin spawned a gcloud compute start-iap-tunnel process in the background.


Relying on gcloud to establish Cloud IAP tunnels has a few disadvantages:

  • Launching a gcloud process takes several seconds. This causes a noticeable delay when trying to connect to a VM instance.
  • Each VM you connect to requires a separate gcloud instance as each instance can only manage a single tunnel. Although gcloud is not overly resource-hungry by today’s standards, the memory footprint quickly adds up if you connect to multiple instances:

gcloud processes

Example of running RDCMan with two active tunnels managed by gcloud

The new version of the plugin does away with this overhead by using a managed implementation of Cloud IAP tunneling by default. That is, the plugin can now establish tunnels without having to engage gcloud at all. Not having to spawn gcloud processes translates into a substantially faster connection time and lower memory consumption.

The one caveat is that the managed implementation requires at least Windows 8 or Windows Server 2012. To support previous versions of Windows, the plugin therefore allows you to switch back to using gcloud-based tunneling by setting Tunneling implementation to Gcloud in the settings.


Because the plugin relied so heavily on gcloud before, it did not make sense for it to implement its own authentication, so the plugin used your local gcloud credentials to connect and authenticate to GCP.

Unless you switch back to using gcloud-based tunneling, having the Cloud SDK installed is now optional. As a result, the plugin also does not require local gcloud credentials anymore. Instead, it will ask you for your consent to access your GCP projects by using OAuth.

Auth dialog

As with any other OAuth-based application, you can check and revoke your consent at any time in your Google Account settings.

Custom GCP session lengths

Recently, GCP introduced the ability to control the session length for Cloud Console and gcloud sessions. Although the setting’s name suggests it only applies to the Cloud Console and gcloud, it really affects all clients that interact with GCP APIs – including the Cloud IAP plugin.

If you specify a custom session length and your session expires, the plugin will now properly prompt you to re-authenticate.

Other changes

A few notable other changes include:

  • Generating Windows credentials is now much faster. Again, this is a result of not relying on gcloud anymore. Instead, the plugin now programmatically creates passwords.
  • Loading instances is much faster too, thanks to using a different API.

You can download version 1.1.22 on GitHub.
