Enabling just-in-time access to Google Cloud resourcesThe principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »
Keeping track of SSH keys using IAP Desktop 2.26When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
Docking and floating RDP windows in IAP Desktop 2.25IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »
Using ECDSA keys for SSH public key authentication in IAP Desktop 2.23By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Continue »
Best practices for using workload identity federationWorkload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for. Continue »
Managing IAP Desktop by using group policiesIAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Best practices for managing service account keysService accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »
Image creation on Google Cloud, part 2: Build processGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works. Continue »
Image creation on Google Cloud, part 1: Windows SetupGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review of how Windows Setup works. Continue »
IAP Desktop 2.16 improves the Project Explorer and lets you customize fontsRelease 2.16 is out, and it contains multiple improvements to the Project Explorer tool window as well as the ability to customize your SSH terminal better. Continue »
Limit metadata server access to specific Windows users or processesBy default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM, even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »
Best practices for using, managing, and securing service accounts on Google CloudService accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »
Using libssh2 on Windows: lessons learntDocumentation is not where libssh2 shines most. Continue »
Building libssh2 on Windows: lessons learntLibssh2 is written in plain C and runs on many platforms, including Windows. But to use the library on Windows, you have to build it first – and as it turns out, that is easier said than done. Continue »
Using IAP Desktop for zero-trust SSH accessIAP Desktop 2.13 now lets you connect to Linux instances by using SSH. You can run multiple SSH and Remote Desktop in parallel, all secured by Identity-Aware-Proxy. Continue »
Updating googet packages behind a proxyCompute Engine uses googet to pre-install drivers and other critical system components on Windows VMs. But how do you update these packages if the VM does not have internet access?
Continue »
Using Google Cloud’s “Set Windows password” function on a domain controllerWhat happens if you use the “Set Windows password” function on a domain controller? Continue »
Preventing users from requesting Windows credentials on GCPAfter creating a Windows VM on Google Cloud, users can use the Cloud Console or IAP Desktop to request login credentials. But what are the risks of letting users generate credentials, and is there a way to prevent them from doing so? Continue »
Does IAP Desktop support .rdp files, or anything similar?If you frequently use Remote Desktop, then you might be used to creating .rdp files for the servers you connect to most often. IAP Desktop does not support .rdp files, but there is an alternative way to open IAP Desktop and connect to a server in a single click.
Continue »
What does the email_verified claim indicate in Google ID Tokens?When you authenticate a user by using OpenID Connect and request the email scope, most identity providers add two additional claims to the ID Token, email and email_verified. The email claim does not need much explanation – but what about email_verified, what does this claim indicate and how does Google populate it?
Continue »