diff --git a/providers/google/docs/connections/gcp_ssh.rst b/providers/google/docs/connections/gcp_ssh.rst index a99574d46e32b..11dda70568fcd 100644 --- a/providers/google/docs/connections/gcp_ssh.rst +++ b/providers/google/docs/connections/gcp_ssh.rst @@ -25,12 +25,6 @@ The :class:`~airflow.providers.google.cloud.hooks.compute_ssh.ComputeEngineSSHHo commands on a remote server using :class:`~airflow.providers.ssh.operators.ssh.SSHOperator` or transfer file from/to the remote server using :class:`~airflow.providers.sftp.operators.sftp.SFTPOperator`. -.. note:: - - ``TPC`` stands for ``Trusted Partner Cloud``. In practice, this means a deployment that uses a - non-default universe domain such as ``apis-tpczero.goog`` instead of ``googleapis.com``. - - Configuring the Connection -------------------------- @@ -79,10 +73,10 @@ For example: expire_time=4242" -Trusted Partner Cloud (TPC) guidance +Sovereign Cloud from Google guidance ------------------------------------ -If you are running Airflow in Trusted Partner Cloud (TPC), use the following configuration guidance for +If you are running Airflow in Sovereign Cloud from Google, use the following configuration guidance for Compute Engine SSH. Recommended configuration for direct SSH @@ -108,14 +102,14 @@ This works only when the caller has the IAM permissions needed to open an IAP tu deployments this is typically the ``IAP-secured Tunnel User`` role (``roles/iap.tunnelResourceAccessor``). -Configuration to avoid in TPC -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Configuration to avoid in Sovereign Cloud from Google +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Do not use Cloud OS Login for Compute Engine SSH in the tested TPC environment: +Do not use Cloud OS Login for Compute Engine SSH in the tested Sovereign Cloud from Google environment: * ``use_oslogin=True`` -In the tested TPC environment, the OS Login SSH flow was not available for this hook. For users, the +In the tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. For users, the practical recommendation is to use metadata-managed SSH keys and set ``use_oslogin=False``. Instance configuration when using metadata-managed SSH keys diff --git a/providers/google/docs/operators/cloud/compute_ssh.rst b/providers/google/docs/operators/cloud/compute_ssh.rst index 2201830951c1a..1dbca52704acd 100644 --- a/providers/google/docs/operators/cloud/compute_ssh.rst +++ b/providers/google/docs/operators/cloud/compute_ssh.rst @@ -43,13 +43,12 @@ To use instance metadata, make sure to set the Cloud OS Login argument to False Please note that the target instance must allow tcp traffic on port 22. -Trusted Partner Cloud (TPC) guidance +Sovereign Cloud from Google guidance """""""""""""""""""""""""""""""""""" -``TPC`` stands for ``Trusted Partner Cloud``. In these environments, the practical question for Compute -Engine SSH is which hook parameters to set. +In these environments, the practical question for Compute Engine SSH is which hook parameters to set. -Use these settings for direct SSH in TPC: +Use these settings for direct SSH in Sovereign Cloud from Google: .. code-block:: python @@ -59,7 +58,7 @@ Use these settings for direct SSH in TPC: use_iap_tunnel=False, ) -Use these settings for SSH over IAP in TPC: +Use these settings for SSH over IAP in Sovereign Cloud from Google: .. code-block:: python @@ -73,7 +72,7 @@ For the IAP case, the caller must also have the IAM permissions required to open Cloud deployments, this is typically the ``IAP-secured Tunnel User`` role (``roles/iap.tunnelResourceAccessor``). -Avoid this setting in the tested TPC environment: +Avoid this setting in the tested Sovereign Cloud from Google environment: .. code-block:: python @@ -82,10 +81,10 @@ Avoid this setting in the tested TPC environment: use_oslogin=True, ) -In the tested TPC environment, the OS Login SSH flow was not available for this hook. For users, the +In the tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. For users, the practical guidance is to use metadata-managed SSH keys and set ``use_oslogin=False``. -When you use metadata-managed SSH keys in TPC: +When you use metadata-managed SSH keys in Sovereign Cloud from Google: * set ``use_oslogin=False``, * do not enable instance metadata ``enable-oslogin=TRUE`` for that SSH path, diff --git a/providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py b/providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py index ad138c158fca8..c39da86beeded 100644 --- a/providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py +++ b/providers/google/src/airflow/providers/google/cloud/hooks/compute_ssh.py @@ -81,12 +81,12 @@ class ComputeEngineSSHHook(SSHHook): * Cloud OS Login when ``use_oslogin=True`` * instance metadata SSH keys when ``use_oslogin=False`` - In Trusted Partner Cloud (TPC) environments, the recommended setup is to use instance metadata SSH keys: + In Sovereign Cloud from Google environments, the recommended setup is to use instance metadata SSH keys: * ``use_oslogin=False`` and ``use_iap_tunnel=False`` for direct SSH * ``use_oslogin=False`` and ``use_iap_tunnel=True`` for SSH over IAP - In a tested TPC environment, the OS Login SSH flow was not available for this hook. Since this hook uses + In a tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. Since this hook uses OS Login SSH-key management when ``use_oslogin=True``, that setting should be avoided there unless the target environment explicitly supports OS Login SSH. @@ -97,13 +97,13 @@ class ComputeEngineSSHHook(SSHHook): :param gcp_conn_id: The connection id to use when fetching connection info :param hostname: The hostname of the target instance. If it is not passed, it will be detected automatically. - :param use_iap_tunnel: Whether to connect through IAP tunnel. In TPC environments this can work with + :param use_iap_tunnel: Whether to connect through IAP tunnel. In Sovereign Cloud from Google environments this can work with metadata-managed SSH keys, but it requires the IAM permissions needed to open an IAP tunnel. In Google Cloud deployments, this is typically the ``IAP-secured Tunnel User`` role (``roles/iap.tunnelResourceAccessor``). :param use_internal_ip: Whether to connect using internal IP :param use_oslogin: Whether to manage keys using OsLogin API. If false, - keys are managed using instance metadata. In tested TPC environments, set this to ``False`` and use + keys are managed using instance metadata. In tested Sovereign Cloud from Google environments, set this to ``False`` and use metadata-managed SSH keys instead. :param expire_time: The maximum amount of time in seconds before the private key expires :param gcp_conn_id: The connection id to use when fetching connection information