Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 6 additions & 12 deletions providers/google/docs/connections/gcp_ssh.rst
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,6 @@ The :class:`~airflow.providers.google.cloud.hooks.compute_ssh.ComputeEngineSSHHo
commands on a remote server using :class:`~airflow.providers.ssh.operators.ssh.SSHOperator` or transfer
file from/to the remote server using :class:`~airflow.providers.sftp.operators.sftp.SFTPOperator`.

.. note::

``TPC`` stands for ``Trusted Partner Cloud``. In practice, this means a deployment that uses a
non-default universe domain such as ``apis-tpczero.goog`` instead of ``googleapis.com``.


Configuring the Connection
--------------------------

Expand Down Expand Up @@ -79,10 +73,10 @@ For example:
expire_time=4242"


Trusted Partner Cloud (TPC) guidance
Sovereign Cloud from Google guidance
------------------------------------

If you are running Airflow in Trusted Partner Cloud (TPC), use the following configuration guidance for
If you are running Airflow in Sovereign Cloud from Google, use the following configuration guidance for
Compute Engine SSH.

Recommended configuration for direct SSH
Expand All @@ -108,14 +102,14 @@ This works only when the caller has the IAM permissions needed to open an IAP tu
deployments this is typically the ``IAP-secured Tunnel User`` role
(``roles/iap.tunnelResourceAccessor``).

Configuration to avoid in TPC
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Configuration to avoid in Sovereign Cloud from Google
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Do not use Cloud OS Login for Compute Engine SSH in the tested TPC environment:
Do not use Cloud OS Login for Compute Engine SSH in the tested Sovereign Cloud from Google environment:

* ``use_oslogin=True``

In the tested TPC environment, the OS Login SSH flow was not available for this hook. For users, the
In the tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. For users, the
practical recommendation is to use metadata-managed SSH keys and set ``use_oslogin=False``.

Instance configuration when using metadata-managed SSH keys
Expand Down
15 changes: 7 additions & 8 deletions providers/google/docs/operators/cloud/compute_ssh.rst
Original file line number Diff line number Diff line change
Expand Up @@ -43,13 +43,12 @@ To use instance metadata, make sure to set the Cloud OS Login argument to False

Please note that the target instance must allow tcp traffic on port 22.

Trusted Partner Cloud (TPC) guidance
Sovereign Cloud from Google guidance
""""""""""""""""""""""""""""""""""""

``TPC`` stands for ``Trusted Partner Cloud``. In these environments, the practical question for Compute
Engine SSH is which hook parameters to set.
In these environments, the practical question for Compute Engine SSH is which hook parameters to set.

Use these settings for direct SSH in TPC:
Use these settings for direct SSH in Sovereign Cloud from Google:

.. code-block:: python

Expand All @@ -59,7 +58,7 @@ Use these settings for direct SSH in TPC:
use_iap_tunnel=False,
)

Use these settings for SSH over IAP in TPC:
Use these settings for SSH over IAP in Sovereign Cloud from Google:

.. code-block:: python

Expand All @@ -73,7 +72,7 @@ For the IAP case, the caller must also have the IAM permissions required to open
Cloud deployments, this is typically the ``IAP-secured Tunnel User`` role
(``roles/iap.tunnelResourceAccessor``).

Avoid this setting in the tested TPC environment:
Avoid this setting in the tested Sovereign Cloud from Google environment:

.. code-block:: python

Expand All @@ -82,10 +81,10 @@ Avoid this setting in the tested TPC environment:
use_oslogin=True,
)

In the tested TPC environment, the OS Login SSH flow was not available for this hook. For users, the
In the tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. For users, the
practical guidance is to use metadata-managed SSH keys and set ``use_oslogin=False``.

When you use metadata-managed SSH keys in TPC:
When you use metadata-managed SSH keys in Sovereign Cloud from Google:

* set ``use_oslogin=False``,
* do not enable instance metadata ``enable-oslogin=TRUE`` for that SSH path,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -81,12 +81,12 @@ class ComputeEngineSSHHook(SSHHook):
* Cloud OS Login when ``use_oslogin=True``
* instance metadata SSH keys when ``use_oslogin=False``

In Trusted Partner Cloud (TPC) environments, the recommended setup is to use instance metadata SSH keys:
In Sovereign Cloud from Google environments, the recommended setup is to use instance metadata SSH keys:

* ``use_oslogin=False`` and ``use_iap_tunnel=False`` for direct SSH
* ``use_oslogin=False`` and ``use_iap_tunnel=True`` for SSH over IAP

In a tested TPC environment, the OS Login SSH flow was not available for this hook. Since this hook uses
In a tested Sovereign Cloud from Google environment, the OS Login SSH flow was not available for this hook. Since this hook uses
OS Login SSH-key management when ``use_oslogin=True``, that setting should be avoided there unless the
target environment explicitly supports OS Login SSH.

Expand All @@ -97,13 +97,13 @@ class ComputeEngineSSHHook(SSHHook):
:param gcp_conn_id: The connection id to use when fetching connection info
:param hostname: The hostname of the target instance. If it is not passed, it will be detected
automatically.
:param use_iap_tunnel: Whether to connect through IAP tunnel. In TPC environments this can work with
:param use_iap_tunnel: Whether to connect through IAP tunnel. In Sovereign Cloud from Google environments this can work with
metadata-managed SSH keys, but it requires the IAM permissions needed to open an IAP tunnel. In
Google Cloud deployments, this is typically the ``IAP-secured Tunnel User`` role
(``roles/iap.tunnelResourceAccessor``).
:param use_internal_ip: Whether to connect using internal IP
:param use_oslogin: Whether to manage keys using OsLogin API. If false,
keys are managed using instance metadata. In tested TPC environments, set this to ``False`` and use
keys are managed using instance metadata. In tested Sovereign Cloud from Google environments, set this to ``False`` and use
metadata-managed SSH keys instead.
:param expire_time: The maximum amount of time in seconds before the private key expires
:param gcp_conn_id: The connection id to use when fetching connection information
Expand Down
Loading