Connecting to GCE instance using service account and IAP


This is apparently an easy task, but for some reason I cannot accomplish it. In a (terraform local-exec) pipeline (thus, non-interactively), I need to log in to a given GCE instance, authenticating as a specific service account I have the credentials JSON file for, using the IAP proxy.

In other words, I need to upgrade the following command:

gcloud compute ssh --zone "europe-west1-d" "<instance name>" --project "<prj-id>" --tunnel-through-iap --command "echo 'Hello World'"

I was wondering if there's a command to perform that and if I need a particular set of IAM roles bound to the SA to allow that.

1

There is 1 answer

6
Gabriele B On

After a lot of search and investigation, it seems there's no way for a service account to login using IAP to compute engine.

Basically, the needed grant simply cannot be assigned to a service account at all.

A SA can ssh into a compute instance, though, assuming a valid key was shared between the parties (a key can be generated when the compute engine instance is provisioned). This makes the process not so practical in everyday use, but theoretically possible.
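As an added example (not part of the question or the answer above), this is how the non-interactive flow from the question would be scripted: validate the key file, activate the service account in the local gcloud configuration, run the same IAP-tunnelled `gcloud compute ssh` command, and revoke the activated credential afterwards so it does not linger in the pipeline runner's config. The project, zone and instance values are placeholders; it assumes `gcloud` is installed and that the service account already holds whatever IAM permissions the project requires for the call to succeed. `DRY_RUN=1` prints the composed command instead of executing anything.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or the answer.
# Placeholder values: project "my-prj", zone "europe-west1-d", instance "vm-1".

# Sanity-check the credentials file before touching gcloud: it must exist and
# declare itself a service-account key (the "type" field of a GCP key file).
check_key_file() {
  [ -f "$1" ] || return 1
  grep -q '"type": *"service_account"' "$1" || return 2
  return 0
}

# Run the question's command with the arguments passed as a proper argv
# (no eval, so a remote command containing quotes or spaces stays intact).
# $1 project, $2 zone, $3 instance, $4 remote command
run_iap_ssh() {
  project=$1; zone=$2; instance=$3; remote_cmd=$4
  set -- gcloud compute ssh --zone "$zone" "$instance" --project "$project" \
         --tunnel-through-iap --quiet --command "$remote_cmd"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"   # show what would run, do not run it
    return 0
  fi
  "$@"
}

# Full non-interactive flow: activate the SA from its key file, run the
# command through IAP, then drop the activated credential from gcloud config.
# $1 key file, $2 project, $3 zone, $4 instance, $5 remote command
iap_ssh_as_sa() {
  key_file=$1
  check_key_file "$key_file" || { echo "unusable key file: $key_file" >&2; return 1; }
  if [ "${DRY_RUN:-0}" != 1 ]; then
    gcloud auth activate-service-account --key-file="$key_file" --quiet || return 1
  fi
  run_iap_ssh "$2" "$3" "$4" "$5"; rc=$?
  if [ "${DRY_RUN:-0}" != 1 ]; then
    # The key file itself still needs protecting; this only cleans the local gcloud state.
    gcloud auth revoke --all --quiet >/dev/null 2>&1 || true
  fi
  return $rc
}

# Example invocation (placeholders):
# iap_ssh_as_sa ./sa-key.json my-prj europe-west1-d vm-1 "echo 'Hello World'"
```

The key-file check is deliberate: a pipeline that silently falls back to whatever credential happens to be active on the runner is a common source of "it worked on my machine" surprises, so failing early on a missing or malformed key file is safer than letting gcloud pick a default.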