
Connecting to SRDE

Remote access to the secure environment workspace via the Command Line Interface. The SRDE consists of two separate servers:

  • The Workspace Host is where you access and analyze data
  • The Bastion Host acts as a proxy that allows your laptop/workstation to connect securely via the internet to the Workspace Host.

Accessing the Secure environment Workspace Host remotely via the Command Line Interface (CLI) is a two-step process: first you must connect to the Bastion Host, and then from the Bastion Host access your Workspace Host. The two-step process is demonstrated below:

Virtual Private Network

This two-step process is enabled with the use of SSH keys and SSH Agent Forwarding and is described in detail for some of the common Operating Systems (MacOS/Linux and Windows) in the following sections of the User Guide. For more general information about using SSH keys and the use of Bastion Host see here.

User access to the secure environment is controlled by the Identity-Aware Proxy (IAP) Google Cloud service. IAP provides a central way of managing user access and enforcing access control policies, without requiring external/public IP addresses on the Bastion Host and the Workspace Host.

Prerequisites

In order to be able to access your Secure Environment Workspace Host, you will need the following information, provided by the Secure Research Data Admins:

  • Project Id for the Bastion Host (ex. test-dev1-bastion-1234)
  • Zone Name (ex. us-east4-a)
note

At this time you are not required to be on the NYU Network (or VPN into the NYU Network) in order to access the Secure Environment workspace.

Connecting through Google Cloud Console

Navigate to Google Cloud Console https://console.cloud.google.com/welcome and login with your NetID. Click the Select a project drop-down list at the top left corner of the page. In the Select a project window that appears, search and select the bastion project using the provided project ID (ex. test-dev1-bastion-1234).

Select a project

Once selected, navigate to the VM Instances page via the Navigation menu (Menu in the top left corner of the page) > Compute Engine > VM Instances. A running Bastion instance will be visible on the page as shown below:

Bastion Instance

SSH to the Bastion instance by clicking on the SSH button. A new SSH-in-browser tab will appear with a restricted CLI (command line interface) connected to the instance. We are now inside the Bastion Host.

SSH in browser

Now we can ssh to our workspace host by using the workspace internal IP address 10.0.0.2:

ssh 10.0.0.2

This will open the workspace CLI on the Workspace Host, which has the computing resources needed to work on our data.

Connecting through Google Cloud Shell

Navigate to https://shell.cloud.google.com/ while logged in using your NetID.

Setting project and zone

Note - Ask your SRDE administrator for the appropriate GCP PROJECT_ID and ZONE_NAME. Replace the values in the two commands below and run them:

gcloud config set project PROJECT_ID
gcloud config set compute/zone ZONE_NAME

Confirm settings

Before proceeding, confirm that the project and zone match your GCP project ID and zone:

gcloud config list


[compute]
region = us-east4
zone = us-east4-a
[core]
account = netid@nyu.edu
disable_usage_reporting = False
project = test-dev1-bastion-1234


Your active configuration is: [default]

Generate SSH keys

Unused keys expire!

Google Cloud Shell will delete your files, including generated SSH keys, if they are not accessed for 120 days. If this happens you will need to generate them again.

The simplest way to generate SSH keys is to delegate the key generation to gcloud. In order to trigger key creation, run the following command.

note

Ignore the result of this command. It will most likely print errors to the output console.

gcloud compute ssh bastion-vm

You will be prompted to enter an SSH passphrase. This is optional; however, it is recommended for additional user security.

Getting into Bastion

The above command should log you into the bastion VM. You will see a prompt like:

-bash-4.4$

Before proceeding, exit back to your local machine:

exit

Then make sure the above step created two keys in your ssh home directory (~/.ssh) as shown below:

ls ~/.ssh

List ssh keys

Start the ssh-agent on your local machine

eval `ssh-agent -s`

Add the google_compute_engine key to your ssh session

ssh-add ~/.ssh/google_compute_engine

Connect to the instance with gcloud using the --ssh-flag="-A" flag

note

This command uses the default project and zone set above.

gcloud compute ssh bastion-vm --ssh-flag="-A"  --tunnel-through-iap

Add SSH key to session

Run the following command to list the keys held by the forwarded agent and confirm that the google_compute_engine key is available in the current session:

ssh-add -L

Connect to the workstation-vm

ssh 10.0.0.2

Future logins

After the initial login, you will not need to regenerate the SSH keys, but you will need the rest of the command sequence from “Start the SSH agent”. On your local machine:

eval `ssh-agent -s`
ssh-add ~/.ssh/google_compute_engine
gcloud compute ssh bastion-vm --ssh-flag="-A" --tunnel-through-iap --project=PROJECT_ID

And then on the bastion VM:

ssh 10.0.0.2
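
The "Confirm settings" check and the agent key check can be scripted in front of the future-login sequence. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes gcloud wrote the public key next to the private key as ~/.ssh/google_compute_engine.pub.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the "Future logins" sequence.
# Function names are hypothetical; the gcloud and ssh-add calls are those used in this guide.

# Print KEY from [SECTION] of `gcloud config list` output read on stdin.
config_value() {  # usage: config_value SECTION KEY < listing
  awk -v sec="[$1]" -v key="$2" '
    /^\[/ { cur = $0; next }
    cur == sec && $1 == key && $2 == "=" { print $3; exit }'
}

# Succeed only if LISTING names the expected project and zone.
config_matches() {  # usage: config_matches PROJECT_ID ZONE_NAME LISTING
  [ "$(printf '%s\n' "$3" | config_value core project)" = "$1" ] &&
  [ "$(printf '%s\n' "$3" | config_value compute zone)" = "$2" ]
}

# Succeed only if the key in PUBFILE appears in `ssh-add -L` output.
agent_has_key() {  # usage: agent_has_key PUBFILE AGENT_LISTING
  local blob
  blob=$(awk 'NR == 1 { print $2 }' "$1" 2>/dev/null) || return 1
  [ -n "$blob" ] || return 1
  printf '%s\n' "$2" | awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }'
}

# Check settings, load the key if needed, then connect with agent forwarding.
connect_bastion() {  # usage: connect_bastion PROJECT_ID ZONE_NAME
  local key="$HOME/.ssh/google_compute_engine"
  config_matches "$1" "$2" "$(gcloud config list 2>/dev/null)" || {
    echo "gcloud project/zone do not match $1 / $2" >&2
    return 1
  }
  [ -n "${SSH_AUTH_SOCK:-}" ] || eval "$(ssh-agent -s)" >/dev/null
  agent_has_key "$key.pub" "$(ssh-add -L 2>/dev/null)" ||
    ssh-add "$key" || return 1
  gcloud compute ssh bastion-vm --ssh-flag="-A" --tunnel-through-iap \
    --project="$1" --zone="$2"
}

# Example call, with the values supplied by your SRDE administrator:
#   connect_bastion test-dev1-bastion-1234 us-east4-a
```

Source the file in your local shell and call connect_bastion; once on the bastion VM, continue with ssh 10.0.0.2 as before.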

Connecting on MacOS/Linux

Install gcloud CLI

Follow the official guidelines to install the latest version of gcloud CLI locally on your computer.

note

After completing the gcloud installation, verify that the gcloud binary is in your $PATH environment variable.

Configure local gcloud settings

Run the following command. It generates a link as shown below

gcloud auth login --no-launch-browser

GCP authenticate login

Copy the link and open your Chrome browser in incognito mode to perform user sign-in. The username is your NYU NetID email address, e.g. netid@nyu.edu

You will be redirected to the NYU SSO page and MFA verification through Duo Push. After successfully logging in, you will be asked to allow the Google SDK to access your account as shown below:

OAuth consent screen

Pressing the “Allow” button on this page will present the authorization code. Copy the code and paste it in the terminal. If this step is successful, you should see the following text printed to the console: You are now logged in as [netid@nyu.edu].

Connect to the workspace

Follow the same instructions as for connecting with Google Cloud Shell above, starting from the section on setting project and zone.

Connecting on Windows 10/11

Start and Configure SSH-Agent Service

Using an elevated PowerShell window (run as admin), execute the following command to start the SSH-Agent service and configure it to start automatically when you log into your machine:

Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service

Run a script in PowerShell

Install gcloud CLI

Download the Google Cloud CLI installer (https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe) and run the installer

GCloud Installer

Alternatively, run the following command to download and install:

(New-Object Net.WebClient).DownloadFile("https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe", "$env:Temp\GoogleCloudSDKInstaller.exe")

& $env:Temp\GoogleCloudSDKInstaller.exe

Install Git

Download the Git Bash setup from the official website: https://git-scm.com/ and run the installer

Install Putty

Download and install Putty from this link https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

After installation, verify that the PuTTY authentication agent is installed and available

For 64-bit installer, you will find this executable at C:/Program Files/PuTTY/pageant.exe

Install Python (>version 3.0)

Install Python from the official website: https://www.python.org/downloads/

Remember to check “Add python to the environment path.”

Make sure it's installed and available on PATH. On many systems Python comes pre-installed; you can try running the python command to start the Python interpreter and see if it is already installed.

Python in CMD Prompt

On Windows you can also try the py command, a launcher that is more likely to work. If it is installed, you will see a response that includes the version number, for example:

Py in CMD Prompt

Logging in:

Authenticate gcloud by starting a new command line or PowerShell session. Initialize and log in to gcloud with your account (you will be redirected to the browser for authentication):

gcloud auth login

OAuth on windows

GCP login CMD prompt

Run Git Bash and start the ssh-agent on your local machine

eval `ssh-agent -s`

SSH Agent command

Add the SSH key to the agent by running:

pageant.exe

PAgent Windows

The app runs in the background. You can find it in the tray.

PAgent in tray

Right click the icon and select "Add Key". Add the google_compute_engine key with the PPK extension (~/.ssh/google_compute_engine) to your agent:

PPK Add Key

Skip this step in the future

Go to the Pageant shortcut icon from the Windows Start Menu or your desktop.

Right click on the icon, and click on Properties. (If Properties is not an option on the menu, click on Open file location, then right click on the Pageant icon, and click on Properties)

PPK properties

From the Shortcut tab, edit the Target field. Leave the path to pageant.exe intact. After that path, add the path to your Google .ppk key file.

Critical

The key path should be outside the quotation marks.

Here’s an example:

"C:\Program Files\PuTTY\pageant.exe" C:\Users\Sam\.ssh\google_compute_engine.ppk

PAgent properties

SSH into the bastion VM from Git Bash

tip

Ask your SRDE administrator for the appropriate GCP project ID.

Replace gcp-project-id with that information in the below command:

export PROJECT_ID=gcp-project-id;

gcloud compute ssh bastion-vm --ssh-flag="-A" --zone=us-east4-a --tunnel-through-iap --project=${PROJECT_ID}

Export Project ID and login

When SSHing to the bastion in the Git Bash window, a new PuTTY terminal appears with the bastion connection.

PUTTy bastion

A PuTTY security alert window may pop up asking you to accept the host key; click on Accept.

PUTTy security alert

Add SSH key to session

Run ssh-add -L to list the keys held by the forwarded agent and confirm that the google_compute_engine key is available in the current session:

ssh-add -L

Connect to the workstation-vm

ssh 10.0.0.2

PUTTy ssh to vm