tprashanth

1 week ago

How to restrict Bastion Host from accessing other GCP resources?

Hi Matt - In the example provided for the Private Google Access lecture, I understood that we need to enable Private Google Access for the VMs with an External IP Address displayed in order for them to access other GCP resources. I noticed that the Bastion Host was able to access GCP resources like Storage. How can we restrict the Bastion host from accessing any GCP resource within the VPC unless explicit access is granted?


Thank you,
Prashanth.

6 days ago
Matt's out of the office until Wednesday, but he'll get back to you then.
5 days ago
The best method is to associate a custom service account with that GCE instance and restrict the roles assigned to that service account. The other method is to not enable Private Google Access, giving it access to only instances in the same VPC.
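The first method above (a dedicated, minimally privileged service account on the bastion) as a worked Terraform configuration. This is an added example, not code from the course or from the thread, and every name in it is an assumption: the project, the subnet `private-subnet`, the bucket `ops-artifacts`, and the zone are illustrative placeholders.

```hcl
# Added example (not from the course). Assumes an existing VPC subnet
# "private-subnet" and an existing bucket "ops-artifacts" in the project.

# A fresh service account carries no project-level roles at all. Everything
# the bastion can reach must be granted explicitly to this identity.
resource "google_service_account" "bastion" {
  account_id   = "bastion-sa"
  display_name = "Bastion host (least privilege)"
}

# Explicit grant: read-only access to exactly one bucket. No other Storage
# bucket, and no other GCP API, is reachable with this identity.
resource "google_storage_bucket_iam_member" "bastion_read_artifacts" {
  bucket = "ops-artifacts"
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.bastion.email}"
}

resource "google_compute_instance" "bastion" {
  name         = "bastion"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = "private-subnet"
    # External IP so the bastion is reachable over SSH; drop this block if
    # you front it with IAP TCP forwarding instead.
    access_config {}
  }

  # Weak setting this replaces: omitting this block (or using the Compute
  # Engine default service account), which is what lets a bastion read any
  # bucket in a project where that default account still holds Editor.
  service_account {
    email = google_service_account.bastion.email
    # Keep the OAuth scope broad and let IAM roles be the control. Scopes
    # only narrow the token; roles decide what the identity may actually do.
    scopes = ["cloud-platform"]
  }
}
```

To confirm the instance is running as the intended identity, query the metadata server from the bastion itself: `curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email` should print `bastion-sa@<project>.iam.gserviceaccount.com`, not the `-compute@developer.gserviceaccount.com` default. Then `gsutil ls gs://ops-artifacts` should succeed while `gsutil ls gs://<any-other-bucket>` returns a 403; that 403 is the "no access unless explicitly granted" behaviour the question asks for. Note that the service account only governs API calls made with the instance's credentials; network reachability of other VMs in the VPC is still a firewall matter.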