Skip to content

Deploying Apache Guacamole on Google Cloud - provides terraform for deploying GCP resources as well as a Guacamole auth plugin to enable Identity Aware Proxy (IAP) integration.

License

Notifications You must be signed in to change notification settings

nyuhpc/guacamole-on-gcp

 
 

Repository files navigation

Apache Guacamole on Google Cloud Platform

See the tutorial at Google Cloud Architecture Center

This is not an officially supported Google product

Guacamole provides an extension framework - guacamole-ext - which can be used to provide custom authentication mechanisms. The guacamole-auth-googleiap extension is used in conjunction with a database authentication mechanism (Google CloudSQL), applied in the following order:

  • guacamole-auth-googleiap (custom service) - validates the Json Web Token (JWT) passed by IAP. It cryptographically validates this token and ensures its validity. The identity is extracted from the JWT and used as the username passed to the next mechanism in the Guacamole authentication chain.
  • guacamole-auth-jdbc-mysql (built-in service) - this service trusts the identity passed from guacamole-auth-googleiap and compares this with information in the database to perform authorization, as well as storing profile information about that identity.

In order for the extension to properly validate the JWT, it checks that IAP issued the token for Guacamole. The extension checks this by inspecting the JWT headers and payload, and validating the token’s digital signature. For more information about IAP token validations, see Securing your app with signed headers. To verify the token was issued for Guacamole, the extension compares the token’s aud (Audience) claim, to the backendServiceId which is part of the Guacamole’s Load Balancer configuration, created by GKE. The extension uses Google Cloud API to retrieve the backend service ID programmatically from your project, and authenticates to the API with the GKE Workload Identity you configured earlier.

About

Deploying Apache Guacamole on Google Cloud - provides terraform for deploying GCP resources as well as a Guacamole auth plugin to enable Identity Aware Proxy (IAP) integration.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HCL 38.0%
  • Java 37.8%
  • Shell 21.2%
  • Dockerfile 3.0%