/git-remote-https-iap

Seamless authentication for GCP Identity-Aware-Proxy protected Git repositories

Primary LanguageGoApache License 2.0Apache-2.0

git-remote-https+iap

GitHub release (latest by date) GitHub Go Report Card

An open source git-remote-helper that handles authentication for GCP Identity Aware Proxy.

Getting Started

Installing

  • Download pre-compiled binaries from our release page.
  • Install git-remote-https+iap binary onto the system $PATH
  • Run GIT_IAP_VERBOSE=1 git-remote-https+iap install

Configuring

git-remote-https+iap configure \
  --repoURL=https://git.domain.acme/demo/hello-world.git \
  --helperID=xxx \
  --helperSecret=yyy \
  --clientID=zzz

Notes:

  • In the example above, xxx and yyy are the OAuth credentials FOR THE HELPER, that needs to be created as instructed here. zzz is the OAuth client ID that has been created when your Identity Aware Proxy instance has been created.
  • All repositories served on the same domain (git.domain.acme) would share the same configuration

[1]: This needs to be done only once per organisation. While these credentials are not treated as secret and can be shared within your organisation, it seem forbidden to publish them in any open source project.

Usage

Once your domain has been configured, you should be able to use git as you would normally do, without thinking about the IAP layer.

$ git clone https://git.domain.acme/demo/hello-world.git

If you are using git-lfs, the minimal version requirement is >= v2.9.0, which introduced support of HTTP cookies.

Troubleshoot

If needed, you can set the GIT_IAP_VERBOSE=1 environment variable in order to increase the verbosity of the logs.