by jmarcher 2370 days ago
SSH with IAP over TCP is dope, so is IAP in general for hiding internal websites and tools. There is still some edge case you may want a bastion (e.g. access a private GKE master). For most use cases, you are right, IAP TCP replaces the need for a bastion host. Actually, in this case, their proxy is the bastion host, but hey!

As far as managing SSH keys, I would say: don't do it. Use OS Login instead. For cases like automation, create a service account and use it with OS Login. It gives you a centralized way to manage SSH access (and revoke access) and sudo privileges.

https://cloud.google.com/compute/docs/oslogin/
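Added example (not part of the comment above, and not Google's own tooling): a small set of POSIX shell wrappers around gcloud that put the two points together, turning on OS Login project-wide, granting or revoking SSH access for an automation service account through IAM instead of distributed keys, restricting the SSH firewall rule to the IAP TCP-forwarding source range, and connecting through the IAP tunnel rather than a bastion. The project, zone, instance, firewall-rule and service-account names are placeholders; the roles, flags and the 35.235.240.0/20 IAP range are the real ones documented for GCP.

```shell
#!/bin/sh
# Added example, not code from the thread or from Google.
# Placeholders used below (not real resources): project "example-project",
# zone "us-central1-a", instance "internal-vm", service account
# "automation@example-project.iam.gserviceaccount.com".
# GCLOUD can be overridden (e.g. GCLOUD=echo) to print commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"

# Source range used by IAP TCP forwarding; SSH ingress should be limited to it
# so port 22 is never reachable from the open internet.
IAP_RANGE="35.235.240.0/20"

# Turn on OS Login for every VM in the project via project metadata.
enable_oslogin() {
  project="$1"
  $GCLOUD compute project-info add-metadata --project "$project" \
    --metadata enable-oslogin=TRUE
}

# Grant SSH access through IAM. roles/compute.osLogin gives a login without
# sudo; roles/compute.osAdminLogin gives a login with sudo. Anything else is refused.
grant_oslogin() {
  project="$1"; member="$2"; role="${3:-roles/compute.osLogin}"
  case "$role" in
    roles/compute.osLogin|roles/compute.osAdminLogin) ;;
    *) echo "refusing unexpected role: $role" >&2; return 1 ;;
  esac
  $GCLOUD projects add-iam-policy-binding "$project" \
    --member "$member" --role "$role"
}

# Revocation is the same binding removed; no per-VM authorized_keys cleanup.
revoke_oslogin() {
  project="$1"; member="$2"; role="${3:-roles/compute.osLogin}"
  $GCLOUD projects remove-iam-policy-binding "$project" \
    --member "$member" --role "$role"
}

# Ingress rule that admits SSH only from the IAP proxy range.
allow_ssh_from_iap_only() {
  project="$1"; network="${2:-default}"; rule="${3:-allow-ssh-from-iap}"
  $GCLOUD compute firewall-rules create "$rule" --project "$project" \
    --network "$network" --direction INGRESS --action allow \
    --rules tcp:22 --source-ranges "$IAP_RANGE"
}

# SSH to a VM with no external IP through the IAP TCP tunnel.
ssh_via_iap() {
  project="$1"; zone="$2"; instance="$3"
  $GCLOUD compute ssh "$instance" --project "$project" --zone "$zone" \
    --tunnel-through-iap
}
```

Typical order for a fresh project: enable_oslogin, allow_ssh_from_iap_only, grant_oslogin for the service account (osLogin unless sudo is really needed), then ssh_via_iap from the automation host; access review later is a look at the project's IAM bindings rather than at every VM's authorized_keys.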


I'm currently using osLogin, but wondering if there's a good way to connect to private github repos from each VM. I think ssh keys are the answer for that, but I have no idea! Thanks to both of you for the info - I'll read up on all this stuff!!!