by byteofbits 2090 days ago
I’ve seen a variety of solutions to this working on different products but by far the best I have worked with so far is OS Login from Google with their Identity Aware Proxy product.

It allows developers to manage their own certificates (adding a new machine or rotating a key) whilst allowing us to use the GCP IAM tooling to grant access to certain machines - all without hosting bastion servers ourselves or exposing the servers themselves to the public internet.

As it’s based on PAM, it’s also been relatively painless to integrate with other functions like audit logging.

If you’re using GCP already - I’d highly recommend it!