I have Owner access to the GCP project. We need to access a Notebook instance which does not have an external IP, so it is using IAP tunneling. I am able to access it, but my team members, who I have given IAP-Secured Tunnel User and Notebook Viewer access, are NOT able to access it and get this error in the PuTTY terminal:
No supported authentication methods available(server sent:public key).
As per the Google documentation, a firewall rule should also be set for IAP, which is NOT set for this instance. But if that's the issue, how am I able to access it and not the others? Is there some other role that needs to be added?
I had a similar issue before, which I fixed from the screen below. You can click on the Add Member button.
Can you try adding them, and then, if you are using the CLI, ask them to update the SDK before trying the command.
Hope this helps.
Although I've given the Owner role to that specific service, I can't use the permissions from my instances that I connect to with SSH from my local machine.
I also can't upload my files to the Storage bucket which I've created in the cloud platform.
Here are the screenshots of the problem:
The problem might be caused by the access token not having the appropriate permission scopes to conduct the required activity. To make sure you're using the auth scope of this service account appropriately, I recommend doing the following:
1. Run the command in the Google documentation inside the VM to create a new key for the service account. This will create a .json file in the current directory containing the private authentication key for the service account.
2. Run the command in the Google documentation to activate the service account.
3. Run the command $gcloud auth list to check if this worked. In the output you should see an asterisk before the service account's name, indicating that this is the service account you are currently using.
4. Now refer to the Google documentation and run $env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"
Google Cloud Compute VMs have a setting for Access Scopes. This feature can limit the permissions that a service account has when attached to a virtual machine.
Go to the Google Cloud Console GUI, select your VM, stop the VM and then edit Access Scopes to grant the permissions you require.
I am working on a project where a user clicks a link/button that says "Access VM" on a webpage; it should internally spin up a Linux-based VM (using GCP, AWS or Azure) and provide the VM terminal in a new browser tab for the user to play around in the VM.
How can I achieve this using GCP/AWS/Azure? Which type of VM should I create so that the user can access the VM terminal over a browser without using an SSH client?
I tried creating a VM on Azure and explored the Bastion option. But this Bastion session should always be initiated from within the Azure portal.
Do we have any other option within GCP, AWS or Azure to achieve this?
I am looking for something similar to the Katacoda website.
There's no built-in feature in GCP that will make such a thing possible. There is an "SSH" button in the VM list, but you have to be able to view the list and also have the permission to connect to the instance. But that requires actually logging into GCP, which I believe is not what you want.
You could try and build some solution where, after clicking a "Connect" button, your website would send a series of commands to GCP's API to create & connect to the new instance. It's possible but rather complicated.
Have a look at the documentation on how to connect to a VM using the browser; maybe it will give you some ideas.
Ultimately you can use many other 3rd party tools, but you still need to provide an address and credentials; additionally you rely on a service that you don't control, so you have to take security (and reliability) into consideration.
In the end you may also consider going through the general information on how to connect to GCP's instances.
I have a cloud instance which I would like to restrict access to. I'm wondering what's the right way to do it.
The setup:
1. I've opened a Google Compute cloud instance and it has an external IP a.b.c.d
2. I would like everyone accessing a.b.c.d to be automatically redirected to Google authentication, and if the account meets the policy, they will be able to proceed
Can anyone suggest a proper way of doing that, without adding code to the application running on a.b.c.d, but by configuring the cloud instance?
Look into using the IAP (Internet Aware Proxy)... it can now be used to shield ssh requests. I've not done what you're trying, but I think it is what you're looking for.
I can't access my Google Cloud Compute Engine instance using SSH through the browser or gcloud. My user account has the required compute.instances.osLogin permission (in fact it has the Owner role) and I've set enable-oslogin to TRUE.
The error in browser:
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
The error in gcloud:
ERROR: (gcloud.compute.ssh) User [my-email#gmail.com] does not have permission to access user [my-email#gmail.com:importSshPublicKey] (or it may not exist): The caller does not have permission
I even have the problem with newly created instances too.
Apparently setting enable-oslogin to TRUE prevents SSH login using SSH keys and we can only use service accounts to access the instance.
I deleted the enable-oslogin metadata both project-wide and instance-specific, and logging in was fixed in both browser and terminal.
EDIT: GCP support's answer:
I am happy that you're able to SSH to your instance after disabling OS Login. However, you want to know what may have caused this error.
Technically, the OS Login feature allows you to manage instance access using IAM roles. However, enabling OS Login on instances disables metadata-based SSH key configurations on those instances. Disabling OS Login restores SSH keys that you have configured in project or instance metadata. For more details about enabling OS Login, you may see the link below.
https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin
I have a (non-admin) account on one GCP project.
When I start the Dataproc cluster, GCP spins up 3 VMs. When I try to access one of the VMs via SSH (in the browser) I get the following error:
I tried to add recommended permissions, but I cannot add the iam.serviceAccounts.actAs permission.
Any idea how to solve this? I read through the GCP documentation, but I just cannot find the solution for this. I have the following roles associated with my account:
If from the console you want to click the "SSH" button next to an instance but face this issue, you can grant the Service Account User role instead of Editor, and it should resolve this.
If you're using OS Login, you may need the Compute OS Login role as well, but SA User should work.
If you're using IAP, you may need the IAP-secured Tunnel User role (or roles/iap.tunnelResourceAccessor in the CLI).
Before:
After adding Service Account User role:
If you want to access it remotely, use a bastion and a Cloud IAP tunnel. Here is an example setup/teardown (NAT and router are optional, if you want to configure your bastion or install packages)
In the end, we managed to solve it by granting users the Editor permission on the Compute Engine default service account. Not sure it is the right way, but it seems to work.
I believe the latest documentation on Compute Engine SSH access is here: https://cloud.google.com/compute/docs/instances/managing-instance-access
It seems that you have to enable OS Login on the specific instance(s) you want to SSH into.
Adding an ID under a role for a specific instance somehow did not work for us.
However, when the same ID was assigned the same role under IAM, it worked.
Official docs: https://cloud.google.com/compute/docs/instances/access-overview
For OS Login https://cloud.google.com/compute/docs/oslogin/set-up-oslogin :
roles/compute.osLogin, which doesn't grant administrator permissions
roles/compute.osAdminLogin, which grants administrator permissions
If you use IAP, you additionally have to add roles/iap.tunnelResourceAccessor, see https://cloud.google.com/iap/docs/managing-access
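The grants this thread keeps circling (IAP-secured Tunnel User, the two OS Login roles, Service Account User for the actAs error) and the IAP firewall rule from the first question can be checked mechanically before anyone opens PuTTY. The following Python is an added example, not code from any of the answers: it reads the JSON shape of gcloud projects get-iam-policy and gcloud compute firewall-rules list --format=json and reports what a member still lacks. The policy and firewall data are constructed, and the IAP source range 35.235.240.0/20 is Google's published range for IAP TCP forwarding, which is not stated on the page.

```python
# Roles this thread names for SSH to an instance behind IAP / OS Login.
IAP_TUNNEL = "roles/iap.tunnelResourceAccessor"
OS_LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
SA_USER = "roles/iam.serviceAccountUser"  # carries iam.serviceAccounts.actAs
BROAD_ROLES = {"roles/owner"}  # why the project Owner in the first question got in regardless
# Google's published IAP TCP-forwarding source range (assumption: not stated on the page).
IAP_SOURCE_RANGE = "35.235.240.0/20"

def roles_for(policy, member):
    """Roles bound to `member` in a `gcloud projects get-iam-policy --format=json` document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def missing_for_iap_ssh(policy, member, os_login=True, instance_has_sa=True):
    """Grants `member` still lacks for IAP SSH; an empty list means IAM is not the blocker."""
    roles = roles_for(policy, member)
    if roles & BROAD_ROLES:
        return []
    missing = [] if IAP_TUNNEL in roles else [IAP_TUNNEL]
    if os_login and not roles & OS_LOGIN_ROLES:
        missing.append("roles/compute.osLogin or roles/compute.osAdminLogin")
    if instance_has_sa and SA_USER not in roles:  # the actAs error in the OS Login question
        missing.append(SA_USER)
    return missing

def _port_allows_22(port):
    lo, _, hi = port.partition("-")  # "22" or a range such as "20-25"
    return int(lo) <= 22 <= int(hi or lo)

def iap_firewall_ok(firewalls, network_tag=None):
    """True if an enabled ingress rule admits tcp/22 from the IAP range to this instance."""
    for fw in firewalls:
        tags = fw.get("targetTags", [])
        if (fw.get("direction", "INGRESS") != "INGRESS" or fw.get("disabled", False)
                or IAP_SOURCE_RANGE not in fw.get("sourceRanges", [])
                or (tags and network_tag not in tags)):  # scoped to tags the instance lacks
            continue
        for allowed in fw.get("allowed", []):
            ports = allowed.get("ports", [])
            if allowed.get("IPProtocol") == "tcp" and (not ports or any(map(_port_allows_22, ports))):
                return True
    return False

# Constructed sample mirroring the first question: the Owner gets in, the teammate
# holds only IAP-secured Tunnel User plus Notebooks Viewer (and gets the PuTTY error).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/iap.tunnelResourceAccessor", "members": ["user:dev@example.com"]},
    {"role": "roles/notebooks.viewer", "members": ["user:dev@example.com"]}]}
SAMPLE_FIREWALLS = [{"name": "allow-ssh-from-iap", "direction": "INGRESS", "sourceRanges": [IAP_SOURCE_RANGE],
                     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}]
```

Run missing_for_iap_ssh(SAMPLE_POLICY, "user:dev@example.com") to see the two grants the teammate in the first question is short of; iap_firewall_ok(SAMPLE_FIREWALLS) covers the firewall side of the same question.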