I was working on a requirement wherein there is a need to know which user/machine has actually created the instances.
For example if a Compute Instance has been created by a Service account, how do we come to know which user had created. Basically, the intention is if we could capture the IP address/MAC address to check for any security flaw ?
Any hints are more than welcome !!!
Listing members that can access a service account
Select a project. Click the email address of the service account that you want to allow the member to impersonate. Click the Permissions tab. The Members with access to this service account section lists the members that can access the service account.
You can find the entire process of impersonating service accounts in [1]
[1]https://cloud.google.com/iam/docs/impersonating-service-accounts#:~:text=Listing%20members%20that%20can%20access%20a%20service%20account,-Use%20the%20Cloud&text=Select%20a%20project.,can%20access%20the%20service%20account.
When a user invokes gcloud with the --impersonate-service-account argument, a log message is generated in the project where the service account is defined:
resource.type="service_account" resource.labels.email_id="sa-name#projectid.iam.gserviceaccount.com"
protoPayload.methodName="GenerateAccessToken"
When a GCE instance is created, a log message that lists the principal and the impersonator is generated in the project where the vm was created.
resource.type="gce_instance"
resource.labels.zone="us-central1-a"
protoPayload.methodName="v1.compute.instances.insert"
protoPayload.authenticationInfo.principalEmail="sa-name#projectid.iam.gserviceaccount.com"
The value you're looking for is in protoPayload.serviceAccountDelegationInfo. The caller's IP is in protoPayload.requestMetadata.callerIp.
Related
I got an developer intern. I need him to access GCP paid VM Instance I created so he can start developing. He should have root access through sudo, and preferably his own username linux account so we can see his files when he clones repo's,installs services,etc.
He should not: have access to modify instance, no access to change discs or instance size, no access to any other resource. Just ssh and root inside a vm.
His account is under his personal email abc..#gmail.com
What exact permissions do I need to give him?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.
b) For google employees, there should really be a guide/tour for "grant access" that allows people who have less then 10 vm instances follow it to grant access properly without delay or compromising security. He is unable to do paid work :(.
Related:
52756755(why does he need compute admin role for a developer, I need him only to develop and not maintain the instance)
62925708 (why does the user need service account role? He does not need to be creating paid instances)
49384500 (You do not have sufficient permissions to ssh into this instance)
do not have permission to ssh into this instance(
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
If the person has #gmail.com domain then he is an external user and needs to be given external user permission.
Go to IAM & Admin -> From the Project menu select All and click the top organization:
Add the Compute OS Login External User
Now under the project Add the following:
Add Project - Viewer
Add Compute Engine - Service Account User
[optional]Add Compute Engine -Compute View
**although the Compute View is optional to just ssh, but it does help the developer/programmer/intern to know what they are running and recommend configuration changes when program is ready for golive.
And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo or if just a regular user "Compute OS Login"
Open the instance, click edit and enable OS-Login under Metadata. Add the following
Key: enable-oslogin
Value: TRUE
Stop and start the instance. You need it for permission to take effect. During troubleshooting none of this worked until we restarted the instance, and magically fixed.
If you need to manage user access to your Linux VM instances, you can use one of the following methods:
OS Login
Managing SSH keys in metadata
Temporarily grant a user access to an instance
To give a user the ability to connect to a VM instance using SSH
without granting them the ability to manage Compute Engine resources,
add the user's public key to the project, or add a user's public key
to a specific instance. Using this method, you can avoid adding a user
as a project member, while still granting them access to specific
instances.
More information about granting users SSH to VM instances can be found here.
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.
More information about Access control for users in Cloud compute Engine here.
About roles and permissions
If you need your employee to be able to see the project you need to grant the access to the project according to your needs.
The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.
And in this page you will find a complete list of the roles and permissions included in Cloud compute engine.
On the other hand in this guide about setup OS login, the roles and permission required to complete the process are included. OS login is an option suitable to resolve your issue.
I have been looking into a way to check all the objects (on Google Cloud Storage) that a IAM Service Account has access to. I have tried using several ways, including the Google Cloud Console, I went into my IAM Service Account and tried to query all the resources that this service account have read access, but it is returning empty.
Is there a way to do that using gcloud or gsutil?
From my last post, let me try to be more specific. Here are the steps that I took to do it:
Went to the IAM --> Service Accounts
Create Service Account and set the following: Service account details
Didn't set any role to the service account: Grant this service account access to project
Didn't set any user access to it: Grant users access to this service account
Clicked on DONE
With that service account in place, I went to one of my Buckets and selected a single file. I've edited a permission on that and added my service account user: Edit testFile2.txt permissions
Now, I do have a Service Account that have access to a single object as a reader. What I want to know now is, I want to find a way to query ALL THE RESOURCES that this service account has access. So, I could find every single file that it does have access as a reader, for example.
Please let me know if it is much more clear now.
I'm working on a GCP project for a client of mine. I need the ability to give my client access to the GCP Console for the project. For example, if my client is traveling and he wants to access his database via MySQL Workbench then he'll need to update the SQL Connections Public IP list with the public ip address for whatever wifi network he's currently connected to. He could contact me to do that for him, but I would rather give him the ability to do this independently, since I'll eventually be turning the system over to him anyway.
So how can I add my client to my GCP account? Essentially, I want my client to be able to log into GCP and see everything that I see when I log into GCP as the owner of the account. I don't want to give my client my GCP login credentials since I may need to create other GCP projects for other clients with those credentials.
For being connected on GCP, your customer need to have a Google account (GMail, GSuite, or something else compliant).
If it hadn't, it can create an account for free in seconds, or it can reuse an existing not Google email to create an account with this email as login and the password of his choice:
Go to https://accounts.google.com/
Select create account
Select Use my current email address instead
Then, as narayansharma said, go to IAM page and add this email to your project. I absolutely don't recommend you to grant to your customer the owner role, because he will be able to do all (create big VM, open any firewall rules, delete resources,...), but select only the roles that you want to grant to him. If you aren't sure, ask here what is the correct role for your customer usage, and we will be able to help you
Note: For a connection to Cloud SQL, instead of allowing external IP to reach your database, I recommend you to use Cloud SQL proxy.
You can easily give permission to your client via IAM.
Please follow the given instructions.
Go to IAM https://console.cloud.google.com/iam-admin/iam and check with your project is correct or not.
Click on the add button from the page. It will open a pop-up, enter your client email address on the new member field.
Select project owner roles from roles field.
Click on save
After save your client can access your project via his personal email.
I hope it will help you.
default service account does not have access to cloud sql and has only read only access to storage.
I tried adding cloud sql admin and storage admin permission to defautl service account but that does not seems to work.
I know it can be solved by using another service account that have these permission and using that when creating compute instance.
I am just curious to know why updating permission of default compute does not work?
It seems that updating the permissions on the Compute Engine default service account is not enough to set the correct level of access you are trying to give to your Compute Engine instance, since, as described here:
When you set up an instance to run as a service account, the level of access the service account has is determined by the combination of access scopes granted to the instance and IAM roles granted to the service account.
From my understanding you are only granting IAM roles to the service account, so, in order to give the desired access level, you should also update the Access scopes for your Compute Engine instance.
When you create a new Compute Engine instance, under Access scopes, it is selected "Allow default access" by default as you can see here New instance. This default access has Cloud SQL access disabled and Cloud Storage access as read-only.
You can refer to this documentation which explains how to change the access scopes for a Compute Engine instance:
To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance.
Once you stop your instance, you can change the Access scopes to either "Set access for each API" or to "Allow full access to all Cloud APIs".
If you choose to set access for each API, you will have to search for "Cloud SQL" and then select "Enabled" and also for "Storage" and select the desired option (Read Only, Write Only, Read Write, Full)
For more information on Access Scopes please refer to this doc and for more information on running Compute Engine instances as service account (including the default service account) please see this doc.
In the Cloud IAM Admin you have to select your Default Service Account by hitting on that pen to the right; then a side.bar will pop up, where you can assign the following roles: Cloud SQL Admin, Cloud SQL Client, Cloud SQL Editor, Cloud SQL Viewer. it's the default role is Editor.
I have a project on Google Cloud where in I have a few vm instances created.
I need to give someone access to only one of the instances
For now I have given them access to all the instances by adding them through IAM as
Compute Engine Instance Admin
Adding her as a default compute engine service account actor
But how do I change this to give them access to only one of the instances please ?
Thanks
It is possible to manually add their public SSH key to the machine: the
documentation can be found here.
You will generate a public/private key pair, format it, upload the public one to the machine and the user will be able to connect to the machine using the private one.
Then remove the Compute Engine Instance Admin role to take away her access to the other instances.
If you leave her role as default compute engine service account actor, she may assume the same rights as the service account, which by default is project editor.
The best way to limit this is create a new service account with only the scopes you wish to grant (perhaps access to Storage or some other APIs), set it as the service account for the instance and add the user as its actor. You can read more here.
The best practice to grant SSH to a User on GCP is :
Edit the VM instance, in the metadata section add
enable-oslogin=TRUE
On the project level add the roles Service Account User and Compute viewer to the user
On the instance level, on the panel of permissions: add the role Compute OS Admin Login or Compute OS Login to the user