I just started using gcloud, and I noticed when I create a VM or going into cloud console, my full name shows up in the console.
Is there a way to create another user with a more generic name? I don't like having my full name in all my VM's and consoles.
Do I just create another user as 'owner' or is there a best practices around this?
When you use gcloud compute ssh [INSTANCE_NAME], gcloud uses your current credentials to create an SSH keypair. The project ssh metadata is then updated with this username and SSH keypair. This is what you are seeing once you connect.
You can create a new SSH keypair with any username that you want. Then you can add this keypair to the instance metadata. Then you can login using that username. This also creates a new home directory in the instance.
For these examples, let's say that you want to create a new user 'development'.
STEP 1: Create a new SSH keypair
ssh-keygen -t rsa -f keypair -C development
This will create two files:
keypair - this is your RSA private key. You need this file to login via SSH to your instance using the new username.
keypair.pub - this is your SSH-RSA public key. The contents is imported to your instance. Display the contents of this file. Notice the username at the end.
STEP 2 (Google Cloud Console Method):
Login to the Google Cloud Console.
Go to "Compute Engine" -> "VM instances".
Click on the instance that you want to modify.
Click the "EDIT" button to modify the instance.
Scroll down to "SSH Keys". Click "Show and edit" under "You have 0 SSH keys".
Copy and paste the contents of "keypair.pub" into the box where "Enter entire key data" is displayed.
Scroll down to the bottom and click "Save".
STEP 3 - Connect to the instance using SSH:
Replace the IP_ADDRESS with the Compute Engine instances external IP address in the following command.
ssh -i keypair development#IP_ADDRESS
This is the correct method to support multiple users connecting to the same Compute Engine instance. Each user has their own keypair and their own username and home directory.
This is also the correct method to provide users with login access to an instance that do not have Google Cloud IAM permissions to the cloud account.
For advanced users, you can use the gcloud compute instances add-metadata command to add the SSH public key to the instance.
You can also add this SSH public key to the Project Metadata which will make this keypair available on all instances within a project.
Related
Azure allows one to create the user and password during the creation of a virtual machine which can later be used for SSH into that VM.
How to create a user and password during run instance in AWS using Java SDK which can be used for SSH.
Currently I laucnh Vm as
runInstancesRequest
.withTagSpecifications(tagSpecification)
.withImageId(ec2Configuration.getImageId())
.withInstanceType(ec2Configuration.getInstanceType())
.withMinCount(ec2Configuration.getMincount())
.withMaxCount(ec2Configuration.getMaxcount())
.withKeyName(ec2Configuration.getKeyPairName())
.withSecurityGroupIds(Arrays.asList(ec2Configuration.getSgId()));
.withMonitoring(true);
RunInstancesResult result = amazonEC2Client.runInstances(
runInstancesRequest);
I want to add something like this
runInstancesRequest
.withTagSpecifications(tagSpecification)
.withImageId(ec2Configuration.getImageId())
.withInstanceType(ec2Configuration.getInstanceType())
.withMinCount(ec2Configuration.getMincount())
.withMaxCount(ec2Configuration.getMaxcount())
.withKeyName(ec2Configuration.getKeyPairName())
.withSecurityGroupIds(Arrays.asList(ec2Configuration.getSgId()));
.withMonitoring(true)
.withUserName("newUser")
.withPassword("d#mnHardPassw0rd");
RunInstancesResult result = amazonEC2Client.runInstances(
runInstancesRequest);
I know AWS has default usernames and passwords based on the AMI but I want to make my own custom username and password while launching the VM.
Edit
Also, How to SSH to a Windows a instance? Is the RDP only option? How can I connect via the key pair and SSH? How to get it's administrator password.
You can add it using UserData:
RunInstancesRequest.withUserData(String userData)
and the user data can be found in the URL below
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-user-account-cloud-init-user-data/
I have a compute instance in project project-b, and a separate project project-a. The instance in project-b needs to access project-a using a project-a service account.
In project-a:
Create the service account. Suppose its name is project-a-service-account#project-a.iam.gserviceaccount.com.
Grant the service account very specific, limited roles
Create and download a key for the service account. Name it key.json.
In project-b:
Create a compute instance
SSH to the instance. Type all the commands that follow into this compute instance SSH shell.
Upload key file key.json to the instance. If you are using the Google Cloud Console SSH window, you can do this using Upload in the gear icon menu in the upper right.
Activate the service account:
gcloud auth activate-service-account project-a-service-account#project-a.iam.gserviceaccount.com --key-file key.json
Reinitialize:
gcloud init
The gcloud init command will offer to re-initialize the current configuration, or create a new one. It might be nice to create a new one, but it's up to you.
Choose account project-a-service-account#project-a.iam.gserviceaccount.com
Now, this instance in project-b can act as the service account in project-a. For example, if the service account has compute.instances.create permission, you can create an instance in project-a:
gcloud compute instances create new-instance --project project-a
Administrators of project-a can revoke this access by revoking the keys for service account project-a-service-account#project-a.iam.gserviceaccount.com.
Google has a super fast-talking demo showing this.
I'd like to get automated deployments going for a VM that I have running in Google Cloud and as part of that, I'm trying to use a service account to SCP my files up to a VM in GCP, but unfortunately, I can't seem to figure out what the correct permissions should be.
After scouring the documentation, I have a service account with these permissions:
compute.instances.get
compute.instances.setMetadata
compute.projects.get
compute.projects.setCommonInstanceMetadata
but when I run the below commands, I get the below output:
+ ./google-cloud-sdk/bin/gcloud auth activate-service-account --key-file=./service-account.json
Activated service account credentials for: [scp-test#my-project.iam.gserviceaccount.com]
+ ./google-cloud-sdk/bin/gcloud beta compute scp hello.txt scp-test:c:/hello.txt --quiet --project=my-project --ssh-key-file=./.ssh/key --zone=us-east4-c
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Your identification has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.
Your public key has been saved in /Users/mac-user/Downloads/scp-test/.ssh/key.pub.
The key fingerprint is:
{OMMITED}
The key's randomart image is:
{OMMITED}
External IP address was not found; defaulting to using IAP tunneling.
Updating project ssh metadata...failed.
Updating instance ssh metadata...failed.
ERROR: (gcloud.beta.compute.scp) Could not add SSH key to instance metadata:
- The user does not have access to service account '{OMMITED}-compute#developer.gserviceaccount.com'. User: 'scp-test#my-project.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
granting my scp-test user the iam.serviceAccountUser role works, but this seems to be bad practice since it then makes my scp-test user able to impersonate the default account ('{OMMITED}-compute#developer.gserviceaccount.com'.), which then seems to give it full access to everything.
How do I grant it only the permissions that it needs for SCP?
In order to use SSH/SCP you need instance admin rights to Compute Engine.
Service account means the service account IAM member that gcloud is configured to use: scp-test#my-project.iam.gserviceaccount.com
You need to give the service account this role:
roles/compute.instanceAdmin.v1
Since your compute instance is also configured to use a service account, you also need this role for your service account:
roles/iam.serviceAccountUser
I used Ansible to create a gce cluster following the guideline at: https://docs.ansible.com/ansible/latest/scenario_guides/guide_gce.html
And at the end of the GCE creations, I used the add_host Ansible module to register all instances in their corresponding groups. e.g. gce_master_ip
But then when I try to run the following tasks after the creation task, they would not work:
- name: Create redis on the master
hosts: gce_master_ip
connection: ssh
become: True
gather_facts: True
vars_files:
- gcp_vars/secrets/auth.yml
- gcp_vars/machines.yml
roles:
- { role: redis, tags: ["redis"] }
Within the auth.yml file I already provided the service account email, path to the json credential file and the project id. But apparently that's not enough. I got errors like below:
UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey).\r\n", "unreachable": true}
This a typical ssh username and credentials not permitted or not provided. In this case I would say I did not setup anything of the username and private key for the ssh connection that Ansible will use to do the connecting.
Is there anything I should do to make sure the corresponding credentials are provided to establish the connection?
During my search I think one question just briefly mentioned that you could use the gcloud compute ssh... command. But is there a way I could specify in Ansible to not using the classic ssh and use the gcloud one?
To have Ansible SSH into a GCE instance, you'll have to supply an SSH username and private key which corresponds to the the SSH configuration available on the instance.
So the question is: If you've just used the gcp_compute_instance Ansible module to create a fresh GCE instance, is there a convenient way to configure SSH on the instance without having to manually connect to the instance and do it yourself?
For this purpose, GCP provides a couple of ways to automate and manage key distribution for GCE instances.
For example, you could use the OS Login feature. To use OS Login with Ansible:
When creating the instance using Ansible, Enable OS Login on the target instance by setting the "enable-oslogin" metadata field to "TRUE" via the metadata parameter.
Make sure the Service Account attached to the instance that runs Ansible have both the roles/iam.serviceAccountUser and roles/compute.osLoginAdmin permissions.
Either generate a new or choose an existing SSH keypair that will be deployed to the target instance.
Upload the public key for use with OS Login: This can be done via gcloud compute os-login ssh-keys add --key-file [KEY_FILE_PATH] --ttl [EXPIRE_TIME] (where --ttl specifies how long you want this public key to be usable - for example, --ttl 1d will make it expire after 1 day)
Configure Ansible to use the Service Account's user name and the private key which corresponds to the public key uploaded via the gcloud command. For example by overriding the ansible_user and ansible_ssh_private_key_file inventory parameters, or by passing --private-key and --user parameters to ansible-playbook.
The service account username is the username value returned by the gcloud command above.
Also, if you want to automatically set the enable-oslogin metadata field to "TRUE" across all instances in your GCP project, you can simply add a project-wide metadata entry. This can be done in the Cloud Console under "Compute Engine > Metadata".
We are just beginning to use Avi in AWS and I am setting up the controller instance.
As I am adding users to the controller instance I would like for users that log in to the instance via shell do so with private/public keypair authentication.
I created a user and added their public key to ~/.ssh/authorized_keys , I also added a NOPASSWD entry, but it seems to still be prompting for a password. Can I log in to the GUI with a password but restrict shell access to keypair only?
Avi Controller ssh expects the key for each user to be in a separate file at /etc/ssh/authorized_keys_username
The SSH config at /etc/ssh/sshd_config sets the path to the authorized keys:
AuthorizedKeysFile /etc/ssh/authorized_keys_%u
You can restrict the user to use keys for shell access by changing /etc/ssh/sshd_config file; but these changes will get overwritten every time you upgrade to a new version.
There is a match option that can disable any users password-based shell access in /etc/ssh/sshd_config
Match User sysadmin,root,aviseuser,avictlruser,testuser
PasswordAuthentication no