Can't create Google Compute Engine instance - google-cloud-platform

A client is trying to give me access to set up a Google Compute Engine instance. I have been given both Compute Admin and Compute Instance Admin (v1) roles. I can select her project when I log in to mine.
Further, I can access the Compute Engine area, which gives me the typical "Create", "Import", and "Take the Quickstart" options. When I click on "Create" I get the normal sidebar (new VM instance, new VM instance from template, and marketplace) but the form used to create does not appear and it's just the white background.
I've never had anyone give me access to their account so I am at a loss. I even had one of my other accounts give the other account access via the Compute Admin role and it worked fine. In other words, I had no problem giving the account access to one of my other accounts, but cannot seem to get access to her account.
A couple of things I have observed that may or may not be relevant:
I receive HTTP 403 responses for some resources when I try to access the page with the create instance form.
Her project is listed under "no organization".
She is using the free trial.
I have verified that the issue occurs in both Safari and Chrome.
Sorry I can't embed my images yet.
Verified my assigned roles via screenshot
Expected screen
Actual screen

It looks like a permission issue. Have you tried with the role "Compute Engine Admin Role"? Also grant the roles/iam.serviceAccountUser role to your account from the customer project; take a look at the Google documentation.
However, as you shared in the screenshot, with the Owner role it should work.
Could you create a new project from the client side and then share it with your account?

Related

How to give access to "VM Instances" to the intern? with @gmail.com email address (GCP)

I got a developer intern. I need him to access the GCP paid VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux username account so we can see his files when he clones repos, installs services, etc.
He should not: have access to modify the instance, no access to change disks or instance size, no access to any other resource. Just SSH and root inside a VM.
His account is under his personal email abc..@gmail.com
What exact permissions do I need to give him?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.
b) For Google employees, there should really be a guide/tour for "grant access" that allows people who have fewer than 10 VM instances to follow it and grant access properly without delay or compromising security. He is unable to do paid work :(.
Related:
52756755 (why does he need the Compute Admin role for a developer? I need him only to develop and not maintain the instance)
62925708 (why does the user need the Service Account role? He does not need to be creating paid instances)
49384500 (You do not have sufficient permissions to ssh into this instance)
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
If the person has a @gmail.com domain then he is an external user and needs to be given external user permission.
Go to IAM & Admin -> From the Project menu select All and click the top organization:
Add the Compute OS Login External User
Now under the project Add the following:
Add Project - Viewer
Add Compute Engine - Service Account User
[optional] Add Compute Engine - Compute Viewer
**Although Compute Viewer is optional for just SSH, it does help the developer/programmer/intern know what they are running and recommend configuration changes when the program is ready for go-live.
And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo or if just a regular user "Compute OS Login"
Open the instance, click edit and enable OS-Login under Metadata. Add the following
Key: enable-oslogin
Value: TRUE
Stop and start the instance; you need this for the permission to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
If you need to manage user access to your Linux VM instances, you can use one of the following methods:
OS Login
Managing SSH keys in metadata
Temporarily grant a user access to an instance
To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.
More information about granting users SSH to VM instances can be found here.
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.
More information about access control for users in Compute Engine here.
About roles and permissions
If you need your employee to be able to see the project, you need to grant access to the project according to your needs.
The basic roles are Owner, Editor and Viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control access to your project.
And on this page you will find a complete list of the roles and permissions included in Compute Engine.
On the other hand, this guide about setting up OS Login includes the roles and permissions required to complete the process. OS Login is an option suitable to resolve your issue.

How to give user access to GCP jupyterlab via "OPEN JUPYTERLAB" link in AI Platform console

... without giving access to everything in project with Roles like Editor.
Apparently giving access to Notebooks Admin is not sufficient. User gets 403 error.
Turns out that authentication for the notebook proxy that is automatically set up by Google requires that the user has access to use the default compute service account. So, apart from giving a proper role like Notebooks Admin, you need to:
Locate the default compute service account for your project
Give user in question access to Role "Use Service Account" on the service account permissions tab.

Have no access to my VM instances, no sufficient permissions

I lost my access to my VM instances. I am a student at the University of Melbourne, thus I tried to use GCP with my Google account provided by the university (***@student.unimelb.edu.au).
I created my VM instances and I am still able to SSH to my VM, however, I lost my access to it via GCP Dashboard. And here goes the error code:
You are missing at least one of the following required permissions:
Project
resourcemanager.projects.get
And when I checked API with troubleshooter, it says
You do not have the required permissions to make this request. Please
contact your organization administrator.
I don't think I have done anything concerning administrative problems, why did I lose control of my instances?
Your permissions have been limited. As the message says, try to contact your university administrator to find out more. If your project is billed to the university, the university is the organisation admin and can do anything in its own domain.
Did your VM respect the rules of your university? What was its size? Did you mine on it? Did you install unauthorized software? At the administration level, Google provides a lot of metrics and alerts about abnormal resource usage. Maybe you broke a rule.
Are you sure you had permission to view the instance before creating it?
With the error you are talking about, maybe you didn't have access from the start itself. You would have been given access to create, but not to list VMs. I found the access control of GCP very complex; you can have access to many things through the CLI, but to get the same through the console, you need to be granted more accesses.
Ask your admin to grant your account one of the Viewer, Editor or maybe Browser roles from here:
https://cloud.google.com/resource-manager/docs/access-control-proj
Or maybe, as guillaume suggested, you might have broken a rule ;)

How do I grant the "editor" role only on one or two specific Google Cloud Compute Engine Instances?

I have one person (a) who is in charge of administrating our Windows instances on Google Cloud and another person manages our Ubuntu instances. I want to allow the first person to have permission to start, stop, reset, change metadata / instance-size and login as admin on the Windows instances, but I don't want them to have access to perform those actions on any of the Ubuntu instances. All of the instances are part of the same project.
Is there any way to grant such permissions at an instance-level, without granting them for all instances in the project?
Google Compute Engine supports specifying the service account to use for the instance.
I recommend creating a new service account, assigning the Project Editor role and then assign that service account to instances that require this level of permission.
I do not recommend using Compute Engine Scopes to control permissions. Specify the desired roles for the service account, assign the service account to Compute Engine and specify "Allow full access to all Cloud APIs". The actual permissions will be controlled by the service account roles. Scopes are too granular in some cases.
I wrote an article that dives deeper into Compute Engine service accounts.
Google Cloud – Compute Engine Service Accounts
GCP allows one to provide fine grained permissions on Compute Engine instances. This appears to be well documented in the documentation found at:
Granting access to Compute Engine resources
At the highest level, we can assign permissions either through Cloud Console or through the gcloud command.
I was having trouble finding a way to do this because it is not available from the "IAM" section on Google Cloud. However, you can assign instance-specific roles and permissions from the Compute Engine - VM Instances page:
Go to the Compute Engine VM Instances page: https://console.cloud.google.com/compute/instances
Click the checkbox beside the instance(s) to which you want to assign instance-specific roles.
Click on "Show Info Panel".
On the "Info Panel" on the right side of the screen under "Permissions" click "Add Members".
Select the members / roles you want to assign and click "Save".

How to give access to single Compute Instance on GCP?

Been trying to figure this out but no luck thus far. Surprisingly difficult to achieve when compared to AWS.
I have a Google Cloud Platform (GCP) project with multiple Compute Instances and other services running.
I need to give root access to a single compute instance but not any other service to an external development team.
In the "Compute Engine" view I select the instance and add the user as Compute Admin (Full control of all Compute Engine resources), but he still cannot SSH into the instance.
Try #1:
Got error: "Require compute.instance.get permission."
So I went and gave that user a Role which included that permission.
Try #2:
Got error "User does not have access to service account..."
Questions #1
What on earth needs to be done to just give a role access to single Compute Instance in GCP?
On AWS there is a specific Role that can be given a single resource access but this does seem to be the case here.
Questions #2
Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
Thanks!
I had the same issue and found the solution. I'll try to answer your questions:
Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?
You need to grant the user these permissions:
1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.
2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VMs and grant the user the "Compute Instance Admin (v1)" role.
Now the user can SSH into the VM.
Questions #2 Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.
Hope this helps!
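The answers above (the OS Login steps for the intern, and the "Compute Viewer + Service Account User at project level, Compute Instance Admin on the VM" recipe here) all come down to how bindings on three different resources add up. The following is an added example, not code from the thread or from Google: it models project-level, service-account-level and instance-level IAM policies in the JSON shape that `gcloud ... get-iam-policy` prints, resolves a user's effective permissions on one VM, and checks them against the requirements quoted in the "You do not have sufficient permissions to SSH" error. The role-to-permission table is a constructed subset of Google's predefined roles, the VM name, service account name and principal are made up, and the `scenario()` helper is this example's own.

```python
"""Added example (not from the thread or from Google): a small model of how
project-level, service-account-level and instance-level IAM bindings combine
into the permissions the console checks before it lets a user SSH in.
Assumptions: policies use the "bindings" list of {"role", "members"} that
gcloud get-iam-policy prints; ROLE_PERMISSIONS is a constructed subset.
"""
import copy

# Constructed subset of role -> permissions (not the complete role definitions).
ROLE_PERMISSIONS = {
    "roles/compute.viewer": {
        "compute.instances.get", "compute.instances.list", "compute.projects.get"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.setMetadata", "compute.instances.start",
        "compute.instances.stop", "compute.instances.reset"},
    "roles/compute.osLogin": {"compute.instances.osLogin", "compute.projects.get"},
    "roles/compute.osAdminLogin": {
        "compute.instances.osAdminLogin", "compute.instances.osLogin",
        "compute.projects.get"},
    "roles/iam.serviceAccountUser": {
        "iam.serviceAccounts.actAs", "iam.serviceAccounts.get"},
}

# Constructed environment: one VM running as the default compute service account.
INSTANCES = {"dev-vm": {"service_account": "sa:default-compute"}}


def empty_policy():
    return {"bindings": [], "etag": "constructed-etag"}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role` (idempotent)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def permissions_in(policy, member):
    """Permissions `member` receives from one resource's policy."""
    perms = set()
    for binding in policy["bindings"]:
        if member in binding["members"]:
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def effective_permissions(policies, member, instance):
    """Union of what the project, the VM's own service account and the VM grant."""
    service_account = INSTANCES[instance]["service_account"]
    perms = set()
    # Bindings on other instances or other service accounts do not count.
    for resource in ("project", service_account, "instance:" + instance):
        perms |= permissions_in(policies.get(resource, empty_policy()), member)
    return perms


def ssh_blockers(perms, os_login_enabled):
    """Unmet requirements, mirroring the console's 'insufficient permissions' message."""
    missing = []
    if os_login_enabled:
        if "compute.instances.osLogin" not in perms:
            missing.append("compute.instances.osLogin")
    elif not perms & {"compute.instances.setMetadata",
                      "compute.projects.setCommonInstanceMetadata"}:
        missing.append("compute.instances.setMetadata or "
                       "compute.projects.setCommonInstanceMetadata")
    # The VM runs as a service account, so the caller must be allowed to act as it.
    if "iam.serviceAccounts.actAs" not in perms:
        missing.append("iam.serviceAccounts.actAs")
    return missing


def scenario(grants, os_login_enabled):
    """grants: list of (resource, role) given to the user; returns (blockers, can_stop_vm)."""
    user = "user:intern@example.com"  # constructed principal
    policies = {}
    for resource, role in grants:
        policies[resource] = add_binding(policies.get(resource, empty_policy()), role, user)
    perms = effective_permissions(policies, user, "dev-vm")
    return ssh_blockers(perms, os_login_enabled), "compute.instances.stop" in perms


if __name__ == "__main__":
    # "Try #2" in the question: admin role on the VM only -> actAs is missing.
    print(scenario([("instance:dev-vm", "roles/compute.instanceAdmin.v1")], False))
    # The accepted fix: Service Account User at project level -> SSH works, but
    # the user can also stop the VM.
    print(scenario([("instance:dev-vm", "roles/compute.instanceAdmin.v1"),
                    ("project", "roles/iam.serviceAccountUser")], False))
    # OS Login variant: login role on the VM, actAs only on its service account;
    # the user can SSH with sudo but cannot stop or resize the instance.
    print(scenario([("project", "roles/compute.viewer"),
                    ("sa:default-compute", "roles/iam.serviceAccountUser"),
                    ("instance:dev-vm", "roles/compute.osAdminLogin")], True))
```

The third scenario is the least-privilege shape the intern question asks for: the login role sits on the single VM, `iam.serviceAccounts.actAs` is granted on that VM's service account rather than project-wide, and nothing in the set lets the user stop, reset or resize the instance. Binding Service Account User on the wrong service account leaves `actAs` unmet, which is the same symptom as "User does not have access to service account".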
In this link you will find the different ways you can add new users to your project and how to set access control for your Compute Engine resources.
Note: If you want to give a user SSH to virtual machine instances but prevent access to all APIs, add the user's SSH keys to the project or instance instead of adding the user to the project and granting them wide ranging permissions.
If you only want to grant users SSH access to VM instances, then you might add the user's public key to the project or add a user's public key to a specific instance. This is mentioned in link here.
Managing Instance Access Using OS Login, this feature gives you more granular control over which users can connect to your instances and what level of permission they have. For additional details, See this document.
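The "add the user's public key to the project or instance" route mentioned in this answer and in the earlier one means editing the `ssh-keys` metadata entry, and the usual mistake is to overwrite it and lock out everyone whose key was already there. The following is an added example, not code from the thread or from Google: it parses an existing `ssh-keys` value, adds a key without duplicating one already present, revokes a user's keys, and prunes the temporary `google-ssh {"userName": ..., "expireOn": ...}` entries that gcloud writes once they have expired. The entry format is the documented `USERNAME:KEY_TYPE KEY_DATA [comment]`; the metadata text and key strings below are constructed, not real key material.

```python
"""Added example (not from the thread or from Google): maintain the `ssh-keys`
metadata value that the "add the public key to the project or instance" answers
rely on. Assumes the documented entry format `USERNAME:KEY_TYPE KEY_DATA [comment]`
and, for temporary keys, the trailing `google-ssh {...}` JSON gcloud writes.
The sample metadata below is constructed, not real key material.
"""
import json
from datetime import datetime, timezone

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample: current value of the `ssh-keys` entry on a VM.
SAMPLE_METADATA = "\n".join([
    "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAliceKeyData alice@laptop",
    'bob:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBobKeyData google-ssh '
    '{"userName":"bob@example.com","expireOn":"2021-01-01T00:00:00+0000"}',
])


def parse_ssh_keys(text):
    """Parse the metadata value into entries; reject malformed lines or unknown key types."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        parts = key.split(maxsplit=2)
        if not sep or not user or len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
            raise ValueError("malformed ssh-keys entry: %r" % line)
        comment = parts[2] if len(parts) == 3 else ""
        expires = None
        if comment.startswith("google-ssh "):
            meta = json.loads(comment[len("google-ssh "):])
            expires = datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
        entries.append({"user": user, "type": parts[0], "data": parts[1],
                        "comment": comment, "expires": expires})
    return entries


def render_ssh_keys(entries):
    """Serialize entries back to the newline-separated metadata format."""
    lines = []
    for e in entries:
        line = "%s:%s %s" % (e["user"], e["type"], e["data"])
        lines.append(line + (" " + e["comment"] if e["comment"] else ""))
    return "\n".join(lines)


def add_key(entries, user, public_key_line):
    """Add an OpenSSH public key line for `user`; a key already present is not duplicated."""
    new = parse_ssh_keys("%s:%s" % (user, public_key_line))[0]
    if any(e["data"] == new["data"] for e in entries):
        return entries
    return entries + [new]


def remove_user(entries, user):
    """Revoke every key for `user` (the offboarding case)."""
    return [e for e in entries if e["user"] != user]


def prune_expired(entries, now):
    """Drop temporary keys whose expireOn is in the past; permanent keys stay."""
    return [e for e in entries if e["expires"] is None or e["expires"] > now]


if __name__ == "__main__":
    entries = parse_ssh_keys(SAMPLE_METADATA)
    entries = prune_expired(entries, datetime.now(timezone.utc))
    entries = add_key(entries, "carol",
                      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedCarolKeyData carol@desk")
    # Write this value back as the new `ssh-keys` metadata; it still contains alice's key.
    print(render_ssh_keys(entries))
```

Two caveats when using this: writing `ssh-keys` with `gcloud compute instances add-metadata` (or the project-level equivalent) replaces the whole value, so always read, merge and write back as above rather than setting a single key; and keys placed in project metadata apply to every VM in the project unless an instance sets `block-project-ssh-keys` to TRUE, so for "one instance only" access the key belongs in that instance's metadata, not the project's.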