Been trying to figure this out but no luck thus far. Surprisingly difficult to achieve when compared to AWS.
I have a Google Cloud Platform (GCP) project with multiple Compute Instances and other services running.
I need to give root access to a single compute instance but not any other service to an external development team.
In the "Compute Engine" view, when I select the instance and add the user as Compute Admin (Full control of all Compute Engine resources), he still cannot SSH into the instance.
Try #1:
Got error: "Require compute.instance.get permission."
So I went and gave that user a Role which included that permission.
Try #2:
Got error "User does not have access to service account..."
Question #1
What on earth needs to be done to just give a role access to single Compute Instance in GCP?
On AWS there is a specific Role that can be given a single resource access but this does seem to be the case here.
Question #2
Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
Thanks!
I had the same issue and found the solution. I'll try to answer your questions:
Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?
You need to grant the user these permissions:
1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.
2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VMs and grant the user the "Compute Instance Admin (v1)" role.
Now the user can SSH into the VM.
Question #2: Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.
Hope this helps!
In this link you will find the different ways you can add new users to your project and how to set access control for your Compute Engine resources.
Note: If you want to give a user SSH to virtual machine instances but prevent access to all APIs, add the user's SSH keys to the project or instance instead of adding the user to the project and granting them wide ranging permissions.
If you only want to grant users SSH access to VM instances, then you might add the user's public key to the project or add a user's public key to a specific instance. This is mentioned in link here.
Managing Instance Access Using OS Login, this feature gives you more granular control over which users can connect to your instances and what level of permission they have. For additional details, See this document.
Related
I got a developer intern. I need him to access the GCP paid VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux user account so we can see his files when he clones repos, installs services, etc.
He should not: have access to modify the instance, no access to change disks or instance size, no access to any other resource. Just SSH and root inside a VM.
His account is under his personal email abc..#gmail.com
What exact permissions do I need to give him?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.
b) For Google employees, there should really be a guide/tour for "grant access" that allows people who have fewer than 10 VM instances to follow it and grant access properly without delay or compromising security. He is unable to do paid work :(.
Related:
52756755(why does he need compute admin role for a developer, I need him only to develop and not maintain the instance)
62925708 (why does the user need service account role? He does not need to be creating paid instances)
49384500 (You do not have sufficient permissions to ssh into this instance)
do not have permission to ssh into this instance(
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
If the person has #gmail.com domain then he is an external user and needs to be given external user permission.
Go to IAM & Admin -> From the Project menu select All and click the top organization:
Add the Compute OS Login External User
Now under the project Add the following:
Add Project - Viewer
Add Compute Engine - Service Account User
[optional] Add Compute Engine - Compute View
**Although Compute View is optional for just SSH, it does help the developer/programmer/intern to know what they are running and recommend configuration changes when the program is ready for go-live.
And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo or if just a regular user "Compute OS Login"
Open the instance, click edit and enable OS-Login under Metadata. Add the following
Key: enable-oslogin
Value: TRUE
Stop and start the instance. You need it for the permission to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
If you need to manage user access to your Linux VM instances, you can use one of the following methods:
OS Login
Managing SSH keys in metadata
Temporarily grant a user access to an instance
To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.
More information about granting users SSH to VM instances can be found here.
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.
More information about Access control for users in Cloud compute Engine here.
About roles and permissions
If you need your employee to be able to see the project you need to grant the access to the project according to your needs.
The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.
And in this page you will find a complete list of the roles and permissions included in Cloud compute engine.
On the other hand in this guide about setup OS login, the roles and permission required to complete the process are included. OS login is an option suitable to resolve your issue.
How may you enable a single IAM user to access a single VM via SSH or cloudshell?
I've tried every variation of Compute Admin permissions, along with a condition on the resource name (matching the VM name), and they are not adequate; i.e. the user's connection is always unexpectedly closed.
Cloud shell is also not available to the user.
The only way the user can access either resources is if they are granted the Owner role.
Here is a similar question, duplicate it if you want but it is unanswered (1 answer does not solve the problem), SSH into a VM instance managed by an Instance Group in GCP without Owner IAM permission on the project
You can try OS login. OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions.
OS Login provides the following benefits:
Automatic Linux account lifecycle management
Fine grained authorization using Google IAM - Project and instance-level administrators can use IAM to grant SSH access to a user's Google identity without granting a broader set of privileges. For example, you can grant a user permissions to log into the system, but not the ability to run commands such as sudo. Google checks these permissions to determine whether a user can log into a VM instance.
Automatic permission updates
Ability to import existing Linux accounts
How to set up OS Login
You can apply the metadata values to your projects or VMs by using one of the following options:
Option 1: Set enable-oslogin in project-wide metadata so that it applies to all the instances in your project.
In the Google Cloud Console, go to the Metadata page.
Click Edit.
Add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable the feature.
Click Save to apply the changes.
Option 2: Set enable-oslogin in the instance metadata of an existing instance.
In the Google Cloud Console, go to the VM instances page.
Click the name of the instance that you want to enable OS Login on.
On the instance details page, click Edit.
Under Custom metadata, add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable OS Login on the instance.
Option 3: Enable OS Login when you create an instance.
In the Cloud Console, go to the Create an instance page.
Expand Networking, disks, security, management, sole tenancy to reveal additional configuration options.
Expand the Security section.
Expand the Manage access section.
Select Control VM access through IAM permissions.
To create the VM, click Create.
If you want to use 2-step verification, please follow this link:
Setting up OS Login with 2-step verification.
You can try to grant following permissions to use IAP TCP forwarding
roles/iap.tunnelResourceAccessor
roles/compute.instanceAdmin.v1
https://cloud.google.com/iap/docs/using-tcp-forwarding
I have one person (a) who is in charge of administrating our Windows instances on Google Cloud and another person manages our Ubuntu instances. I want to allow the first person to have permission to start, stop, reset, change metadata / instance-size and login as admin on the Windows instances, but I don't want them to have access to perform those actions on any of the Ubuntu instances. All of the instances are part of the same project.
Is there any way to grant such permissions at an instance-level, without granting them for all instances in the project?
Google Compute Engine supports specifying the service account to use for the instance.
I recommend creating a new service account, assigning the Project Editor role and then assign that service account to instances that require this level of permission.
I do not recommend using Compute Engine Scopes to control permissions. Specify the desired roles for the service account, assign the service account to Compute Engine and specify "Allow full access to all Cloud APIs". The actual permissions will be controlled by the service account roles. Scopes are too granular in some cases.
I wrote an article that dives deeper into Compute Engine service accounts.
Google Cloud – Compute Engine Service Accounts
GCP allows one to provide fine grained permissions on Compute Engine instances. This appears to be well documented in the documentation found at:
Granting access to Compute Engine resources
At the highest level, we can assign permissions either through Cloud Console or through the gcloud command.
I was having trouble finding a way to do this because it is not available from the "IAM" section on Google Cloud. However, you can assign instance-specific roles and permissions from the Compute Engine - VM Instances page:
Go to the Compute Engine VM Instances page: https://console.cloud.google.com/compute/instances
Click the checkbox beside the instance(s) to which you want to assign instance-specific roles.
Click on "Show Info Panel".
On the "Info Panel" on the right side of the screen under "Permissions" click "Add Members".
Select the members / roles you want to assign and click "Save".
A client is trying to give me access to set up a Google Compute Engine instance. I have been given both Compute Admin and Compute Instance Admin (v1) roles. I can select her project when I log in to mine.
Further, I can access the Compute Engine area, which gives me the typical "Create", "Import", and "Take the Quickstart" options. When I click on "Create" I get the normal sidebar (new VM instance, new VM instance from template, and marketplace) but the form used to create does not appear and it's just the white background.
I've never had anyone give me access to their account so I am at a loss. I even had one of my other accounts give the other account access via the Compute Admin role and it worked fine. In other words, I had no problem giving the account access to one of my other accounts, but cannot seem to get access to her account.
A couple of things I have observed that may or may not be relevant:
I receive HTTP 403 responses for some resources when I try to access the page with the create instance form.
Her project is listed under "no organization".
She is using the free trial.
I have verified that the issue occurs in both Safari and Chrome.
Sorry I can't embed my images yet.
Verified my assigned roles via screenshot
Expected screen
Actual screen
It looks like a permission issue. Have you tried with the role "Compute Engine Admin Role"? Also grant the roles/iam.serviceAccountUser role to your account from the customer project; take a look at the Google documentation.
However, from the screenshot you shared, with the Owner role it should work.
Could you create a new project from the client side and then share it with your account?
I have a project on Google Cloud wherein I have a few VM instances created.
I need to give someone access to only one of the instances
For now I have given them access to all the instances by adding them through IAM as
Compute Engine Instance Admin
Adding her as a default compute engine service account actor
But how do I change this to give them access to only one of the instances please?
Thanks
It is possible to manually add their public SSH key to the machine: the documentation can be found here.
You will generate a public/private key pair, format it, upload the public one to the machine and the user will be able to connect to the machine using the private one.
Then remove the Compute Engine Instance Admin role to take away her access to the other instances.
If you leave her role as default compute engine service account actor, she may assume the same rights as the service account, which by default is project editor.
The best way to limit this is create a new service account with only the scopes you wish to grant (perhaps access to Storage or some other APIs), set it as the service account for the instance and add the user as its actor. You can read more here.
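As an added illustration (not code from any answer on this page), the key-based alternative described above and in the earlier "Temporarily grant a user access" answer: building the `ssh-keys` metadata value for a user and auditing it for expired temporary entries. The line layout (`USERNAME:KEY USERNAME`, and `google-ssh {"userName":...,"expireOn":...}` for expiring keys) is assumed from the public Compute Engine metadata documentation; the public key used is a constructed sample.

```python
# Added example: build and audit the "ssh-keys" metadata value used for
# key-based SSH access (format assumed from the public GCE metadata docs).
import json
from datetime import datetime, timezone

EXPIRE_FMT = "%Y-%m-%dT%H:%M:%S%z"  # expireOn layout used by google-ssh entries


def ssh_keys_entry(username, public_key, expires_at=None):
    """Return one ssh-keys metadata line for username.

    expires_at (timezone-aware datetime) turns it into a temporary key entry.
    """
    parts = public_key.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("expected an OpenSSH public key line")
    key = " ".join(parts[:2])  # drop the key comment; GCE uses the trailing field
    if expires_at is None:
        return f"{username}:{key} {username}"
    stamp = expires_at.astimezone(timezone.utc).strftime(EXPIRE_FMT)
    meta = {"userName": username, "expireOn": stamp}
    return f"{username}:{key} google-ssh {json.dumps(meta, separators=(',', ':'))}"


def active_entries(metadata_value, now):
    """Return the ssh-keys lines still valid at `now` (aware datetime).

    Temporary google-ssh entries whose expireOn has passed are dropped, so the
    result can be written back to metadata during an access review.
    """
    kept = []
    for line in metadata_value.splitlines():
        if not line.strip():
            continue
        if " google-ssh " in line:
            meta = json.loads(line.split(" google-ssh ", 1)[1])
            if datetime.strptime(meta["expireOn"], EXPIRE_FMT) <= now:
                continue  # expired temporary grant
        kept.append(line)
    return kept


# Constructed sample key (not a real key) for a stand-alone run.
SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForExample dev@laptop"

if __name__ == "__main__":
    until = datetime(2030, 1, 1, tzinfo=timezone.utc)
    value = "\n".join([ssh_keys_entry("dev", SAMPLE_KEY),
                       ssh_keys_entry("intern", SAMPLE_KEY, until)])
    print(value)
    print(active_entries(value, datetime(2031, 1, 1, tzinfo=timezone.utc)))
```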
The best practice to grant SSH to a user on GCP is:
Edit the VM instance, in the metadata section add
enable-oslogin=TRUE
On the project level add the roles Service Account User and Compute viewer to the user
On the instance level, on the panel of permissions: add the role Compute OS Admin Login or Compute OS Login to the user
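As an added example (not code from any answer on this page), a small Python model of the SSH access rule the earlier answers quote: the caller needs `iam.serviceAccounts.actAs` plus either a `setMetadata` permission or `compute.instances.osLogin` with `enable-oslogin=TRUE`, and an identity outside the organization additionally needs the org-level external-user role. The per-role permission subsets are assumed from the public IAM role documentation (the real roles carry many more permissions), and the note that metadata-key users get sudo on GCE images is an assumption.

```python
# Added example: evaluate the SSH access rules quoted on this page for one user
# and one VM. Role->permission subsets are assumed from public IAM role docs.
from dataclasses import dataclass

ROLE_PERMS = {
    "roles/compute.viewer": {"compute.instances.get"},
    "roles/compute.admin": {"compute.instances.get", "compute.instances.setMetadata"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.setMetadata"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/compute.osLogin": {"compute.instances.osLogin"},
    "roles/compute.osAdminLogin": {"compute.instances.osLogin", "compute.instances.osAdminLogin"},
    "roles/compute.osLoginExternalUser": set(),  # org-level marker role for external identities
}
# Either of these lets the caller push an SSH key through metadata.
METADATA_PERMS = {"compute.instances.setMetadata", "compute.projects.setCommonInstanceMetadata"}


@dataclass
class Grant:
    role: str
    scope: str  # "org", "project" or "instance:<vm name>"


def effective_perms(grants, instance):
    """Union of the modelled permissions that apply to `instance`."""
    scopes = {"org", "project", f"instance:{instance}"}
    return set().union(*(ROLE_PERMS[g.role] for g in grants if g.scope in scopes))


def can_ssh(user, org_domain, grants, instance, oslogin_enabled):
    """Return (allowed, method, sudo, reason) for `user` connecting to `instance`."""
    perms = effective_perms(grants, instance)
    # 1. The VM runs as a service account, so the caller must be allowed to act as it.
    if "iam.serviceAccounts.actAs" not in perms:
        return (False, None, False, "missing iam.serviceAccounts.actAs (Service Account User)")
    # 2. OS Login path: osLogin permission AND enable-oslogin=TRUE on the VM or project.
    if "compute.instances.osLogin" in perms and oslogin_enabled:
        external = not user.endswith("@" + org_domain)
        has_ext = any(g.role == "roles/compute.osLoginExternalUser" and g.scope == "org"
                      for g in grants)
        if external and not has_ext:
            return (False, None, False, "external identity needs Compute OS Login External User at org level")
        return (True, "oslogin", "compute.instances.osAdminLogin" in perms, "OS Login")
    # 3. Metadata path: assumed that key-based users are added to google-sudoers on GCE images.
    if perms & METADATA_PERMS:
        return (True, "metadata", True, "SSH key can be pushed via metadata")
    return (False, None, False, "no setMetadata permission and OS Login not usable")
```

The first branch reproduces the "User does not have access to service account" failure from the opening question, and the second branch reproduces the "Stop and start the instance" requirement: without `enable-oslogin` the OS Login roles alone are not enough.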