I wish to create a user with customized role in GCP for a Project
Roles were:
The user can:
able to ssh all the servers in the project
monitor all the servers in the project
list all snapshots in the project
list all images in the project
The user should not have:
stop/delete the instances
view billing access
launch new instances
create/delete snapshot
create/delete images
create/remove firewall tags
Is it possible?
If so, what are all the permissions that need to be added under the customized role?
As mentioned by Graham Polley, you can definitely use a custom role to set permissions according to your use case. You need to find the appropriate permissions and set them accordingly. You can find this documentation that guides you on how to create and manage custom roles. Note that not all permissions are supported for custom roles. You can find the list of permissions and their associated support level (Supported, Testing, Not Supported) at this link.
Related
I want to create infra in GCP using Terraform whenever any new project is created in the ORG. I want to create only one Service Account and, using that SA, create infra for any future projects as well; I want to automate it using a Bitbucket pipeline.
Tried to resolve this by giving the org admin access to the SA, but it's not working.
Is there any way to do this?
The Organization Administrator can do a lot of things, but related to administering the organization and not necessarily to managing resources like projects, VMs, etc.
For example, if you want the SA to be able to create projects you need the Project Creator role. Of course you want to add the necessary roles depending on what resources you want to manage.
In addition, I don't recommend using the "All Mighty" Owner to manage your resources; instead use just the necessary ones (read: least privilege).
I'd suggest first reading the documentation and understanding the purpose of every GCP role.
How to authorise all projects in GCP with a single GCP SA for Terraform
That is not possible. Each time a new project is created IAM bindings must be added to the project for the service account. Service accounts do not inherit rights.
I got a developer intern. I need him to access the GCP paid VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux user account so we can see his files when he clones repos, installs services, etc.
He should not have access to modify the instance, no access to change disks or instance size, no access to any other resource. Just SSH and root inside a VM.
His account is under his personal email abc..@gmail.com
What exact permissions do I need to give him?
a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.
b) For Google employees, there should really be a guide/tour for "grant access" that allows people who have fewer than 10 VM instances to follow it and grant access properly without delay or compromising security. He is unable to do paid work :(.
Related:
52756755 (why does he need the Compute Admin role for a developer? I need him only to develop and not maintain the instance)
62925708 (why does the user need the Service Account role? He does not need to be creating paid instances)
49384500 (You do not have sufficient permissions to ssh into this instance)
You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
If the person has a @gmail.com domain then he is an external user and needs to be given external user permission.
Go to IAM & Admin -> From the Project menu select All and click the top organization:
Add the Compute OS Login External User
Now under the project Add the following:
Add Project - Viewer
Add Compute Engine - Service Account User
[optional] Add Compute Engine - Compute Viewer
**Although Compute Viewer is optional for just SSH, it does help the developer/programmer/intern to know what they are running and recommend configuration changes when the program is ready for go-live.
And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo or if just a regular user "Compute OS Login"
Open the instance, click edit and enable OS-Login under Metadata. Add the following
Key: enable-oslogin
Value: TRUE
Stop and start the instance. You need it for the permission to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
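The same grants as Terraform, added here as an illustration and not code from the answer above; the project id, org id, zone, instance name and the intern's address are placeholder assumptions. It goes one step beyond the answer in that `enable-oslogin` is set project-wide rather than on the single instance (an instance-level key of the same name overrides the project value).

```hcl
# Added example: OS Login access for one external (gmail.com) user on a single VM.
# Every identifier below is a placeholder (assumption), not a value from the question.
locals {
  project  = "my-project-id"
  org_id   = "123456789012"
  zone     = "us-central1-a"
  instance = "dev-vm"
  intern   = "user:intern@gmail.com"
}

# Organization level: a consumer Google account must hold this role before it can use OS Login.
resource "google_organization_iam_member" "oslogin_external" {
  org_id = local.org_id
  role   = "roles/compute.osLoginExternalUser"
  member = local.intern
}

# Project level: read-only visibility plus the right to act as the VM's service account.
# roles/iam.serviceAccountUser could be narrowed further to that one service account
# with google_service_account_iam_member instead of a project-wide binding.
resource "google_project_iam_member" "viewer" {
  project = local.project
  role    = "roles/viewer"
  member  = local.intern
}

resource "google_project_iam_member" "sa_user" {
  project = local.project
  role    = "roles/iam.serviceAccountUser"
  member  = local.intern
}

# Instance level only: sudo-capable login on this VM and nothing else.
# Use roles/compute.osLogin here for a non-root shell.
resource "google_compute_instance_iam_member" "os_admin_login" {
  project       = local.project
  zone          = local.zone
  instance_name = local.instance
  role          = "roles/compute.osAdminLogin"
  member        = local.intern
}

# The answer sets enable-oslogin=TRUE in the instance's own metadata; this project-wide
# key has the same effect for every VM in the project that does not override it.
resource "google_compute_project_metadata_item" "enable_oslogin" {
  project = local.project
  key     = "enable-oslogin"
  value   = "TRUE"
}
```

Because the only non-read role is bound on the instance resource, the intern gets no permission to stop, resize or delete the VM, which is the boundary the question asks for.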
If you need to manage user access to your Linux VM instances, you can use one of the following methods:
OS Login
Managing SSH keys in metadata
Temporarily grant a user access to an instance
To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.
More information about granting users SSH to VM instances can be found here.
Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.
More information about access control for users in Compute Engine here.
About roles and permissions
If you need your employee to be able to see the project you need to grant the access to the project according to your needs.
The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.
And on this page you will find a complete list of the roles and permissions included in Compute Engine.
On the other hand, in this guide about setting up OS Login, the roles and permissions required to complete the process are included. OS Login is an option suitable to resolve your issue.
In my GCP project, people have Storage Admin access. I want to restrict them and give a few members write access to the GCP bucket. When I try to revoke the access it says the access cannot be changed as it is inherited.
Is there any way to create custom access for a particular storage bucket in GCP? I have to make this for the Airflow DAG bucket.
Custom roles cannot be recognized upwards on the resource hierarchy. For example, a role created at the project level cannot be used at the folder or organization level.
Similarly, custom roles cannot be recognized laterally. For example, a custom role created at the project level cannot be used in bindings in another project even if they are in the same folder or organization.
To use a custom role in different projects or different folders, customers have to create/define the roles at the parent organization level. Note that currently, a custom role cannot be created at the folder level.
For more information on custom roles you can check the public documentation.
I have given the Compute Instance Admin (v1) role with a condition on Type:
1. compute.googleapis.com/Disk and
2. compute.googleapis.com/Instance
If the above conditions are given then the user is not able to create anything. If I remove both conditions then the user is able to create everything, like machine images and snapshots. I want to restrict it to only instances and disks.
There's no such role to fulfill your requirements right away, but you can go ahead and create a custom IAM role. I'd also recommend checking the IAM roles and permissions docs for Compute Engine itself.
Then, while there's no such role for you, you can start by creating a custom role based on e.g. the Compute Viewer role. You'll have to add IAM permissions related to compute.disks and compute.instances in order to allow using and creating VMs and disks.
There's no easy way to determine which permissions are required, but you can start creating VMs in the web UI and check the audit logs for missing permissions. Here are the ones that are definitely required (if your role is based on Compute Viewer):
compute.disks.create
compute.disks.resize
compute.disks.use
compute.instances.reset
compute.instances.resume
compute.instances.setMetadata
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.use
compute.instances.setServiceAccount
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.networks.use
compute.networks.useExternalIp
Also, you'd need to give your user the Service Account User role, because the VMs are created with a particular service account (the Compute Engine default service account is used by default).
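The custom role described above written as Terraform, added as an illustration rather than code from the answer; the project id and user address are placeholder assumptions. It builds on the answer in two ways: it adds `compute.instances.create`, which the list above omits but which is required to create a VM at all, and it grants Service Account User on the default Compute Engine service account only instead of project-wide.

```hcl
# Added example: a custom role that can create and run VMs and disks but not images or
# snapshots, built from Compute Viewer plus the permissions listed in the answer.
# Project id and member address are placeholders (assumptions).
locals {
  project = "my-project-id"
  user    = "user:operator@example.com"
}

data "google_project" "this" {
  project_id = local.project
}

# Pull Compute Viewer's permission list so the custom role starts from that baseline.
data "google_iam_role" "compute_viewer" {
  name = "roles/compute.viewer"
}

locals {
  vm_disk_permissions = [
    "compute.disks.create", "compute.disks.resize", "compute.disks.use",
    "compute.instances.create", # not in the answer's list, but needed to create a VM
    "compute.instances.reset", "compute.instances.resume", "compute.instances.setMetadata",
    "compute.instances.start", "compute.instances.stop", "compute.instances.suspend",
    "compute.instances.update", "compute.instances.use", "compute.instances.setServiceAccount",
    "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
    "compute.networks.use", "compute.networks.useExternalIp",
  ]
}

# Nothing here grants compute.images.create or compute.disks.createSnapshot, so the
# "everything" behaviour of Compute Instance Admin (v1) is avoided.
resource "google_project_iam_custom_role" "vm_disk_operator" {
  project     = local.project
  role_id     = "vmDiskOperator"
  title       = "VM and disk operator"
  description = "Compute Viewer plus instance/disk create and lifecycle; no image or snapshot creation"
  permissions = distinct(concat(data.google_iam_role.compute_viewer.included_permissions, local.vm_disk_permissions))
}

resource "google_project_iam_member" "vm_disk_operator" {
  project = local.project
  role    = google_project_iam_custom_role.vm_disk_operator.name
  member  = local.user
}

# Service Account User on the Compute Engine default service account only, which is
# the identity new VMs run as unless another one is chosen.
resource "google_service_account_iam_member" "act_as_default_compute_sa" {
  service_account_id = "projects/${local.project}/serviceAccounts/${data.google_project.this.number}-compute@developer.gserviceaccount.com"
  role               = "roles/iam.serviceAccountUser"
  member             = local.user
}
```

If VM creation still fails with a missing-permission error, the audit log entry names the exact permission to append to `vm_disk_permissions`.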
Been trying to figure this out but no luck thus far. Surprisingly difficult to achieve when compared to AWS.
I have a Google Cloud Platform (GCP) project with multiple Compute Instances and other services running.
I need to give root access to a single compute instance but not any other service to an external development team.
In the "Compute Engine" view I select the instance and add the user as Compute Admin (Full control of all Compute Engine resources), but he still cannot SSH into the instance.
Try #1:
Got error: "Require compute.instance.get permission."
So I went and gave that user a Role which included that permission.
Try #2:
Got error "User does not have access to service account..."
Questions #1
What on earth needs to be done to just give a role access to single Compute Instance in GCP?
On AWS there is a specific Role that can be given a single resource access but this does seem to be the case here.
Questions #2
Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
Thanks!
I had the same issue and found the solution. I'll try to answer your questions:
Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?
You need to grant the user these permissions:
1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.
2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VMs and grant the user the "Compute Instance Admin (v1)" role.
Now the user can SSH into the VM.
Questions #2 Also what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions.
In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.
Hope this helps!
In this link you will find the different ways you can add new users to your project and how to set access control for your Compute Engine resources.
Note: If you want to give a user SSH to virtual machine instances but prevent access to all APIs, add the user's SSH keys to the project or instance instead of adding the user to the project and granting them wide ranging permissions.
If you only want to grant users SSH access to VM instances, then you might add the user's public key to the project or add a user's public key to a specific instance. This is mentioned in link here.
Managing instance access using OS Login: this feature gives you more granular control over which users can connect to your instances and what level of permission they have. For additional details, see this document.