Naresh MG

Reputation: 723

Grant someone access to only one of the instances on Google compute engine

I have a project on Google Cloud wherein I have a few VM instances created.

I need to give someone access to only one of the instances

For now I have given them access to all the instances by adding them through IAM as

  1. Compute Engine Instance Admin
  2. Adding her as a default compute engine service account actor

But how do I change this to give them access to only one of the instances, please?

Thanks

Upvotes: 2

Views: 3560

Answers (2)

Mohamed Cherkaoui

Reputation: 1

The best practice to grant SSH to a user on GCP is:

  1. Edit the VM instance, in the metadata section add enable-oslogin=TRUE
  2. On the project level add the roles Service Account User and Compute viewer to the user
  3. On the instance level, on the panel of permissions: add the role Compute OS Admin Login or Compute OS Login to the user

Upvotes: 0
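The three steps above map onto two IAM policy documents (project level and instance level) plus one metadata key. The following is an added example, not code from the answer or from Google: it applies those steps to the JSON that `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud compute instances get-iam-policy INSTANCE --zone=ZONE --format=json` return, so the result can be reviewed before it is written back with the matching `set-iam-policy` command. The sample policy, project and principal (`user:alice@example.com`) are constructed for the example.

```python
"""Scope a user from project-wide Instance Admin down to OS Login on one VM.

Added example (not from the answer above). Works on the policy JSON that
gcloud get-iam-policy prints; the sample data below is constructed.
"""
import copy

# Constructed sample: the questioner's current project policy, where the user
# holds Instance Admin and Service Account User on the whole project.
SAMPLE_PROJECT_POLICY = {
    "etag": "BwXyZ123",
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:alice@example.com"]},
    ],
}

# Roles that reach every instance in the project; the user must not keep these
# at project level if access is to be limited to one VM.
PROJECT_WIDE_COMPUTE_ROLES = {
    "roles/compute.instanceAdmin.v1",
    "roles/compute.instanceAdmin",
    "roles/compute.admin",
    "roles/editor",
    "roles/owner",
}


def remove_member_from_roles(policy, member, roles):
    """Copy of policy with `member` removed from each role in `roles`.
    Bindings left with no members are dropped, as IAM requires."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] in roles and member in binding["members"]:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def add_binding(policy, member, role):
    """Copy of policy with `member` added to `role` (idempotent).
    Conditional bindings are left alone; a new unconditional one is added."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new


def roles_of(policy, member):
    """Sorted list of roles `member` holds in `policy`; use it to check the result."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b["members"])


def scope_user_to_one_instance(project_policy, instance_policy, member, admin=True):
    """Apply the answer's steps 2 and 3: project-level Compute Viewer and
    Service Account User, instance-level OS Admin Login (or OS Login),
    and drop any project-wide compute admin role the user still holds."""
    proj = remove_member_from_roles(project_policy, member, PROJECT_WIDE_COMPUTE_ROLES)
    proj = add_binding(proj, member, "roles/compute.viewer")
    proj = add_binding(proj, member, "roles/iam.serviceAccountUser")
    login_role = "roles/compute.osAdminLogin" if admin else "roles/compute.osLogin"
    inst = add_binding(instance_policy, member, login_role)
    return proj, inst


def metadata_enables_oslogin(items):
    """Step 1 check: `items` is metadata.items from
    `gcloud compute instances describe VM --format=json`."""
    return any(i.get("key") == "enable-oslogin"
               and str(i.get("value", "")).upper() == "TRUE" for i in items)


if __name__ == "__main__":
    import json
    user = "user:alice@example.com"
    proj, inst = scope_user_to_one_instance(SAMPLE_PROJECT_POLICY, {"bindings": []}, user)
    print("project roles:", roles_of(proj, user))
    print("instance roles:", roles_of(inst, user))
    print(json.dumps(inst, indent=2))
```

Two things worth checking when you apply this for real: the `etag` is carried through unchanged so that `set-iam-policy` rejects the write if someone edited the policy in between, and `roles/iam.serviceAccountUser` granted at project level still lets the user act as every service account in the project, so it is better granted on the single service account attached to the VM (`gcloud iam service-accounts add-iam-policy-binding`) than on the project.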

Robert Lacok

Reputation: 4324

It is possible to manually add their public SSH key to the machine: the documentation can be found here.
You will generate a public/private key pair, format it, upload the public one to the machine and the user will be able to connect to the machine using the private one.

Then remove the Compute Engine Instance Admin role to take away her access to the other instances.

If you leave her role as default compute engine service account actor, she may assume the same rights as the service account, which by default is project editor.
The best way to limit this is to create a new service account with only the scopes you wish to grant (perhaps access to Storage or some other APIs), set it as the service account for the instance and add the user as its actor. You can read more here.

Upvotes: 1
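The "format it, upload the public one" step in the answer above refers to the `ssh-keys` metadata value Compute Engine reads: one line per key in the form `USERNAME:KEY_TYPE KEY_DATA COMMENT`, or, for a key that should expire, `USERNAME:KEY_TYPE KEY_DATA google-ssh {"userName":"...","expireOn":"..."}`. The following is an added example, not code from the answer or from Google, that builds such a value and merges it into an instance's existing `ssh-keys` metadata without clobbering other users' keys. The user name and the public key material are constructed placeholders.

```python
"""Format and merge `ssh-keys` instance metadata for a single user.

Added example (not from the answer above). Write the result with:
  gcloud compute instances add-metadata VM --zone ZONE \
      --metadata-from-file ssh-keys=keys.txt
Note that add-metadata replaces the whole ssh-keys value, which is why the
merge step below keeps every entry it does not replace.
"""
import json
from datetime import datetime, timezone

# Constructed placeholder, shaped like `ssh-keygen -t ed25519` output
# (the key material is not a real key).
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly "
                 "alice@laptop")


def format_ssh_key_entry(username, pubkey, expire_on=None):
    """Turn an OpenSSH public key line into one Compute Engine ssh-keys entry.
    With `expire_on` (an aware datetime) the expiring `google-ssh` form is used."""
    parts = pubkey.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    key_type, key_data = parts[0], parts[1]
    if expire_on is None:
        return f"{username}:{key_type} {key_data} {username}"
    stamp = expire_on.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+0000")
    meta = json.dumps({"userName": username, "expireOn": stamp},
                      separators=(",", ":"))
    return f"{username}:{key_type} {key_data} google-ssh {meta}"


def _identity(entry):
    """(username, key_data) for an ssh-keys line; used to spot duplicates."""
    user, _, rest = entry.partition(":")
    parts = rest.split()
    return user, (parts[1] if len(parts) > 1 else rest)


def merge_ssh_keys(existing_value, new_entry):
    """Merge `new_entry` into an existing ssh-keys metadata value.
    An existing line for the same user and key is replaced (so re-running with
    a new expiry updates in place); every other user's line is preserved."""
    lines = [l for l in (existing_value or "").splitlines() if l.strip()]
    target = _identity(new_entry)
    kept = [l for l in lines if _identity(l) != target]
    kept.append(new_entry)
    return "\n".join(kept)


def users_in(value):
    """Sorted list of usernames that an ssh-keys value grants login to.
    Run this on the project-level ssh-keys metadata too: a key placed there
    reaches every instance in the project, not just one."""
    return sorted({_identity(l)[0] for l in (value or "").splitlines() if l.strip()})


if __name__ == "__main__":
    # Constructed: an instance that already carries another user's key.
    existing = "bob:ssh-rsa AAAAB3NzaC1yc2EAAAAExampleOnly bob"
    entry = format_ssh_key_entry(
        "alice", SAMPLE_PUBKEY, datetime(2030, 1, 1, tzinfo=timezone.utc))
    merged = merge_ssh_keys(existing, entry)
    print(merged)
    print("users:", users_in(merged))
```

Two caveats the merge does not solve for you: if the user's key is also in the project-level `ssh-keys` metadata, she can still reach every VM in the project unless each instance sets `block-project-ssh-keys=TRUE`, and once `enable-oslogin=TRUE` is set on an instance the metadata-based keys are ignored there in favour of the OS Login IAM roles.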
