Reputation: 693
I have a (non-admin) account on one GCP project.
When I start the Dataproc cluster, GCP spins up 3 VMs. When I try to access one of the VMs via SSH (in the browser) I get the following error:
I tried to add recommended permissions, but I cannot add the iam.serviceAccounts.actAs permission.
Any idea how to solve this? I read through the GCP documentation, but I just cannot find the solution for this. I have the following roles associated with my account:
Upvotes: 7
Views: 14096
Reputation: 48753
Official docs: https://cloud.google.com/compute/docs/instances/access-overview
For OS Login (https://cloud.google.com/compute/docs/oslogin/set-up-oslogin):
roles/compute.osLogin, which doesn't grant administrator permissions
roles/compute.osAdminLogin, which grants administrator permissions
If you use IAP, additionally you have to add roles/iap.tunnelResourceAccessor, see https://cloud.google.com/iap/docs/managing-access
Upvotes: 0
Reputation: 370
Adding an ID under a role for a specific instance somehow did not work for us.
However, when the same ID was assigned the same role under IAM, it worked.
Upvotes: 0
Reputation: 4879
If from the console you want to click the "SSH" button next to an instance but face this issue, you can grant the Service Account User role instead of Editor, and it should resolve this.
If you're using OS Login, you may need the Compute OS Login role as well, but SA user should work.
If you're using IAP, you may need the IAP-secured Tunnel User role (or roles/iap.tunnelResourceAccessor in the CLI).
After adding the Service Account User role:
If you want to access remotely, use a bastion and a Cloud IAP tunnel. Here is an example setup/teardown (NAT and router optional if you want to configure your bastion or install packages):
Upvotes: 5
Reputation: 693
In the end, we managed to solve it by granting users the Editor permission on Compute Engine default service account. Not sure it is the right way but it seems to work.
Upvotes: 3
Reputation: 505
I believe the latest documentation on Compute Engine SSH access is here: https://cloud.google.com/compute/docs/instances/managing-instance-access
It seems that you have to enable OS Login on the specific instance(s) you want to SSH into.
Upvotes: 0
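The grants described in the Service Account User / IAP answer and the OS Login answer above, written out as gcloud commands. This is an added example, not code from any of the answers or from Google's documentation. It assumes the cluster VMs run as the Compute Engine default service account (as the asker's own fix implies), and the project id, user, zone and instance name are placeholders. By default it only prints the planned commands; set RUN_GCLOUD=1 to execute them.

```shell
#!/usr/bin/env bash
# Added example (not from this page's answers, not Google's code): the gcloud
# commands behind the fixes discussed above, printed as a plan first so the
# grants can be reviewed before any IAM policy is changed.
# Every value below is a placeholder; override it in the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"     # placeholder
USER_EMAIL="${USER_EMAIL:-alice@example.com}"    # placeholder
ZONE="${ZONE:-us-central1-a}"                    # placeholder
INSTANCE="${INSTANCE:-cluster-m}"                # placeholder (Dataproc master VM)
RUN_GCLOUD="${RUN_GCLOUD:-0}"                    # 1 = execute, 0 = print only

# The Compute Engine default service account is named after the project
# *number*, not the project id.
default_compute_sa() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Least-privilege alternative to the Editor grant: Service Account User on
# the one service account the VMs run as, bound on that service account's
# own IAM policy rather than on the whole project. This role is what carries
# iam.serviceAccounts.actAs.
grant_sa_user_cmd() {
  local project="$1" sa="$2" member="$3"
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --member=user:%s --role=roles/iam.serviceAccountUser --project=%s\n' \
    "$sa" "$member" "$project"
}

# Project-level grant for the remaining roles (OS Login, IAP tunnel user).
grant_project_role_cmd() {
  local project="$1" member="$2" role="$3"
  printf 'gcloud projects add-iam-policy-binding %s --member=user:%s --role=%s\n' \
    "$project" "$member" "$role"
}

# OS Login is switched on per instance (or project-wide) through metadata.
enable_oslogin_cmd() {
  local project="$1" zone="$2" instance="$3"
  printf 'gcloud compute instances add-metadata %s --zone=%s --project=%s --metadata=enable-oslogin=TRUE\n' \
    "$instance" "$zone" "$project"
}

# SSH to a VM with no public IP: IAP forwards TCP/22 over an authenticated tunnel.
ssh_via_iap_cmd() {
  local project="$1" zone="$2" instance="$3"
  printf 'gcloud compute ssh %s --zone=%s --project=%s --tunnel-through-iap\n' \
    "$instance" "$zone" "$project"
}

# Print the command, or run it when RUN_GCLOUD=1.
run() {
  if [ "$RUN_GCLOUD" = "1" ]; then
    eval "$1"
  else
    printf 'PLAN: %s\n' "$1"
  fi
}

main() {
  local number sa
  if [ "$RUN_GCLOUD" = "1" ]; then
    number="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  else
    number="PROJECT_NUMBER"   # placeholder while only planning
  fi
  sa="$(default_compute_sa "$number")"
  run "$(grant_sa_user_cmd "$PROJECT_ID" "$sa" "$USER_EMAIL")"
  run "$(grant_project_role_cmd "$PROJECT_ID" "$USER_EMAIL" roles/compute.osLogin)"
  run "$(grant_project_role_cmd "$PROJECT_ID" "$USER_EMAIL" roles/iap.tunnelResourceAccessor)"
  run "$(enable_oslogin_cmd "$PROJECT_ID" "$ZONE" "$INSTANCE")"
  run "$(ssh_via_iap_cmd "$PROJECT_ID" "$ZONE" "$INSTANCE")"
}

main
```

The binding in grant_sa_user_cmd is the one that replaces Editor: it attaches to the service account resource, so the user can act as that account (which is what the in-browser SSH flow needs) without gaining edit rights on everything else in the project. Use roles/compute.osAdminLogin instead of roles/compute.osLogin only if the user genuinely needs sudo on the VMs.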