guilhem

Reputation: 61

SSH access to GCP VM

I'm using the CLI of the Cloud SDK Docker image (google/cloud-sdk:latest), through a GitLab pipeline, in order to:

The VM is instantiated and running OK, and I can ssh into it through the Cloud Shell terminal. Now, when I want to SSH into it with the CLI in the GitLab pipeline, I get the error: root@compute.(..): Permission denied (publickey).

So I ran the command with --troubleshoot option:

gcloud beta compute ssh --zone $CLOUDSDK_COMPUTE_ZONE $VM_NAME  --project $CLOUDSDK_CORE_PROJECT  --troubleshoot

and I got:

External IP address was not found; defaulting to using IAP tunneling.
Starting ssh troubleshooting for instance https://compute.googleapis.com/compute/beta/projects/(...) in zone europe-west1-b'
Start time: 2021-11-23 11:15:17.120669
---- Checking network connectivity ----
The troubleshooting tool needs permission to check the VM's network connectivity. Is it OK to run this test? (Y/n)?
Enabling service [networkmanagement.googleapis.com] on project [(...)]...
Your source IP address is (...)
Network Connectivity Test Result: REACHABLE
EndpointInfo <EndpointInfo destinationIp: '(...)' destinationNetworkUri: 'projects/(...)/global/networks/default' destinationPort: 22 protocol: 'TCP' sourceIp: '(...)' sourcePort: 56948>
Initial state: packet originating from Internet. START_FROM_INTERNET
Forwarding state: arriving at a Compute Engine instance. ARRIVE_AT_INSTANCE
Config checking state: verify INGRESS firewall rule. APPLY_INGRESS_FIREWALL_RULE
Final state: packet delivered to instance. DELIVER
---- Checking user permissions ----
User permissions: 0 issue(s) found.
---- Checking VPC settings ----
VPC settings: 0 issue(s) found.
---- Checking VM status ----
VM status: 0 issue(s) found.
---- Checking VM boot status ----
VM boot: 0 issue(s) found.

The thing is that no issue is found from the network connectivity tests. What can I check additionally to find out what's wrong?

Thanks for the help,

Guilhem.

Upvotes: 3

Views: 2169

Answers (1)

guilhem

Reputation: 61

The missing piece in my GCP configuration was the configuration of OS Login. So I added the following instruction:

gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

and was then able to connect via SSH to the Google VM.

As a recap, to connect to my GCP VM with no external address, I needed to:

  • Enable IAP-Secured Tunnel User for the service account in IAM
  • Define a firewall ingress rule to allow SSH (allow-ssh-ingress-from-iap)
  • Activate oslogin, with gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
  • Set compute zone and compute region

Upvotes: 3
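The four steps from the answer as gcloud commands, plus an offline check that the SSH ingress rule admits only Google's IAP TCP-forwarding range (35.235.240.0/20) rather than the whole Internet. This is an added example, not code from the question or answer; PROJECT, SA_EMAIL and ZONE are assumed names, and the sample rule description is constructed. It also adds roles/compute.osLogin, which OS Login needs on top of the IAP tunnel role before a service account can get a POSIX login.

```shell
#!/usr/bin/env bash
# Added example (not from the original post); assumes PROJECT, SA_EMAIL and ZONE.
set -eu
# Google's documented source range for IAP TCP forwarding; the SSH rule
# should admit only this range, never 0.0.0.0/0.
IAP_RANGE="35.235.240.0/20"

# The answer's steps as gcloud commands (needs an authenticated gcloud).
configure_iap_ssh() {
  local project="$1" sa_email="$2" zone="$3"
  gcloud config set project "$project"
  gcloud config set compute/zone "$zone"
  # Step 1: IAP-Secured Tunnel User for the pipeline's service account.
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" --role="roles/iap.tunnelResourceAccessor"
  # OS Login additionally needs an OS Login role to map the account to a POSIX user.
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${sa_email}" --role="roles/compute.osLogin"
  # Step 2: ingress on tcp/22, scoped to the IAP proxies only.
  gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
    --direction=INGRESS --action=allow --rules=tcp:22 --source-ranges="$IAP_RANGE"
  # Step 3: enable OS Login project-wide (the missing piece in the answer).
  gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
}

# Offline check over `gcloud compute firewall-rules describe <rule>` YAML on stdin:
# succeeds only if every sourceRanges entry is the IAP range and port 22 is allowed.
fw_rule_is_iap_scoped() {
  local desc ranges r
  desc="$(cat)"
  ranges="$(printf '%s\n' "$desc" | sed -n '/^sourceRanges:/,/^[^ -]/p' | grep '^- ' | sed 's/^- //' || true)"
  [ -n "$ranges" ] || return 1
  for r in $ranges; do
    [ "$r" = "$IAP_RANGE" ] || return 1
  done
  printf '%s\n' "$desc" | grep -qE "^ *- '?22'?$"
}

# Constructed sample of a correctly scoped rule, for trying the check offline.
SAMPLE_IAP_RULE="allowed:
- IPProtocol: tcp
  ports:
  - '22'
direction: INGRESS
name: allow-ssh-ingress-from-iap
sourceRanges:
- 35.235.240.0/20"

printf '%s\n' "$SAMPLE_IAP_RULE" | fw_rule_is_iap_scoped && echo "rule is scoped to IAP"
```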
