artdv

Reputation: 792

GCP Development Server - VM accessible to only one person

I want to automate the creation of development servers within my org's GCP account that are tied to an individual developer.

I intend to script the copying of relevant credentials (think crypto key for GitHub). How do I lock down the VM so that only a single user can access it? GCP has options like block-project-ssh-keys, but we've found that all users are still able to log in using gcloud compute ssh.

I fear this may require a really complex IAM configuration.

  1. Is there an easy way to accomplish this? (IAM or otherwise)
  2. Has anyone seen a project that has automated this or something similar to this? (IAM provisioning of a new tag/group/etc. using a script when a new user joins the org)

Upvotes: 0

Views: 737

Answers (1)

Johannes Passing

Reputation: 2805

  1. Enable OS Login on the project, ideally by using an organizational policy constraint. OS Login automatically disables metadata-based SSH keys.
  2. Grant OS Login roles individually per VM and user so that each user can only log in to their own VM.
  3. Either don't attach service accounts to the VMs at all, or create dedicated service accounts per VM. Then grant users the Service Account user role on "their" service account only.
  4. Don't grant any Compute* roles beyond Compute Viewer on the project. In particular, don't grant Compute Admin or Compute Instance Admin, or any other role that lets users modify instance metadata (because that would let them alter startup and shutdown scripts).

Optionally:

  1. Grant the users Compute Viewer on the project. That ensures that they can list VMs in the Cloud Console.
  2. Only allow SSH access via IAP TCP forwarding, and grant the IAP-secured tunnel user role on a per-VM, per-user basis.

Upvotes: 4
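The per-VM, per-user layout described in the answer above, written as an added Terraform example (not code from the answer or from Google). The project, zone, developer identity and VM name are assumed placeholder values; OS Login is enabled here through instance metadata, and the project-wide `compute.requireOsLogin` constraint the answer recommends is left to the org-policy layer.

```terraform
variable "project" { default = "example-project" }   # assumed placeholder
variable "zone"    { default = "us-central1-a" }      # assumed placeholder
variable "dev"     { default = "alice@example.com" }  # assumed developer identity
variable "name"    { default = "dev-alice" }          # assumed VM / SA name

# Step 3: a dedicated service account that exists for this one VM only.
resource "google_service_account" "vm" {
  project    = var.project
  account_id = var.name
}

# Step 1: OS Login on the VM; metadata-based SSH keys are then ignored.
resource "google_compute_instance" "dev" {
  project      = var.project
  zone         = var.zone
  name         = var.name
  machine_type = "e2-medium"
  boot_disk { initialize_params { image = "debian-cloud/debian-12" } }
  network_interface { network = "default" } # no access_config: no public IP
  metadata = { "enable-oslogin" = "TRUE" }
  service_account {
    email  = google_service_account.vm.email
    scopes = ["cloud-platform"]
  }
}

# Step 2: the OS Login role is bound on this instance, never on the project,
# so the developer cannot SSH into anyone else's VM.
resource "google_compute_instance_iam_member" "oslogin" {
  project       = var.project
  zone          = var.zone
  instance_name = google_compute_instance.dev.name
  role          = "roles/compute.osAdminLogin"
  member        = "user:${var.dev}"
}

# Step 3: Service Account User on "their" service account only.
resource "google_service_account_iam_member" "sa_user" {
  service_account_id = google_service_account.vm.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:${var.dev}"
}

# Optional step 2: IAP TCP forwarding permitted per VM, per user.
resource "google_iap_tunnel_instance_iam_member" "tunnel" {
  project  = var.project
  zone     = var.zone
  instance = google_compute_instance.dev.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:${var.dev}"
}
```

A firewall rule allowing TCP 22 from the IAP range 35.235.240.0/20 is still required for the tunnel to reach the VM, and the developer then connects with `gcloud compute ssh --tunnel-through-iap`. Keeping every project-level grant at Compute Viewer (step 4) is what stops a user from rewriting instance metadata and reclaiming access through startup scripts.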
