Reputation: 5817
How may you enable a single IAM user to access a single VM via SSH or cloudshell?
I've tried every variation of Compute Admin permissions, along with a condition on the resource name (matching the VM name), and they are not adequate; i.e., the user's connection is always unexpectedly closed.
Cloud shell is also not available to the user.
The only way the user can access either resource is if they are granted the Owner role.
Here is a similar question; duplicate it if you want, but it is unanswered (the one answer does not solve the problem): SSH into a VM instance managed by an Instance Group in GCP without Owner IAM permission on the project
Upvotes: 0
Views: 1830
Reputation: 21
You can try to grant the following permissions to use IAP TCP forwarding:
- roles/iap.tunnelResourceAccessor
- roles/compute.instanceAdmin.v1
https://cloud.google.com/iap/docs/using-tcp-forwarding
Upvotes: 0
Reputation: 729
You can try OS login. OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances at either an instance or project level by setting IAM permissions.
OS Login provides the following benefits:
- Automatic Linux account lifecycle management
- Fine-grained authorization using Google IAM: project- and instance-level administrators can use IAM to grant SSH access to a user's Google identity without granting a broader set of privileges. For example, you can grant a user permissions to log into the system, but not the ability to run commands such as sudo. Google checks these permissions to determine whether a user can log into a VM instance.
- Automatic permission updates
- Ability to import existing Linux accounts
How to set up OS Login
You can apply the metadata values to your projects or VMs by using one of the following options:
Option 1: Set enable-oslogin in project-wide metadata so that it applies to all the instances in your project.
- In the Google Cloud Console, go to the Metadata page.
- Click Edit.
- Add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable the feature.
- Click Save to apply the changes.
Option 2: Set enable-oslogin in the instance metadata of an existing instance.
- In the Google Cloud Console, go to the VM instances page.
- Click the name of the instance that you want to enable OS Login on.
- On the instance details page, click Edit.
- Under Custom metadata, add a metadata entry, setting the key to enable-oslogin and the value to TRUE. Alternatively, set the value to FALSE to disable OS Login on the instance.
Option 3: Enable OS Login when you create an instance.
- In the Cloud Console, go to the Create an instance page.
- Expand Networking, disks, security, management, sole tenancy to reveal additional configuration options.
- Expand the Security section.
- Expand the Manage access section.
- Select Control VM access through IAM permissions.
- To create the VM, click Create.
If you want to use 2-step verification, please follow this link: Setting up OS Login with 2-step verification.
Upvotes: 0
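Putting the two answers together (IAP TCP forwarding plus OS Login) as a least-privilege alternative to the Owner role, here is an added example script, not code from either answer: it enables OS Login on one instance, grants the user an instance-level OS Login role, and grants the IAP tunnel role on the project narrowed to that VM by an IAM condition. The project, zone, instance and user values are placeholders, and the IAP tunnel resource-name form used in the condition is an assumption to verify against the IAP docs.

```shell
#!/bin/sh
# Added example (not from the question or answers): give ONE user SSH to ONE VM
# via OS Login + IAP TCP forwarding instead of granting project Owner.
# All values below are placeholders; override them in the environment.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder project id
ZONE="${ZONE:-us-central1-a}"                    # placeholder zone
INSTANCE="${INSTANCE:-my-vm}"                    # placeholder VM name
USER_EMAIL="${USER_EMAIL:-alice@example.com}"    # placeholder user
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print gcloud commands only
APPLY="${APPLY:-0}"                              # 1 = actually run the admin steps

# Run gcloud, or print the command when DRY_RUN=1 so it can be reviewed first.
gc() {
  if [ "$DRY_RUN" = "1" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# 1. Enable OS Login on this instance only (the answer's "Option 2", from the CLI).
enable_oslogin() {
  gc compute instances add-metadata "$INSTANCE" --zone "$ZONE" --project "$PROJECT" \
    --metadata enable-oslogin=TRUE
}

# 2. Instance-level IAM: login without sudo (roles/compute.osAdminLogin adds sudo).
#    No project-wide Compute Admin and no SSH-key metadata edits are needed.
grant_oslogin() {
  gc compute instances add-iam-policy-binding "$INSTANCE" --zone "$ZONE" --project "$PROJECT" \
    --member "user:$USER_EMAIL" --role roles/compute.osLogin
}

# 3. IAP tunnel role on the project, limited to this VM by an IAM condition, so the
#    user reaches port 22 through IAP without a public IP. The tunnel resource name
#    ending in "/zones/ZONE/instances/NAME" is an assumption; check the IAP docs.
grant_iap_tunnel() {
  gc projects add-iam-policy-binding "$PROJECT" \
    --member "user:$USER_EMAIL" --role roles/iap.tunnelResourceAccessor \
    --condition "expression=resource.name.endsWith(\"/zones/$ZONE/instances/$INSTANCE\"),title=iap-ssh-$INSTANCE"
}

# 4. What the user runs afterwards. The VPC firewall must allow TCP/22 from the
#    IAP range 35.235.240.0/20 for the tunnel to connect.
user_connect() {
  gc compute ssh "$INSTANCE" --zone "$ZONE" --project "$PROJECT" --tunnel-through-iap
}

if [ "$DRY_RUN" = "1" ] || [ "$APPLY" = "1" ]; then
  enable_oslogin && grant_oslogin && grant_iap_tunnel
fi
```

Run with `DRY_RUN=1` first to see the exact gcloud commands, then with `APPLY=1` as a project administrator; the user then calls `user_connect` (or the `gcloud compute ssh ... --tunnel-through-iap` line directly).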