Jinja_dude

Reputation: 529

Issue with `constraints/compute.disableSshInBrowser` Not Effectively Blocking SSH-in-Browser Access in GCP

Issue Summary

Despite enforcing the constraints/compute.disableSshInBrowser policy in our Google Cloud Platform (GCP) organization, I am encountering unexpected behavior where SSH-in-browser access to instances is still possible. This policy is intended to disable the SSH-in-browser tool in the Cloud Console, and it is correctly applied and active on the relevant projects.

Detailed Description

The organization policy constraints/compute.disableSshInBrowser is set to enforce the restriction of SSH access via the browser. This policy, when enforced, should ideally disable the SSH-in-browser button in the Cloud Console, making it impossible to initiate SSH sessions in this manner. However, I have observed that despite this policy being active and correctly set up in our GCP organization, it is still possible to initiate SSH sessions to instances via the browser.

Steps to Reproduce

  1. Confirm that constraints/compute.disableSshInBrowser is enforced in the organization policy.
  2. Navigate to the Cloud Console.
  3. Attempt to initiate an SSH session to an instance via the SSH-in-browser tool.
  4. Observe that the session is successfully established despite the policy.

Expected Behavior

With the constraints/compute.disableSshInBrowser policy enforced, any attempts to use the SSH-in-browser tool should be blocked, and the SSH-in-browser button in the Cloud Console should be disabled.

Actual Behavior

The SSH-in-browser tool remains accessible, and SSH sessions can be initiated despite the policy being enforced.

Impact

This issue poses a significant security concern, as it allows for SSH access methods that the organization's policy explicitly intends to restrict. It undermines the policy enforcement mechanism in GCP and potentially exposes the organization to unauthorized access risks.

Additional Information

Request

I am seeking assistance from the GCP community to understand the root cause of this issue and to find a solution to ensure that the constraints/compute.disableSshInBrowser policy is effectively enforced across all applicable projects in our organization.

Upvotes: 1

Views: 196

Answers (1)

Fariya Rahmat

Reputation: 3220

SSH Browser is still accessible even if the policy constraints/compute.disableSshInBrowser is enabled. This is because disableSshInBrowser was introduced for a few customers to comply with data sovereignty requirements as a temporary measure, but it has now been deprecated, and currently there is no way to disable SSH in the browser.

Also, this is a known issue which is already faced by multiple customers, and the issue has been raised in PIT. It seems the team is working on this issue. You can follow this public issue tracker for further updates on this issue.

Upvotes: 2
