GCP: You do not have sufficient permissions to SSH into this instance

Question

I have a (non-admin) account on one GCP project.

When I start the Dataproc cluster, GCP spins up 3 VMs. When I try to access one of the VM via SSH (in browser) I get the following error:

I tried to add recommended permissions, but I cannot add the iam.serviceAccounts.actAs permission.

Any idea how to solve this? I read through the GCP documentation, but I just cannot find the solution for this. I have the following roles associated with my account:

Answer 1

If from console you want to click the "SSH" button next to an instance but face this issue, you can grant the Service Account User role instead of Editor, and it should resolve this.

If you're using OS Login, you may need the Compute OS Login role as well, but SA user should work.

If you're using IAP, you may need the IAP-secured Tunnel User role (or roles/iap.tunnelResourceAccessor in CLI)

Before:

After adding Service Account User role:

If you want to access remotely, use a bastion and Cloud IAP tunnel. Here is an example setup/teardown (NAT and router optional if you want to configure your bastion or install packages)