Been trying to figure this out but no luck thus far. Surprisingly difficult to achieve when compared to AWS.
I have a Google Cloud Platform (GCP) project with multiple Compute Instances and other services running.
I need to give root access to a single compute instance but not any other service to an external development team.
In the "Compute Engine" view, when I select the instance and add the user as Compute Admin (Full control of all Compute Engine resources), he still cannot ssh into the instance.
Try #1:
Got error: "Require compute.instance.get permission."
So I went and gave that user a Role which included that permission.
Try #2:
Got error "User does not have access to service account..."
Question #1: What on earth needs to be done to just give a role access to a single Compute Instance in GCP?
On AWS there is a specific Role that can be given a single resource access but this does seem to be the case here.
Question #2: Also, what is the purpose of the "Permissions" right sidebar in the "Compute Engine" view if that doesn't actually give any permissions?
Thanks!
From the Google Cloud Platform Console, find “IAM & Admin” in the sidebar, and click on “IAM.” From here, click “Add” to bring up the invite dialog. Enter in the user's email. You can also choose to set a project-wide role, if you need to give them full read or write permissions.
Compute Admin role Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.
I had the same issue and found the solution. I'll try to answer your questions:
Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?
You need to grant the user these permissions:
1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.
2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VMs and grant the user the "Compute Instance Admin (v1)" role.
Now the user can SSH into the VM.
Question #2: Also, what is the purpose of the "Permissions" right sidebar in the "Compute Engine" view if that doesn't actually give any permissions?
In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.
Hope this helps!
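The same three grants as the answer above, expressed with the gcloud CLI so they can be scripted and reviewed, as an added example that is not part of the original answer. One deliberate tightening beyond what the answer describes: instead of granting "Service Account User" on the whole project (which lets the user act as every service account in the project), it is granted only on the service account the VM runs as. The project, zone, instance, user and service-account values are placeholders, and `DRY_RUN=1` (the default) prints the commands instead of running them, so the script can be reviewed before any IAM change is made.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes gcloud is installed and
# authenticated as a project owner. All names below are placeholders.
# DRY_RUN=1 prints each command; DRY_RUN=0 executes it.

: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Project-level: Compute Viewer, so the user can list/get the instance
# (this is what fixes the "Require compute.instance.get permission" error).
grant_project_viewer() {
  project=$1; member=$2
  run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role="roles/compute.viewer"
}

# Service Account User, scoped to the VM's own service account rather than the
# whole project (fixes "User does not have access to service account ...").
grant_sa_user() {
  sa_email=$1; member=$2
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
      --member="$member" --role="roles/iam.serviceAccountUser"
}

# Resource-level: Compute Instance Admin (v1) on the single instance only.
grant_instance_admin() {
  project=$1; zone=$2; instance=$3; member=$4
  run gcloud compute instances add-iam-policy-binding "$instance" \
      --project="$project" --zone="$zone" \
      --member="$member" --role="roles/compute.instanceAdmin.v1"
}

# Review what ended up on the instance (the "Permissions" sidebar in the UI).
show_instance_policy() {
  project=$1; zone=$2; instance=$3
  run gcloud compute instances get-iam-policy "$instance" \
      --project="$project" --zone="$zone"
}

main() {
  project="my-project"                                   # placeholder
  zone="us-central1-a"                                   # placeholder
  instance="dev-vm-1"                                    # placeholder
  member="user:dev@example.com"                          # placeholder
  sa_email="dev-vm-sa@my-project.iam.gserviceaccount.com" # placeholder: the VM's SA

  grant_project_viewer "$project" "$member"
  grant_sa_user "$sa_email" "$member"
  grant_instance_admin "$project" "$zone" "$instance" "$member"
  show_instance_policy "$project" "$zone" "$instance"
}
main
```

Note that Compute Viewer is still a project-wide grant: the external team can read the metadata of every instance in the project even though they can only administer (and SSH into) the one VM. If the VM runs as the default Compute Engine service account, that is the address to pass to `grant_sa_user`; giving that role on a service account that other workloads share is broader than it looks, so a dedicated service account for the shared VM keeps the blast radius to that one machine.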