Background
To SSH into VM instances in Google Compute Engine, I need to grant the instanceAdmin role to the user, which gives admin control to the user, and that can sometimes be a security issue.
Query
Does Google Compute Engine provide any IAM role which will allow the user to SSH to instances and run programs on them, but not have admin access (i.e. not grant the instanceAdmin role to the user)?
Basic, predefined, and custom GCP IAM roles can help organizations delegate permissions and secure their data. Basic roles are fast and easy to set up, but offer less security than other role types. Predefined roles are built on the principle of least privilege, and therefore offer more security than basic roles.
TL;DR - No, with the list of Google Compute Engine (GCE) IAM roles provided, you cannot use IAM roles to achieve what you are asking.
The following roles allow SSH into GCE VMs:
- Compute Engine Instance Admin, aka roles/compute.instanceAdmin.v1
- Service Account Actor, aka roles/iam.serviceAccountActor
Since GCE uses the metadata server to provision the SSH keys, you will need the permission compute.instances.setMetadata to provision the keys. After the provisioning is done, you will have to use a custom mechanism of your own to distribute the keys.
In other words, you will have to take care of creating additional users yourself on the GCE instance with the desired permissions and controlling provisioning/distribution of the SSH keys to the desired user.
GCE provides tools to manage SSH keys using either the REST APIs or gcloud.
Do read the following guides which explain the process in detail:
GCE will use the metadata server to provision the SSH keys, and it is supported only on the following images, which were created after Feb/Mar 2016:
- CentOS 6 and 7: February 10th, 2016
- Debian 8: February 10th, 2016
- openSUSE 13: February 10th, 2016
- RHEL 6 and 7: February 10th, 2016
- SUSE 11 and 12: March 1st, 2016
- Ubuntu 16.04 LTS and 14.04 LTS: March 3rd, 2016
- Ubuntu 12.04 LTS: March 29th, 2016
You can assign the Compute OS Login and Service Account User IAM roles along with setting the enable-oslogin metadata on the instance to true.
https://cloud.google.com/compute/docs/instances/managing-instance-access
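One way to check an existing project policy for the distinction the two answers draw (instanceAdmin versus OS Login), as an added example that is not from either answer: the policy and metadata below are constructed in the shape of `gcloud projects get-iam-policy` output, the role names are real GCP roles, and roles/compute.osAdminLogin is assumed as the sudo-granting sibling of roles/compute.osLogin (a real role, but not named in the thread).

```python
"""Audit a GCE project IAM policy for SSH-capable bindings (added example, not from
the thread). SAMPLE_POLICY/SAMPLE_METADATA are constructed; all role names are real
GCP roles, roles/compute.osAdminLogin being the sudo variant not named in the thread."""
import json

ADMIN_SSH_ROLES = {"roles/compute.instanceAdmin.v1", "roles/compute.instanceAdmin"}
OSLOGIN_ROLES = {"roles/compute.osLogin": "no sudo", "roles/compute.osAdminLogin": "sudo"}
SA_USER_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountActor"}


def roles_by_member(policy):
    """Flatten IAM policy bindings into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit_ssh_access(policy, metadata, vm_has_service_account=True):
    """Return {member: verdict} for every member holding an SSH-capable role.
    OS Login only takes effect when the enable-oslogin metadata is TRUE (case-insensitive)."""
    oslogin_on = str(metadata.get("enable-oslogin", "")).lower() == "true"
    verdicts = {}
    for member, roles in roles_by_member(policy).items():
        admin = roles & ADMIN_SSH_ROLES
        oslogin = roles & OSLOGIN_ROLES.keys()
        if admin:
            # instanceAdmin may rewrite instance metadata (including ssh-keys): admin access.
            verdicts[member] = f"OVER-PRIVILEGED: {sorted(admin)[0]}; prefer roles/compute.osLogin"
        elif oslogin:
            role = sorted(oslogin)[0]
            if not oslogin_on:
                verdicts[member] = f"MISCONFIGURED: {role} but enable-oslogin is not TRUE"
            elif vm_has_service_account and not roles & SA_USER_ROLES:
                verdicts[member] = f"INCOMPLETE: {role} also needs roles/iam.serviceAccountUser"
            else:
                verdicts[member] = f"OK: {role} ({OSLOGIN_ROLES[role]})"
    return verdicts


# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/compute.instanceAdmin.v1", "members": ["user:ops@example.com"]},
  {"role": "roles/compute.osLogin", "members": ["user:dev@example.com", "user:qa@example.com"]},
  {"role": "roles/iam.serviceAccountUser", "members": ["user:dev@example.com"]}]}""")
SAMPLE_METADATA = {"enable-oslogin": "TRUE"}

if __name__ == "__main__":
    for member, verdict in audit_ssh_access(SAMPLE_POLICY, SAMPLE_METADATA).items():
        print(f"{member}: {verdict}")
```

Pass `vm_has_service_account=False` for instances that run without a service account, where roles/compute.osLogin alone is sufficient.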