Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

IAM Role to SSH to VM without Admin Priveleges

Tags:

google-compute-engine

google-cloud-platform

google-iam

Background

To ssh into VM instances in Google Compute Engine,i need to provide instanceAdmin Role to the user,which gives Admin Control to the User,that sometimes could be a security issue.

Query

Does Google Compute Engine provide any IAM Role,which will allow the User to SSH to instances,run programs on it but not have Admin Access(Not Provide instanceAdmin Role to User)??

like image 302
Rohan Avatar asked Jun 16 '17 07:06

Rohan

People also ask

What is the difference between identity and access management basic roles and IAM predefined roles?

Basic, predefined, and custom GCP IAM roles can help organizations delegate permissions and secure their data. Basic roles are fast and easy to set up, but offer less security than other role types. Predefined roles are built on the principle of least privilege, and therefore offer more security than basic roles.

What is the difference between IAM user and IAM role?

An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it.

What is the difference between IAM roles and policies?

IAM Roles manage who has access to your AWS resources, whereas IAM policies control their permissions. A Role with no Policy attached to it won't have to access any AWS resources. A Policy that is not attached to an IAM role is effectively unused.

2 Answers

TL;DR - No, with the list of Google Compute engine (GCE) IAM roles provided, you cannot use IAM roles to achieve what you are asking.

IAM roles for SSH key provisioning

The following roles allow SSH into GCE VMs:

Compute Engine Instance Admin aka roles/compute.instanceAdmin.v1 Service account actor aka roles/iam.serviceAccountActor

Provisioning SSH keys

Since GCE uses metadata server to provision the SSH keys, you will need the permission compute.instances.setMetadata to provision the keys. After the provisioning is done, you will have to use a custom mechanism of your own to distribute the keys.

In other words, you will have to take care of creating additional users yourself on the GCE instance with the desired permissions and controlling provisioning/distribution of the SSH keys to the desired user.

GCE provides tools to manage SSH keys using either the REST APIs or gcloud.

Do read the following guides which explain the process in detail:

  • SSH Keys
  • Adding and removing SSH keys
  • Provisioning the keys on the client side and connecting to the instance

Supported Images

GCE will use the metadata server to provision the SSH keys and it is supported only on the following images which were created after Feb/Mar 2016.

  • CentOS 6 and 7 February 10th, 2016
  • Debian 8 February 10th, 2016
  • openSUSE 13 February 10th, 2016
  • RHEL 6 and 7 February 10th, 2016
  • SUSE 11 and 12 March 1st, 2016
  • Ubuntu 16.04 LTS and 14.04 LTS March 3rd, 2016
  • Ubuntu 12.04 LTS March 29th, 2016
like image 182
Tuxdude Avatar answered Oct 25 '22 04:10

Tuxdude

You can assign the Compute OS Login and Service Account User IAM role along with setting the enable-oslogin metadata on the instance to true.

https://cloud.google.com/compute/docs/instances/managing-instance-access

like image 20
larsen161 Avatar answered Oct 25 '22 06:10

larsen161
Sign in to Comment

Related questions

How to create cron jobs in firebase programmatically
Google Cloud Run suitable to run Spring Boot?
VPN access to in-house network not working after GKE cluster upgrade to 1.14.6
/healthz route of an app deployed on Google App Engine returns 404
How to enable applications to send email from google container engine
Does Google Cloud SQL support JSON datatype?
Enabling web server access logs for a Google Cloud Storage bucket
Google Cloud Function : support for Google Cloud KMS
use region other than us-central1 for Google Cloud Functions
Does Bigquery support triggers?
What is the difference between Google Kubernetes Engine (GKE) and Google Compute Engine (GCE) in term of server management?
Google Cloud storage is not a function
Where to use Language hints in google-vision text-detection api?
How to copy files from colab or cloud storage to google drive?
Generate presigned url for uploading file to google storage using python
GCP - Impersonate service account as a user
How can I specify persistent volumes when defining a Kubernetes replication controller in Google Cloud?
Difference between the commands "gcloud compute ssh" and "ssh"
Performance is *way* too slow with pubsub push -> app engine
Unable to use google-cloud in a GAE app

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!