IAM Role to SSH to VM without Admin Privileges

Background

To ssh into VM instances in Google Compute Engine, I need to provide the instanceAdmin role to the user, which gives admin control to the user; that could sometimes be a security issue.

Query

Does Google Compute Engine provide any IAM role which will allow the user to SSH to instances and run programs on them, but not have admin access (i.e. not provide the instanceAdmin role to the user)?

asked Jun 16 '17 07:06 by Rohan



2 Answers

TL;DR - No, with the list of Google Compute engine (GCE) IAM roles provided, you cannot use IAM roles to achieve what you are asking.

IAM roles for SSH key provisioning

The following roles allow SSH into GCE VMs:

  • Compute Engine Instance Admin aka roles/compute.instanceAdmin.v1
  • Service account actor aka roles/iam.serviceAccountActor

Provisioning SSH keys

Since GCE uses the metadata server to provision the SSH keys, you will need the permission compute.instances.setMetadata to provision the keys. After the provisioning is done, you will have to use a custom mechanism of your own to distribute the keys.

In other words, you will have to take care of creating additional users yourself on the GCE instance with the desired permissions and controlling provisioning/distribution of the SSH keys to the desired user.

GCE provides tools to manage SSH keys using either the REST APIs or gcloud.

Do read the following guides which explain the process in detail:

  • SSH Keys
  • Adding and removing SSH keys
  • Provisioning the keys on the client side and connecting to the instance

Supported Images

GCE will use the metadata server to provision the SSH keys and it is supported only on the following images which were created after Feb/Mar 2016.

  • CentOS 6 and 7 February 10th, 2016
  • Debian 8 February 10th, 2016
  • openSUSE 13 February 10th, 2016
  • RHEL 6 and 7 February 10th, 2016
  • SUSE 11 and 12 March 1st, 2016
  • Ubuntu 16.04 LTS and 14.04 LTS March 3rd, 2016
  • Ubuntu 12.04 LTS March 29th, 2016
answered Oct 25 '22 04:10 by Tuxdude
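The metadata-based provisioning this answer describes, as an added example that is not part of the answer or of any Google tooling. It edits the `ssh-keys` metadata value the way a practitioner should: parse the existing value, drop expired entries, avoid duplicate keys, and write back only what changed, so one user's rotation never clobbers another user's access. It assumes the documented line formats `USERNAME:KEY_TYPE KEY_VALUE [COMMENT]` and, for time-limited access, `USERNAME:KEY_TYPE KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"YYYY-MM-DDTHH:MM:SS+0000"}`. The sample metadata value, usernames and instance name are constructed; the `gcloud` command is assembled but not executed. Two caveats worth keeping in mind when you go this route: the guest agent adds every user it creates from `ssh-keys` to the `google-sudoers` group, so metadata-provisioned logins get passwordless sudo, and compute.instances.setMetadata also lets the holder write `startup-script`, which runs as root on boot, so the permission is root-equivalent on the VM rather than a narrower grant than instanceAdmin.

```python
"""Maintain the Compute Engine `ssh-keys` metadata value while adding or revoking keys.

Added example (not from the answer above). Assumes the documented entry formats:
    USERNAME:KEY_TYPE KEY_VALUE [COMMENT]
    USERNAME:KEY_TYPE KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"...+0000"}
All sample values below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

EXPIRY_MARKER = " google-ssh "
EXPIRY_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # produces/accepts the +0000 form used by GCE


def parse_ssh_keys(blob):
    """Split the metadata value into (username, key) pairs; reject malformed lines."""
    entries = []
    for line in blob.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")  # first colon only; the JSON tail has colons too
        if not sep or not user or len(key.split()) < 2:
            raise ValueError(f"malformed ssh-keys entry: {line!r}")
        entries.append((user, key))
    return entries


def expiry_of(key):
    """expireOn timestamp of an expiring key, or None for a permanent key."""
    idx = key.find(EXPIRY_MARKER)
    if idx < 0:
        return None
    meta = json.loads(key[idx + len(EXPIRY_MARKER):])
    return datetime.strptime(meta["expireOn"], EXPIRY_FORMAT)


def key_value(key):
    """The base64 body is the second field; the comment or JSON tail is ignored."""
    return key.split()[1]


def expiring_key(username, pubkey, expire_on):
    """Build an entry the guest agent stops honouring once expire_on has passed."""
    key_type, value = pubkey.split()[:2]
    meta = json.dumps({"userName": username, "expireOn": expire_on.strftime(EXPIRY_FORMAT)},
                      separators=(",", ":"))
    return f"{key_type} {value}{EXPIRY_MARKER}{meta}"


def add_key(blob, username, pubkey, now, ttl=None):
    """Return the metadata value with pubkey added for username.

    Expired entries are dropped and an identical key is never added twice, so the
    call is idempotent. With ttl, the entry is written in the expiring form.
    """
    kept = []
    for user, key in parse_ssh_keys(blob):
        expiry = expiry_of(key)
        if expiry is not None and expiry <= now:
            continue  # already expired: do not carry it forward
        if user == username and key_value(key) == key_value(pubkey):
            continue  # same key being re-added: replace rather than duplicate
        kept.append((user, key))
    kept.append((username, expiring_key(username, pubkey, now + ttl) if ttl else pubkey))
    return "\n".join(f"{u}:{k}" for u, k in kept)


def revoke_user(blob, username):
    """Drop every key for username; other users' entries are preserved unchanged."""
    return "\n".join(f"{u}:{k}" for u, k in parse_ssh_keys(blob) if u != username)


def gcloud_set_ssh_keys(instance, zone, path):
    """Argument vector that uploads the value saved at `path` as the instance's ssh-keys metadata."""
    return ["gcloud", "compute", "instances", "add-metadata", instance,
            "--zone", zone, f"--metadata-from-file=ssh-keys={path}"]


# Constructed sample: one permanent key and one key that expired two weeks before SAMPLE_NOW.
SAMPLE_BLOB = (
    "alice:ssh-ed25519 AAAAC3alice alice@laptop\n"
    'bob:ssh-rsa AAAAB3bob google-ssh {"userName":"bob","expireOn":"2017-06-01T00:00:00+0000"}'
)
SAMPLE_NOW = datetime(2017, 6, 16, tzinfo=timezone.utc)
CAROL_KEY = "ssh-ed25519 AAAAC3carol carol@host"
EIGHT_HOURS = timedelta(hours=8)

if __name__ == "__main__":
    updated = add_key(SAMPLE_BLOB, "carol", CAROL_KEY, SAMPLE_NOW, ttl=EIGHT_HOURS)
    print(updated)
    print(" ".join(gcloud_set_ssh_keys("web-1", "us-central1-a", "/tmp/ssh-keys")))
```

Fetch the current value with `gcloud compute instances describe INSTANCE --format='value(metadata.items.ssh-keys)'` before calling `add_key`, write the result to a file, and run the assembled command; using `--metadata-from-file` rather than `--metadata` keeps newlines and the JSON tail intact.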


You can assign the Compute OS Login and Service Account User IAM roles along with setting the enable-oslogin metadata on the instance to true.

https://cloud.google.com/compute/docs/instances/managing-instance-access

answered Oct 25 '22 06:10 by larsen161
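A check to run after following this answer, as an added example that is not part of the answer or of any Google tooling: given the instance description and the project's IAM policy, it reports who can SSH into the VM under OS Login and at what privilege. roles/compute.osLogin gives a shell without sudo and roles/compute.osAdminLogin a shell with sudo; a member holding either still gets no login while `enable-oslogin` is not TRUE, or while the VM runs as a service account and they lack roles/iam.serviceAccountUser on it. It also flags members whose roles can write instance metadata, because writing `ssh-keys` or `startup-script` is root-equivalent on the VM whether or not OS Login is on. The input dicts follow the JSON that `gcloud ... --format=json` prints; the instance, accounts and bindings below are constructed.

```python
"""Report who can SSH into a Compute Engine VM under OS Login, and with what privilege.

Added example (not from the answer above). Inputs use the JSON shapes returned by
    gcloud compute instances describe INSTANCE --format=json
    gcloud projects get-iam-policy PROJECT --format=json
    gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
The sample instance and policy below are constructed for illustration.
"""

# Roles that grant an interactive login once enable-oslogin is TRUE.
LOGIN_ROLES = {
    "roles/compute.osLogin": "login",      # shell as an unprivileged POSIX user
    "roles/compute.osAdminLogin": "sudo",  # shell plus passwordless sudo
}
# Roles that can write instance metadata (ssh-keys, startup-script): root-equivalent
# on the VM regardless of OS Login.
METADATA_ROLES = ("roles/compute.instanceAdmin.v1", "roles/compute.admin",
                  "roles/editor", "roles/owner")
# Needed to log in to a VM that runs as a service account.
SA_USER_ROLE = "roles/iam.serviceAccountUser"
RANK = {"none": 0, "login": 1, "sudo": 2, "root-via-metadata": 3}


def metadata_value(items, key):
    """Look up one key in a metadata `items` list of {"key": ..., "value": ...}."""
    for item in items or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def oslogin_enabled(instance, project_items=None):
    """Instance-level enable-oslogin overrides the project-level value (case-insensitive)."""
    value = metadata_value(instance.get("metadata", {}).get("items"), "enable-oslogin")
    if value is None:
        value = metadata_value(project_items, "enable-oslogin")
    return (value or "").strip().lower() == "true"


def members_with(policy, role):
    """All members bound to `role` in an IAM policy document."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def ssh_access_report(instance, project_policy, sa_policy=None, project_items=None):
    """Map each member to (strongest access level, reason) for this instance."""
    runs_as_sa = bool(instance.get("serviceAccounts"))
    sa_users = members_with(project_policy, SA_USER_ROLE) | members_with(sa_policy or {}, SA_USER_ROLE)
    enabled = oslogin_enabled(instance, project_items)
    report = {}

    def record(member, level, reason):
        if member not in report or RANK[level] > RANK[report[member][0]]:
            report[member] = (level, reason)

    for role in METADATA_ROLES:
        for member in members_with(project_policy, role):
            record(member, "root-via-metadata", f"{role} can write ssh-keys and startup-script metadata")
    for role, level in LOGIN_ROLES.items():
        for member in members_with(project_policy, role):
            if not enabled:
                record(member, "none", f"{role} granted but enable-oslogin is not TRUE")
            elif runs_as_sa and member not in sa_users:
                record(member, "none", f"{role} granted but {SA_USER_ROLE} is missing for the VM's service account")
            else:
                record(member, level, role)
    return report


# Constructed sample data.
SAMPLE_INSTANCE = {
    "name": "web-1",
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
    "serviceAccounts": [{"email": "web-sa@example-project.iam.gserviceaccount.com"}],
}
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/compute.instanceAdmin.v1", "members": ["user:ops@example.com"]},
    {"role": "roles/compute.osLogin", "members": ["user:dev@example.com", "user:newhire@example.com"]},
    {"role": "roles/compute.osAdminLogin", "members": ["user:oncall@example.com"]},
    {"role": SA_USER_ROLE, "members": ["user:dev@example.com", "user:oncall@example.com"]},
]}

if __name__ == "__main__":
    for member, (level, reason) in sorted(ssh_access_report(SAMPLE_INSTANCE, SAMPLE_PROJECT_POLICY).items()):
        print(f"{member:28} {level:18} {reason}")
```

On the sample data, ops@ is reported as root-via-metadata, oncall@ as sudo, dev@ as login, and newhire@ as none because the Service Account User binding is missing; that last case is the usual reason an OS Login user sees "Permission denied" even though roles/compute.osLogin is in place.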