 

Restricting user access for VM in gcp

Assume two users, A and B, have full access to a GCP project. User A creates a VM. Once this is done, it appears user B can log in to the VM and also has sudo access to the VM.

We used the enable-oslogin metadata, but we have an issue where users A and B belong to the same group. Is there any other way I can restrict access for user B?

mo mo asked Mar 03 '20 09:03


1 Answer

As per the docs, you have 2 options.

  1. Managing Instance Access Using OS Login: this feature gives you more granular control over which users can connect to your instances and what level of permission they have. If you remove roles/compute.osLogin, the user won't be able to access any VM in the project (docs).

  2. To grant a user access to a specific instance over SSH only, you can follow the steps below (docs):

  • Add that user to the project team with view access
  • Have that user generate the public SSH key using ssh-keygen and give you that key
  • Go to the instances pane in the Compute Engine section of the Cloud Console and select the instance you want to grant the user access to
  • Click "Add metadata" and type in "sshKeys" for the key and "<username>:<ssh key>" where username is the string in the user's account before the "@" and ssh key is the key that the user generated in step 2.
lukaszberwid answered Sep 18 '22 12:09
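
An added example, not part of the original answer: a small Python check for option 1 that reads IAM policies in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and lists who can log in to one VM once enable-oslogin is on. The role table is an assumption about which predefined roles carry the OS Login permissions, and the principals and policies are constructed sample data; custom roles and IAM conditions are not evaluated.

```python
"""Who can SSH to a VM that has enable-oslogin=TRUE? (constructed data)"""

# Assumption: predefined roles taken to carry compute.instances.osAdminLogin
# (login with sudo) or compute.instances.osLogin (login without sudo).
SUDO_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin",
              "roles/compute.instanceAdmin.v1", "roles/compute.osAdminLogin"}
LOGIN_ROLES = {"roles/compute.osLogin"}


def os_login_access(project_policy, instance_policy):
    """Return {member: "sudo" | "login"} for one VM.

    IAM bindings are additive: a project-level role applies to every VM in
    the project, and an instance-level policy can only add to it.
    """
    access = {}
    for policy in (project_policy, instance_policy):
        for binding in policy.get("bindings", []):
            if binding["role"] in SUDO_ROLES:
                level = "sudo"
            elif binding["role"] in LOGIN_ROLES:
                level = "login"
            else:
                continue
            for member in binding.get("members", []):
                # "group:" members are reported as-is, not expanded to users.
                if access.get(member) != "sudo":
                    access[member] = level
    return access


A, B = "user:a@example.com", "user:b@example.com"  # constructed principals

# Situation in the question: both users hold a broad project-level role.
BEFORE = {"bindings": [{"role": "roles/owner", "members": [A, B]}]}
# After: B is reduced to viewer on the project and gets login on vm-b only.
AFTER = {"bindings": [{"role": "roles/owner", "members": [A]},
                      {"role": "roles/viewer", "members": [B]}]}
VM_A_POLICY = {"bindings": []}
VM_B_POLICY = {"bindings": [{"role": "roles/compute.osLogin", "members": [B]}]}

if __name__ == "__main__":
    print("before, vm-a:", os_login_access(BEFORE, VM_A_POLICY))
    print("after,  vm-a:", os_login_access(AFTER, VM_A_POLICY))
    print("after,  vm-b:", os_login_access(AFTER, VM_B_POLICY))
```

With the constructed BEFORE policy, user B still reaches vm-a with sudo even though OS Login is enabled, because the access comes from the project-level role rather than from the VM itself.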