How does Google Compute Engine create users and how to disable them

Tags: coreos, google-cloud-platform, google-compute-engine, ssh-keys, user-management

I've got a CoreOS cluster running on GCE and one issue that I've noticed with all GCE instances is that as long as you're auth'd with the project on Google Cloud Platform, you can log in as pretty much anything on the servers. This is an issue for me because anyone on the team, or anyone who gets into the project, can ssh right in as anyone to the server. I would like to disable this and just use users I've created in my cloud-config file that have specified ssh keys and passwords that expire. In doing this, I'm curious how Google creates the users on GCE? And has anyone found a way to disable this?

Best Answer

You can prevent a GCE instance from adding accounts by ensuring the google-accounts-manager service does not run. On CoreOS you can stop this service with sudo systemctl stop google-accounts-manager.service and then disable it permanently with sudo systemctl disable google-accounts-manager.service.

You may want to make an image with the service pre-disabled (or even delete the unit file) so that when you create instances it doesn't create accounts before you disable the service.
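
A follow-up check for the answer above, as an added example that is not part of the original answer: it confirms the unit named in the answer is neither enabled nor running, and lists login-capable accounts that are not on an allowlist, to catch accounts created before the service was disabled. The allowlist, the UID cutoff of 1000 and the sample passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answer). UNIT is the unit name the
# answer uses; the allowlist and UID cutoff are assumptions to adjust per host.
UNIT="google-accounts-manager.service"

# Constructed passwd-format sample so the script runs offline.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
core:x:500:500:CoreOS Admin:/home/core:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc:x:1003:1003::/home/svc:/sbin/nologin
EOF
}

# Print accounts that can log in but are not on the allowlist.
# $1 = passwd-format file, $2 = space-separated allowlist, $3 = minimum UID
unexpected_accounts() {
    awk -F: -v allowed="$2" -v min_uid="${3:-1000}" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($3 + 0) < (min_uid + 0) || $3 == 65534 { next }  # system accounts, nobody
        $7 ~ /(nologin|false)$/ { next }                  # no login shell
        !($1 in ok) { print $1 }
    ' "$1"
}

# 0 = unit neither enabled nor active, 1 = it can still run, 2 = no systemctl.
unit_is_off() {
    command -v systemctl >/dev/null 2>&1 || return 2
    if systemctl is-enabled --quiet "$1" 2>/dev/null; then return 1; fi
    if systemctl is-active --quiet "$1" 2>/dev/null; then return 1; fi
    return 0
}

# Demo on the constructed sample; on a real host pass /etc/passwd instead.
tmp=$(mktemp)
sample_passwd > "$tmp"
unexpected_accounts "$tmp" "deploy"    # prints alice and bob
rm -f "$tmp"
unit_is_off "$UNIT"; echo "unit_is_off exit status: $?"
```

Run it on an instance booted from the prepared image; any name it prints is an account to review along with that user's authorized SSH keys.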
