How to provide access to only one instance to users in Google Compute Engine

Tags: google, google-cloud-platform, google-compute-engine, service-accounts

I'm trying to find a solution to provide an external worker access to an instance in our project but not all resources.

I have done some research and found two methods on how to do this.

The first would be to provide the contractor with a private key to SSH into the selected instance.

But I would like to try to use the other method, which is to assign the service account user role to the contractor.

From what I understand of service accounts, they are declared as both a resource and an identity. I would have to create a new instance under a newly created service account with limited, defined permissions.

[service account] >>> permissions >>> [instances]

[user] >>> service account user role >>> [service account]

So I think the service account user role is like a proxy for the service account. I have tried assigning permissions to the service account and assigning a user the service account user role. I would think that, after this was done, the user would have the permissions assigned to the service account. But unfortunately that isn't the case, and I would like some assistance.

Best Answer

Using a private key like you suggested would be the ideal solution here, as that is the only way to make sure your contractor won't have access to other instances or information about the status of your project. Nonetheless, what you described (SSH into a machine using a service account) can be done, and, indeed, service accounts are both an identity and a resource.

If you give a user the Service Account User role for a service account with the necessary permissions to SSH into a machine, that will allow the user to do just that. Keep in mind however that the minimum set of permissions this service account would require in order for this to work would allow the service account (and, consequently, the user too) to SSH into any Compute instance. This alone is an indicator that doing this won't give you the granularity you seem to want.

In order for the scenario you've conjured to be possible, you'd need to do the following:

  1. Create a service account and give it the Service Account User role and 4 granular permissions, compute.instances.get, compute.instances.setMetadata, compute.projects.get, and compute.zoneOperations.get (you should probably create a custom role for these permissions). This can be done in the IAM & admin section of the Console;
  2. Give the user itself some sort of permissions onto the project through the Console or gcloud. I'd suggest giving the Compute Viewer role;
  3. Instruct the user to install the Google Cloud SDK and initialize it with their credentials;
  4. Have the user SSH into the appropriate instance by using gcloud compute ssh SERVICE_ACCOUNT_USERNAME@INSTANCE_IP_OR_HOSTNAME --zone ZONE_OF_INSTANCE.

I'd suggest having the user SSH into the target machine through Cloud Shell, as it would avoid having to do step 3 altogether. Don't forget about firewall rules as well, as the public IPs assigned to Cloud Shell don't seem to fall under the common Google Public IP ranges.

Don't be surprised if you see a message like Updating project ssh metadata...failed. This is to be expected, as the service account only has permissions to add SSH keys into the metadata of instances.
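The procedure from the answer above, written out as an added provisioning script (this is not code from the original question or answer). It creates the custom role with the four permissions, the service account, the Service Account User binding for the contractor on that service account, the Compute Viewer grant on the project, and prints the SSH command for step 4. Every concrete value (project ID `example-project`, contractor `contractor@example.com`, instance `worker-1`, zone `us-central1-a`, role ID `instanceSshMetadata`, service account name `contractor-ssh`, and using that name as the SSH username) is an assumed placeholder; override them from the environment. By default it only prints the `gcloud` commands (dry run) so the plan can be reviewed before anything touches the project.

```shell
#!/bin/sh
# Added example script for the procedure in the answer above; not from the
# original post. All values below are assumed placeholders; override via env.
set -eu

PROJECT="${PROJECT:-example-project}"               # assumed project ID
CONTRACTOR="${CONTRACTOR:-contractor@example.com}"  # assumed contractor account
INSTANCE="${INSTANCE:-worker-1}"                    # assumed target instance
ZONE="${ZONE:-us-central1-a}"                       # assumed zone
ROLE_ID="${ROLE_ID:-instanceSshMetadata}"           # assumed custom role ID
SA_NAME="${SA_NAME:-contractor-ssh}"                # assumed service account name
SA_USERNAME="${SA_USERNAME:-$SA_NAME}"              # assumed SSH username
SA_EMAIL="$SA_NAME@$PROJECT.iam.gserviceaccount.com"

# The four permissions named in the answer. compute.instances.setMetadata is
# what lets gcloud push an SSH public key into instance metadata.
PERMS="compute.instances.get,compute.instances.setMetadata,compute.projects.get,compute.zoneOperations.get"

# DRY_RUN=1 (default) prints each gcloud command instead of executing it;
# DRY_RUN=0 executes it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1a: custom role carrying only the four permissions.
create_custom_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="Instance SSH metadata" --permissions="$PERMS"
}

# Step 1b: the service account the contractor will act through.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
    --display-name="Contractor SSH"
}

# Step 1c: bind the custom role to the service account on the project.
# Caveat from the answer: a project-level setMetadata grant applies to every
# instance in the project, not just the one the contractor should reach.
bind_role_to_sa() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="projects/$PROJECT/roles/$ROLE_ID"
}

# Step 1d: Service Account User for the contractor, bound on the service
# account resource itself (not on the project).
grant_service_account_user() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --member="user:$CONTRACTOR" --role="roles/iam.serviceAccountUser"
}

# Step 2: Compute Viewer for the contractor on the project.
grant_compute_viewer() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="user:$CONTRACTOR" --role="roles/compute.viewer"
}

# Step 4: the command the contractor runs (step 3, installing the SDK, is
# manual or skipped entirely by using Cloud Shell).
ssh_command() {
  printf 'gcloud compute ssh %s@%s --zone %s\n' "$SA_USERNAME" "$INSTANCE" "$ZONE"
}

# Whole plan: five gcloud commands plus the SSH command, one per line.
provision() {
  create_custom_role
  create_service_account
  bind_role_to_sa
  grant_service_account_user
  grant_compute_viewer
  ssh_command
}

# "plan" prints the commands; "apply" executes them. No argument: do nothing.
case "${1:-}" in
  plan)  DRY_RUN=1; provision ;;
  apply) DRY_RUN=0; provision ;;
esac
```

Run `sh provision.sh plan` to review the commands, then `PROJECT=... CONTRACTOR=... sh provision.sh apply` to execute them. Since the custom role is bound at project level, the caveat in the answer stands: the setMetadata permission reaches every instance. Binding the custom role on the single instance instead (`gcloud compute instances add-iam-policy-binding INSTANCE --zone ZONE ...`) narrows that permission to one machine, but `compute.projects.get` and `compute.zoneOperations.get` are project-scoped and still need a project-level grant, and the Compute Viewer role from step 2 already lets the contractor list every instance.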
