Granting SSH access to specific GCP Compute Engine instances

How to configure IAM roles for SSH-in-browser access from Google Cloud console for selected instances.

One of our customers has about 30 VMs in Compute Engine and their team of developers require regular SSH access to 4 instances. Their developers only use the SSH-in-browser from the Google Cloud console rather than their own public keys for access.

What the customer did was assign every developer the role of roles/compute.instanceAdmin.v1 as they couldn't find a narrower role. The unfortunately effect of this is that the developers have admin rights to every instance. This presents a security risk and also opens up potential for mistakes.

My team was tasked to review and recommend a better configuration.

Create custom IAM roles

What I did was create 2 custom IAM roles:

Compute Engine SSH General Role

This role gives the general ability to connect to a VM. It will be granted to the developer at the IAM level. I also added permissions so that the SSH-in-browser can use IAP TCP forwarding.

To allow the developers to conduct connectivity tests in cases when SSH connection doesn't work, as it sometime happens, I added the necessary connectivity test permissions.

The list of assigned permissions are:

iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
iap.tunnelDestGroups.accessViaIAP
iap.tunnelInstances.accessViaIAP
networkmanagement.connectivitytests.create
networkmanagement.connectivitytests.delete
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.rerun
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.connectivitytests.update
resourcemanager.projects.get

Compute Engine SSH Instance Role

This role gives the specific ability to connect to a VM and will be granted to the developer at the VM level. It has only one assigned permission:

compute.instances.setMetadata

Assign the roles

Once the 2 custom roles are created, I removed the roles/compute.instanceAdmin.v1 role from the developers and assign these 2 roles instead:

  • Viewer
  • Compute Engine SSH General Role


This is how the granted roles for a developer looks like: image.png


At this point, the developers are missing the compute.instances.setMetadata permission and if they attempt an SSH connection to a VM, it will fail. To grant SSH-in-browser to any specific VM, just do the following:

  • Go to VM instances in Compute Engine.
  • Click on the instance and click SHOW INFO PANEL.
  • On the permissions tab in the info panel, click on ADD PRINCIPAL.
  • Add the developer and select the role Compute Engine SSH Instance Role.


Now the developers can view all VM instances and can connect by SSH to the required instances.