Photo by Avi Richards on Unsplash
Granting SSH access to specific GCP Compute Engine instances
How to configure IAM roles for SSH-in-browser access from Google Cloud console for selected instances.
One of our customers has about 30 VMs in Compute Engine and their team of developers require regular SSH access to 4 instances. Their developers only use the SSH-in-browser from the Google Cloud console rather than their own public keys for access.
What the customer did was assign every developer the role of roles/compute.instanceAdmin.v1 as they couldn't find a narrower role. The unfortunately effect of this is that the developers have admin rights to every instance. This presents a security risk and also opens up potential for mistakes.
My team was tasked to review and recommend a better configuration.
Create custom IAM roles
What I did was create 2 custom IAM roles:
Compute Engine SSH General Role
This role gives the general ability to connect to a VM. It will be granted to the developer at the IAM level. I also added permissions so that the SSH-in-browser can use IAP TCP forwarding.
To allow the developers to conduct connectivity tests in cases when SSH connection doesn't work, as it sometime happens, I added the necessary connectivity test permissions.
The list of assigned permissions are:
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
iap.tunnelDestGroups.accessViaIAP
iap.tunnelInstances.accessViaIAP
networkmanagement.connectivitytests.create
networkmanagement.connectivitytests.delete
networkmanagement.connectivitytests.get
networkmanagement.connectivitytests.getIamPolicy
networkmanagement.connectivitytests.list
networkmanagement.connectivitytests.rerun
networkmanagement.connectivitytests.setIamPolicy
networkmanagement.connectivitytests.update
resourcemanager.projects.get
Compute Engine SSH Instance Role
This role gives the specific ability to connect to a VM and will be granted to the developer at the VM level. It has only one assigned permission:
compute.instances.setMetadata
Assign the roles
Once the 2 custom roles are created, I removed the roles/compute.instanceAdmin.v1 role from the developers and assign these 2 roles instead:
- Viewer
- Compute Engine SSH General Role
This is how the granted roles for a developer looks like:
At this point, the developers are missing the compute.instances.setMetadata permission and if they attempt an SSH connection to a VM, it will fail. To grant SSH-in-browser to any specific VM, just do the following:
- Go to VM instances in Compute Engine.
- Click on the instance and click SHOW INFO PANEL.
- On the permissions tab in the info panel, click on ADD PRINCIPAL.
- Add the developer and select the role Compute Engine SSH Instance Role.
Now the developers can view all VM instances and can connect by SSH to the required instances.