2
votes

Is it possible to restrict only the delete GCE instance permission from a specific user for a specific instance?

I want this user to have the permissions to create and edit a specific instance, but not to delete it.

Thanks in advance.

1
I don't think this is possible because Google Cloud IAM does not currently support custom roles. Right now you are limited to the legacy Owner/Editor/Viewer roles and some additional curated IAM roles (that may be in beta), for example: cloud.google.com/compute/docs/access/iam. It's also not clear if the (presumed) custom roles of the future would actually support your particular use case (where the permissions are conditional upon the instance name or instance tags) - you might have to engineer this separation through projects. - jarmod

1 Answer

1
votes

As you want to restrict delete permission only from a specific user, you can create a custom role following this document and restrict users who will be assigned that role from deleting by removing the permission to delete.

Also, it is possible to use Compute Engine IAM roles that are already defined and do not allow the user to delete the instance. However, this will give extra access which you might not want the user to have.

Keep in mind the above procedures will modify user access project-wide. Thus, to grant a user access to one specific instance only, you can follow the steps below.

  1. Add that user to the project team with view access.
  2. Have that user generate a public SSH key using ssh-keygen and give you that key.
  3. Go to the instances pane in the Compute Engine section of the Cloud Console and select the instance you want to grant the user access to.
  4. Click "Add metadata" and type in "sshKeys" for the key and "<username>:<ssh key>" for the value, where username is the string in the user's account before the "@" and ssh key is the key that the user generated in step 2.

I hope this helps.
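As an added example that is not part of the original answer, the script below shows the "remove the delete permission" step in a form that can be checked before anything is granted: it takes a list of Compute Engine permissions, drops every one ending in `.delete`, and emits a role definition in the YAML layout accepted by `gcloud iam roles create --file`. The permission list embedded here is constructed for the demonstration (all seven are real `compute.instances.*` permissions, but it is not the full `roles/compute.instanceAdmin.v1` set); in practice you would feed in the output of `gcloud iam roles describe` as shown in the comments. Project id, role id and user e-mail in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: derive a least-privilege
# custom role by removing delete permissions from an existing permission list.

# Constructed sample list for offline use. To use the real predefined role instead:
#   gcloud iam roles describe roles/compute.instanceAdmin.v1 \
#       --format='value(includedPermissions)' | tr ';' '\n'
SAMPLE_PERMISSIONS='compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setMetadata
compute.instances.start
compute.instances.stop'

# strip_delete_permissions: reads permissions one per line on stdin and
# writes every permission that does not end in ".delete" to stdout.
strip_delete_permissions() {
  grep -v '\.delete$'
}

# count_delete_permissions: reads permissions on stdin and prints how many
# end in ".delete" (a post-filter check; expected to print 0).
count_delete_permissions() {
  grep -c '\.delete$' || true
}

# build_role_yaml TITLE: reads permissions on stdin and writes a custom-role
# definition (title/description/stage/includedPermissions) to stdout.
build_role_yaml() {
  title="$1"
  printf 'title: "%s"\n' "$title"
  printf 'description: "Instance administration without the ability to delete instances"\n'
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  strip_delete_permissions | sed 's/^/- /'
}

# Demo on the constructed list: writes the role YAML to stdout.
printf '%s\n' "$SAMPLE_PERMISSIONS" | build_role_yaml "Compute Instance Admin (no delete)"

# To apply it (placeholders, not values from the original post):
#   ... | build_role_yaml "Compute Instance Admin (no delete)" > role.yaml
#   gcloud iam roles create instanceAdminNoDelete --project PROJECT_ID --file role.yaml
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#       --member=user:USER_EMAIL --role=projects/PROJECT_ID/roles/instanceAdminNoDelete
```

Because the binding is still made at project level, this reproduces exactly the caveat the answer raises: the user loses delete on every instance in the project, not on one instance only. Re-running `count_delete_permissions` on the filtered list before creating the role is a cheap way to confirm the permission was actually dropped.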