0
votes

I am trying to setup permissions on a per-instance level on our GCP infrastructure (for example, can SSH on machine A but not on machine B) using GCloud IAM permissions.

However, I came across a weird behavior.

If I add a user to the GCloud project with only the Compute Viewer permission, that user would be able to SSH on all the VMs set up in the Compute Engine section.

This makes no sense as the documentation itself states that you can't SSH with the Compute Viewer: https://cloud.google.com/compute/docs/access/

Additionally, when I try to set permissions for each specific instance (by going to Compute Engine > VM Instances, selecting a specific instance and adding permissions from the permissions tab), those seem to have literally no effect.

Not sure if I missed something:

  • why does Compute Viewer allow for SSH?
  • why do per-instance permissions have no effect?
1
You don't even need a GCP account to SSH to a compute instance. All you need is the SSH keypair. You are confusing security mechanisms. - John Hanley
From my understanding, IAM allows controlling the SSH permissions as described in cloud.google.com/compute/docs/access, but with higher level granularity (so you are not just controlling SSH permissions). SSH using only ssh keys seems to require our own SSH management, which seems to be discouraged by GCP as mentioned here cloud.google.com/compute/docs/instances/…. We also got issues with developers adding their own SSH keys and completely disrupting the ability of others to SSH. - Simon Ninon
My comment was not about how to manage SSH access. My comment was to correct your invalid assumption that Google manages / controls SSH access. You can argue the correct way, but the fact is with SSH keys you can access the instance (firewall permitting). Experienced developers use SSH keys for many tasks that do not require GCP to manage our keys. There is no problem having multiple SSH keys, good security practices recommend a different SSH key for each user accessing an instance. The fact that some have problems is just that they do not understand how to implement and use SSH keys. - John Hanley
I'm confused. These developers added their own ssh key using the Google documented way gcloud compute os-login ssh-keys add. When they did so, they were able to use their SSH key to ssh, but it did not last for long. In the meantime, all other users were not able to login correctly. This is consistent with what the documentation states: you risk disrupting the ability of your project members to connect to instances. Additionally, Google documentation recommends using its own SSH key management mechanism (cloud.google.com/compute/docs/instances/#manage_access) - Simon Ninon
So, I understand your comment about manage vs authorization, the point being that Google also handles metadata propagation, including sshkey information, and manually managing sshkeys, even through their own console interface, seems to conflict with the automatically generated keys. That being said, it does not help with the two questions of my post - Simon Ninon

1 Answer

2
votes

You can manage SSH access at the instance level using OS login.

Compute Viewer access is not a sufficient privilege to SSH into a VM instance.

You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.

I just tested it as well to confirm and received the above error.

You might have assigned some other roles/permissions to your users that need to be reviewed in your project as the IAM role Compute Viewer is not enough.
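To review which bindings actually hand out the permissions the answer lists, here is an added Python audit over constructed sample IAM policies (example code, not from the answer or from Google's tooling). The role-to-permission table is a hand-picked subset of the predefined roles, the member names are made up, and the "SSH permission plus actAs" rule is taken as the answer states it.

```python
from collections import defaultdict

# Permissions the answer names as needed to SSH (metadata keys or OS Login).
SSH_PERMISSIONS = {"compute.instances.setMetadata",
                   "compute.projects.setCommonInstanceMetadata",
                   "compute.instances.osLogin"}
ACT_AS = "iam.serviceAccounts.actAs"

# Constructed subset of predefined roles with only the permissions relevant
# here; real roles carry many more, so this is illustrative, not a reference.
ROLE_PERMISSIONS = {
    "roles/compute.viewer": set(),  # read-only: grants none of the above
    "roles/compute.osLogin": {"compute.instances.osLogin"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.setMetadata"},
    "roles/editor": {"compute.projects.setCommonInstanceMetadata", ACT_AS},
    "roles/iam.serviceAccountUser": {ACT_AS},
}

# Constructed sample: getIamPolicy-style bindings keyed by scope.
SAMPLE_POLICIES = {
    "project": {"bindings": [
        {"role": "roles/compute.viewer",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:carol@example.com"]}]},
    "instance/vm-a": {"bindings": [
        {"role": "roles/compute.osLogin",
         "members": ["user:carol@example.com"]}]},
}

def ssh_grants(policies, member):
    """Map scope -> {permission: [roles]} for bindings giving `member`
    an SSH-relevant permission or actAs; these are the bindings to review."""
    grants = defaultdict(lambda: defaultdict(list))
    for scope, policy in policies.items():
        for binding in policy.get("bindings", []):
            if member not in binding.get("members", []):
                continue
            for perm in ROLE_PERMISSIONS.get(binding["role"], set()):
                if perm in SSH_PERMISSIONS or perm == ACT_AS:
                    grants[scope][perm].append(binding["role"])
    return {scope: dict(perms) for scope, perms in grants.items()}

def can_ssh(policies, member, instance):
    """Answer's rule over the project policy (inherited by every instance) plus the instance's own."""
    scoped = ssh_grants(policies, member)
    perms = set(scoped.get("project", {})) | set(scoped.get(f"instance/{instance}", {}))
    return bool(perms & SSH_PERMISSIONS) and ACT_AS in perms
```

In the sample, alice can SSH everywhere because a project-level Editor binding sits beside her Viewer role, which is exactly the "some other role" the answer says to look for; carol's OS Login binding on vm-a only works there.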