问题
Right now everyone can access absolutely any server in GCE so long as they have GCE access. The gcloud comput ssh command can ssh into any server.
How do I make sure that only the person that created the server has access?
回答1:
It is possible to implement access control to instances based on GCE IAM roles via OS Login:
After you enable OS Login on one or more instances in your project, those instances accept connections only from user accounts who have the necessary IAM roles in your project or organization:
As an example, you might grant instance access to your users with the following process:
Grant the necessary instance access roles to the user. Users must have the following roles:
- The
iam.serviceAccountUserrole.- One of the following login roles:
- The
compute.osLoginrole, which does not grant administrator permissions- The
compute.osAdminLoginrole, which grants administrator permissions
But note that not all GCE image families have OS Login support:
The following image families do not yet support OS Login:
- All project coreos-cloud (CoreOS) image families
- Project suse-cloud (SLES) image family sles-11
- All Windows Server and SQL Server image families
来源:https://stackoverflow.com/questions/50795302/how-do-i-allow-access-to-gce-to-only-the-dev-that-created-the-server