How to give access to single Compute Instance on GCP?

杀马特。学长 韩版系。学妹 submitted on 2019-12-04 12:36:46

I had the same issue and found the solution. I'll try to answer your questions:

Question #1: What on earth needs to be done to just give a role access to single Compute Instance in GCP?

You need to grant the user these permissions:

1- In the main IAM page, https://console.cloud.google.com/iam-admin/iam?project=your_project grant the user the "Compute Viewer" and "Service Account User" roles.

2- In the VMs page, https://console.cloud.google.com/compute/instances?folder=&organizationId=&project=your_project, select one or more VMs and grant the user the "Compute Instance Admin (v1)" role.

Now the user can SSH into the VM.

Question #2: Also, what is the purpose of the "Permissions" right sidebar in "Compute Engine" view if that doesn't actually give any permissions?

In GCP there are Project-level and Resource-level permissions. The "Permissions" right sidebar in "Compute Engine" sets the permissions for a single resource.

Hope this helps!
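The two console steps in the answer above, expressed as `gcloud` commands. This is an added example, not part of the original answer; the project, zone, instance name and member are placeholder values, and the script only prints the commands unless `DRY_RUN=0` is set.

```bash
#!/bin/sh
# Added example: CLI equivalent of the console steps described above.
# All values below are placeholders (assumptions), override via environment.
set -eu

PROJECT="${PROJECT:-your_project}"
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-my-vm}"
MEMBER="${MEMBER:-user:alice@example.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Print the command line; run it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Step 1: project-level bindings ("Compute Viewer", "Service Account User").
grant_project_roles() {
  for role in roles/compute.viewer roles/iam.serviceAccountUser; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="$MEMBER" --role="$role"
  done
}

# Step 2: resource-level binding ("Compute Instance Admin (v1)") on each
# named VM only, which is what the "Permissions" sidebar sets.
grant_instance_admin() {
  for vm in "$@"; do
    run gcloud compute instances add-iam-policy-binding "$vm" \
      --project="$PROJECT" --zone="$ZONE" \
      --member="$MEMBER" --role=roles/compute.instanceAdmin.v1
  done
}

# Review step: show who holds roles on one specific instance.
show_instance_policy() {
  run gcloud compute instances get-iam-policy "$1" \
    --project="$PROJECT" --zone="$ZONE" --format=json
}

grant_project_roles
grant_instance_admin "$INSTANCE"
show_instance_policy "$INSTANCE"
```

The binding made in step 2 lives on the instance's own IAM policy, so `show_instance_policy` is where to review it; the project IAM page lists only the step 1 roles.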

In this link you will find the different ways you can add new users to your project and how to set access control for your Compute Engine resources.

Note: If you want to give a user SSH to virtual machine instances but prevent access to all APIs, add the user's SSH keys to the project or instance instead of adding the user to the project and granting them wide-ranging permissions.

  1. If you only want to grant users SSH access to VM instances, then you might add the user's public key to the project or add a user's public key to a specific instance. This is mentioned in the link here.

  2. Managing Instance Access Using OS Login: this feature gives you more granular control over which users can connect to your instances and what level of permission they have. For additional details, see this document.
