Question
When setting up OS Login on one GCE instance I get a Permission denied message for a new user of the project.
As per the Google Cloud documentation on OS Login, I've set metadata to enable-oslogin TRUE, and the permission for the user on the instance to roles/compute.osLogin, as there's no further Organization or service account required in this test case. Firewall rules are OK too.
I've enabled the role Project Editor and it works, but I don't want the user to be an Editor nor a Viewer, just to SSH into the instance and manage it with Cloud IAM.
This is the error I'm seeing:
DEBUG: Executing command: [u'/usr/bin/ssh', u'-t', u'-i', u'/home/test/.ssh/google_compute_engine', u'-o', u'CheckHostIP=no', u'-o', u'HostKeyAlias=compute.xxxxx', u'-o', u'IdentitiesOnly=yes', u'-o', u'StrictHostKeyChecking=no', u'-o', u'UserKnownHostsFile=/home/test/.ssh/google_compute_known_hosts', u'test_com@xx.xx.xx.xx']
Permission denied (publickey).
DEBUG: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].
Traceback (most recent call last):
File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 981, in Execute
resources = calliope_command.Run(cli=self, args=args)
File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 807, in Run
resources = command_instance.Run(args)
File "/google/google-cloud-sdk/lib/surface/compute/ssh.py", line 262, in Run
return_code = cmd.Run(ssh_helper.env, force_connect=True)
File "/google/google-cloud-sdk/lib/googlecloudsdk/command_lib/util/ssh/ssh.py", line 1258, in Run
raise CommandError(args[0], return_code=status)
CommandError: [/usr/bin/ssh] exited with return code [255].
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].
Answer 1:
Adding the IAM roles below solves it, so it requires the SA role as well, something not very clear from the Google Cloud documentation.
Compute OS Login (role): Access to log in to a Compute Engine instance as a standard (non-administrator) user.
Service Account User (role): Run operations as the service account.
Answer 2:
You can grant the roles/compute.osLogin or roles/compute.osAdminLogin roles at the instance level by using the gcloud beta compute instances add-iam-policy-binding command.
Please refer to the Google Docs.
Answer 3:
If the user is a Gmail, Yahoo, etc. account, not one with the organization's syntax, it is considered an external user, so you need to grant the permission roles/compute.osLoginExternalUser at the organization level to the user.
It should work once it has the role for external users set.
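The three answers together describe a checklist: an OS Login role on the instance or project, Service Account User when the instance runs as a service account, and osLoginExternalUser at the organization level for a Gmail/Yahoo-style account. The script below is an added example, not code from the thread or from Google; it walks that checklist against IAM policies in the JSON shape that gcloud's get-iam-policy commands print and emits the gcloud commands that would add the missing bindings. The project, zone, instance, service account, organization ID, domain and the policy contents are all constructed for the demo, and roles/iam.serviceAccountUser is the role ID behind the "Service Account User" name in the first answer.

```python
"""Diagnose missing OS Login IAM bindings and print the gcloud fixes.

Added example, not code from the Stack Overflow thread. The policies below
are constructed in the JSON shape that `gcloud ... get-iam-policy
--format=json` prints ({"bindings": [{"role": ..., "members": [...]}]});
the project, zone, instance, service account, org ID and domain are
assumptions for the demo.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Roles the thread names. roles/iam.serviceAccountUser is the ID of the
# "Service Account User" role that the first answer refers to.
OS_LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"
EXTERNAL_ROLE = "roles/compute.osLoginExternalUser"
# Basic roles that make SSH work but grant far more than the asker wants.
BROAD_ROLES = {"roles/editor", "roles/owner"}


@dataclass
class Target:
    project: str
    zone: str
    instance: str
    service_account: Optional[str]  # SA attached to the instance, if any
    org_id: str
    org_domains: set  # Cloud Identity / Workspace domains of the organization


def roles_for(member: str, policy: dict) -> set:
    """Roles that `member` (e.g. "user:alice@example.com") holds in one policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def is_external(email: str, org_domains: set) -> bool:
    """A user outside the org's domains needs osLoginExternalUser at org level."""
    return email.rsplit("@", 1)[-1].lower() not in {d.lower() for d in org_domains}


def diagnose(email, target, instance_policy, project_policy, sa_policy, org_policy) -> dict:
    """Return the missing roles, the gcloud commands to add them, and any
    broad basic roles the user holds instead of the narrow OS Login grants."""
    member = f"user:{email}"
    # osLogin / osAdminLogin may be bound on the instance or on the project.
    held = roles_for(member, instance_policy) | roles_for(member, project_policy)
    broad = held & BROAD_ROLES
    missing, commands = [], []

    if not (held & OS_LOGIN_ROLES) and not broad:
        missing.append("roles/compute.osLogin")
        commands.append(
            f"gcloud compute instances add-iam-policy-binding {target.instance} "
            f"--zone={target.zone} --project={target.project} "
            f"--member={member} --role=roles/compute.osLogin")

    # With a service account attached, the user must also be allowed to act
    # as it; bind the role on the SA itself rather than project-wide.
    if target.service_account:
        sa_held = roles_for(member, sa_policy) | roles_for(member, project_policy)
        if SA_USER_ROLE not in sa_held and not broad:
            missing.append(SA_USER_ROLE)
            commands.append(
                f"gcloud iam service-accounts add-iam-policy-binding "
                f"{target.service_account} --member={member} --role={SA_USER_ROLE}")

    # External identities need the org-level role regardless of other grants.
    if is_external(email, target.org_domains) and EXTERNAL_ROLE not in roles_for(member, org_policy):
        missing.append(EXTERNAL_ROLE)
        commands.append(
            f"gcloud organizations add-iam-policy-binding {target.org_id} "
            f"--member={member} --role={EXTERNAL_ROLE}")

    return {"missing": missing, "commands": commands, "excess": sorted(broad)}


# Constructed sample data (assumed names, not real resources).
TARGET = Target(project="demo-project", zone="us-central1-a", instance="web-1",
                service_account="web-1-sa@demo-project.iam.gserviceaccount.com",
                org_id="123456789012", org_domains={"example.com"})
INSTANCE_POLICY = {"bindings": [
    {"role": "roles/compute.osLogin", "members": ["user:bob@example.com"]}]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:carol@example.com"]}]}
SA_POLICY = {"bindings": [
    {"role": SA_USER_ROLE, "members": ["user:bob@example.com"]}]}
ORG_POLICY = {"bindings": []}

if __name__ == "__main__":
    for who in ("alice@gmail.com", "bob@example.com", "carol@example.com"):
        r = diagnose(who, TARGET, INSTANCE_POLICY, PROJECT_POLICY, SA_POLICY, ORG_POLICY)
        print(who, "missing:", r["missing"], "excess:", r["excess"])
        for cmd in r["commands"]:
            print("  ", cmd)
```

To run it against a real project, replace the constructed dicts with the output of gcloud compute instances get-iam-policy INSTANCE --zone=ZONE --format=json, gcloud projects get-iam-policy PROJECT --format=json, gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json and gcloud organizations get-iam-policy ORG_ID --format=json. The check only looks at direct user: bindings in the policies it is given; roles inherited through folders or group membership are not expanded, so a clean result from the script is necessary but not sufficient.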
Source: https://stackoverflow.com/questions/59718724/google-cloud-compute-engine-os-login-permission-denied-issue