
I want to use OS Login with GCP because we use IAM for scoping access to all other resources within GCP (storage buckets, SQL, Redis, etc.). I understand how to restrict users from accessing machines using service accounts and roles.

But, I don't understand how to restrict the possible usernames that someone can use to SSH into our Compute Engine machines. Assume we have a VM configured with OS Login. The problem is that everyone connects using a CLI string like gcloud compute ssh $MACHINE_NAME which (possibly creates and then) logs in to a /home/$USER_DOMAIN_SUFFIX directory. So, the team's shell history, relevant home directory contents (downloaded files, created scripts, etc.), and running processes are all in a different scope (UID). We could soft-enforce that everyone does something like gcloud compute ssh $SPECIAL_USERNAME@$MACHINE_NAME where everyone uses the same $SPECIAL_USERNAME value. But, that doesn't prevent new home directories from being provisioned. It's a convention, not a software policy.

Is there a way to accomplish what I want, where I can freely choose the value of $SPECIAL_USERNAME? I don't want to be locked in to the generated usernames based on the user/service account email.

Using root for everything is unacceptable for a number of reasons (we want to use a non-root container runtime and we want to limit potential damage done by this $SPECIAL_USERNAME).


1 Answer


You can create an ssh key locally (with any username), and then add its public SSH key to a GCP project or instance(s) via the console. Just place ssh files on each computer that you plan on using to access the VM, and this will use only the username you've specified during the SSH key creation. If you have Linux virtual machine (VM) instances running on Google Cloud, you might need to share or restrict user or application access to your VMs.

If you want to specify the username:

[USER@]INSTANCE
Specifies the instance to SSH into. USER specifies the username with which to SSH. If omitted, the user login name is used. If using OS Login, USER will be replaced by the OS Login user. INSTANCE specifies the name of the virtual machine instance to SSH into.

Follow the Google Cloud documentation guide "Managing SSH keys in metadata".

Refer to "Not to create a new user when I SSH into GCP compute engine" for more information.
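As an added example (not code from the answer above or from Google's tooling), the Python helper below builds an ssh-keys metadata entry for a chosen username and audits an existing ssh-keys value for accounts outside an allow-list, which is the check a team needs if it relies on a shared username like $SPECIAL_USERNAME. It assumes the username before the colon is the Linux account the guest agent creates, that metadata keys are only honoured while OS Login is not enabled on the instance or project, and that the sample metadata and key data are constructed placeholders.

```python
import re

# Linux default username rule; the part before ':' in an ssh-keys entry is the
# account the guest agent creates on the VM, so it must be a valid local name.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample of an instance's ssh-keys metadata value, one entry per line.
# The third line is the google-ssh form gcloud writes for a temporary key.
SAMPLE_SSH_KEYS = """\
deploy:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeydata0000000000000000000000 deploy
alice_example_com:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEkeydata alice@example.com
deploy:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeydata1111111111111111111111 google-ssh {"userName":"bob@example.com","expireOn":"2030-01-01T00:00:00+0000"}
"""


def build_entry(username, public_key_line):
    """Turn a local public key (contents of id_ed25519.pub) into one ssh-keys line.

    Write the result to a file and apply it with
    gcloud compute instances add-metadata INSTANCE --metadata-from-file ssh-keys=FILE
    (only honoured while enable-oslogin is not TRUE for the instance/project).
    """
    if not USERNAME_RE.match(username):
        raise ValueError(f"invalid Linux username: {username!r}")
    parts = public_key_line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("expected '<keytype> <base64-key> [comment]'")
    # The comment is cosmetic; the username before ':' decides the account.
    return f"{username}:{parts[0]} {parts[1]} {username}"


def parse_entries(metadata_value):
    """Yield (username, keytype) for each non-empty line of an ssh-keys value."""
    for line in metadata_value.splitlines():
        line = line.strip()
        if not line:
            continue
        username, _, rest = line.partition(":")
        fields = rest.split()
        yield username, (fields[0] if fields else "")


def audit(metadata_value, allowed_usernames):
    """Return usernames in the metadata that are not on the allow-list."""
    return sorted({u for u, _ in parse_entries(metadata_value)
                   if u not in allowed_usernames})
```

Running audit over the value returned by gcloud compute instances describe (the ssh-keys item) on a schedule turns the naming convention into something you can actually alert on.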
