New to gcloud, need to admin a compute engine. I have the following roles:

  • Compute Admin
  • Service Account Admin
  • Organization Admin

Yet when I view the dashboard, the Compute Engine card says

"You do not have permission to see this card"

It was my understanding that "Compute Admin" gave me complete access to the resource. Why can't I view that card? If I click on "Go to Compute Engine" I get the compute engine console and can see the VM instances, yet when I click on the SSH dropdown I get a blank window. The dialog pops up

"Connecting... Transferring SSH keys to the VM"

which is then replaced with

"Connection Failed You cannot connect to the VM instance because of an unexpected error. Wait a few moments and then try again. (#15)"

If I do a tcpdump at the firewall on my end I see no traffic on port 22 coming or going. The problem occurs from both a system with a fixed IP and one with a NAT translated address. The problem occurs on both Firefox and Chrome, from both a FreeBSD and a Windows system. I can SSH from these machines to another system.

I must be missing some other role(s)?

GaryA

1 Answer

The Project Dashboard belongs to the whole project, therefore you need at least a Project Viewer primitive role to view its contents (or Project Editor or Project Admin to edit):

Cloud IAM > Doc > Understanding roles > Primitive roles

Compute Engine > Doc > Access control overview > Granting users SSH access to VM instances explains which permissions are needed to access instances via SSH:

To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a Project member, while still granting them access to specific instances.
To learn more about SSH and managing SSH keys, read the SSH keys overview.
Note that if you grant the roles/compute.instanceAdmin.v1 role to a project member, they can automatically connect to instances using SSH, as long as the instance is not set up to run as a service account. If the instance is set up to run as a service account, you must also grant the roles/iam.serviceAccountUser role before the member can connect to the instance. If you add a member as a Project Owner or Editor, they also automatically have SSH access to VM instances in the project.

Please make sure that ingress traffic to port 22 is enabled.

GCP Console => VPC network => Firewall rules

There should be a firewall rule (for the default network, for instance, this is default-allow-ssh) that allows SSH ingress traffic to TCP port 22 from anywhere (0.0.0.0/0).

You can create such a rule manually:

GCP Console => VPC network => Firewall rules => Create Firewall Rule 
  Name:     my-allow-ssh
  Network:  mynet
  Targets:  All instances in the network
  Source filter:    IP Ranges
  Source IP ranges:     0.0.0.0/0 
  Protocols and ports:  Specified protocols and ports
    tcp: ports 22

If you can connect to some instances but not to one of them, it could be that the VPC firewall rule uses network tags to distinguish targets. You should check that for an instance you can connect to:

GCP Console => Compute Engine => VM instances => my-instance-name => Network tags

and then look for those tags in the existing firewall rules:

GCP Console => VPC network => Firewall rules => my-ssh-enable => Targets => Target tags

Then you should tag the VM instance you want to connect to with that network tag:

GCP Console => Compute Engine => VM instances => my-instance-name => Edit => Network tags

As for the "unexpected error", it makes sense to follow the directive from the message and "try again" later. It could be an intermittent error.

mebius99
  • The default port 22 rule exists. There is only one VM instance. The error is persistent. When I said "When I click on the SSH dropdown, I get a blank window" I meant the SSH window opens, but is blank and stays blank with the error dialogs superimposed on it (as opposed to the SSH dropdown menu being blank). – GaryA May 17 '20 at 16:21
  • Did granting Project Viewer role solve the issue with the Project Dashboard? – mebius99 May 18 '20 at 14:06
  • I ended up getting project.owner so can't say whether viewer would work or not. But I don't even see a projectViewer or project.viewer role in the list @ https://cloud.google.com/iam/docs/understanding-roles. That also solved the SSH issue, so there was clearly some other role I needed to be able to log in. Maybe compute.osLogin or compute.osAdminLogin – GaryA May 18 '20 at 22:22
  • Links to the documentation and relevant quotes are added to the post. – mebius99 May 20 '20 at 08:37
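The answer above walks through the VPC firewall checks by hand: is there an ingress rule for TCP port 22, does its source range include you, and, if the rule uses target tags, does the instance carry one of them. The following script is an added example (not code from the original answer or from Google) that applies the same checks offline to rule and instance data in the shape returned by `gcloud compute firewall-rules list --format=json` and `gcloud compute instances describe NAME --format=json`. It goes one step beyond the answer by honouring VPC evaluation order (lowest priority number wins, first matching allow or deny decides, unmatched ingress is denied) so a higher-priority deny rule is also reported. All rule and instance data below is constructed; `example-project`, `mynet`, `my-ssh-enable`, the instance names and the IP addresses are placeholders.

```python
"""Offline check: would VPC firewall rules let a client reach TCP/22 on an instance?"""
import ipaddress

SSH_PORT = 22
NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/"

# Constructed sample rules (same fields as the gcloud JSON output): the stock
# default-allow-ssh on "default", a tag-scoped SSH rule on "mynet", and a
# higher-priority deny for one constructed office range.
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "network": NET + "default", "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "my-ssh-enable", "network": NET + "mynet", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["ssh-ok"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "mynet-deny-ssh-office", "network": NET + "mynet", "direction": "INGRESS",
     "priority": 500, "sourceRanges": ["203.0.113.0/24"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

# Constructed sample instances: only "web-1" carries the network tag the
# tag-scoped rule targets; "legacy-1" sits on the default network.
INSTANCES = {
    "web-1": {"tags": {"items": ["ssh-ok"]}, "networkInterfaces": [{"network": NET + "mynet"}]},
    "db-1": {"tags": {}, "networkInterfaces": [{"network": NET + "mynet"}]},
    "legacy-1": {"networkInterfaces": [{"network": NET + "default"}]},
}


def _network_name(url):
    """Last path element of a network URL, e.g. '.../networks/default' -> 'default'."""
    return url.rsplit("/", 1)[-1]


def _port_matches(spec, port):
    """A port spec is a single port ('22') or an inclusive range ('1000-2000')."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _entry_matches(entries, port):
    """True if any allowed/denied entry covers TCP on the given port."""
    for entry in entries:
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = entry.get("ports")  # absent ports means every port of that protocol
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False


def _rule_targets_instance(rule, instance):
    """Rules without targetTags/targetServiceAccounts apply to every instance in the network."""
    tags = set(instance.get("tags", {}).get("items", []))
    sa_emails = {sa["email"] for sa in instance.get("serviceAccounts", [])}
    target_tags = rule.get("targetTags")
    target_sas = rule.get("targetServiceAccounts")
    if not target_tags and not target_sas:
        return True
    return bool(tags & set(target_tags or [])) or bool(sa_emails & set(target_sas or []))


def _source_matches(rule, client_ip):
    """True if the client address falls inside one of the rule's sourceRanges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in rule.get("sourceRanges", []))


def ssh_ingress_verdict(rules, instance, client_ip, port=SSH_PORT):
    """Return (allowed, deciding_rule_name); (False, None) means the implied deny-ingress rule."""
    nets = {_network_name(nic["network"]) for nic in instance.get("networkInterfaces", [])}
    candidates = [
        r for r in rules
        if r.get("direction", "INGRESS") == "INGRESS"
        and not r.get("disabled", False)
        and _network_name(r["network"]) in nets
        and _rule_targets_instance(r, instance)
        and _source_matches(r, client_ip)
    ]
    # Lower priority number is evaluated first; the first allow or deny that covers the port wins.
    for rule in sorted(candidates, key=lambda r: r.get("priority", 1000)):
        if _entry_matches(rule.get("allowed", []), port):
            return True, rule["name"]
        if _entry_matches(rule.get("denied", []), port):
            return False, rule["name"]
    return False, None


def report(client_ip, rules=FIREWALL_RULES, instances=INSTANCES):
    """Map instance name -> (allowed, deciding rule) for one client address."""
    return {name: ssh_ingress_verdict(rules, inst, client_ip) for name, inst in instances.items()}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5"):
        for name, (ok, rule) in report(ip).items():
            print(f"{ip:>13} -> {name:9} {'ALLOW' if ok else 'DENY ':5} via {rule or 'implied deny-ingress'}")
```

Run against real data, replace the two constructed lists with the parsed output of the two gcloud commands named in the lead-in and pass your own public address as `client_ip`; an instance that comes back `(False, None)` is the answer's "tag the VM instance" case, while a named deny rule points at an explicit rule that outranks the allow.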