
In my GCP project, as a project owner, the SSH-from-browser option is enabled for me on a VM instance with NO external IP, but not for other users who have Compute Admin and "roles/iam.serviceAccountUser" on the compute service account. The same users are able to SSH via the browser and using Cloud IAP in a shell to instances with external IPs.

Even if the instance is created by the user, he does not have browser SSH enabled, while it is enabled for the project owner.

What configuration is allowing the project owner role to have the browser SSH enabled for instances with NO External IP, and disabled for other users?

I have gone through the Google documentation on SSH, permissions, etc. Everywhere it lists ways to access instances with no external IP, which is helpful if the owner also cannot SSH from the browser. I understand we can SSH to the instances in other ways. I would like to know what permission/role enabled an owner to SSH from the browser.

Thanks, Praveen

Praveen

1 Answer


GCP SSH from the browser to instances without an external IP only works in a couple of configurations. From the documentation:

Connecting to instances that don't have an external IP address. If your Compute Engine instance only has an internal IP address, use one of the following options to connect:

  1. SSH from the browser with configured Identity-Aware Proxy TCP forwarding. If an instance with no external IP is configured to allow TCP tunneling through IAP, you can also connect to the instance using SSH from the browser.

  2. SSH from the browser with bastion host. Use SSH from the browser to connect to the bastion instance that has an external IP address. From the bastion instance, connect to the target instance that only has an internal IP address. ssh -A internal-ip

The first option is a GCP-provided TCP proxy that they also made work with browser SSH.

The second is a shell box you run that is reachable from both the perimeter and the inside networks, also known as a bastion host.

John Mahowald
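As an added diagnostic that is not part of the answer above, the following Python checks the two things the IAP path needs for a VM that only has an internal IP: an ingress firewall rule admitting IAP's forwarding range 35.235.240.0/20 on TCP 22, and an IAM binding that grants tunnel access. The IAP range, the role roles/iap.tunnelResourceAccessor and the inclusion of roles/owner are my assumptions from the IAP TCP forwarding documentation, not stated in the answer; the sample rules and bindings are constructed.

```python
import ipaddress
# IAP TCP forwarding always originates from this Google-published range.
IAP_SOURCE_RANGE = ipaddress.ip_network("35.235.240.0/20")
# roles/owner is listed because the basic Owner role also carries the IAP tunnel
# permission (my understanding, not something the answer states).
TUNNEL_ROLES = ("roles/iap.tunnelResourceAccessor", "roles/owner")

def _covers_iap(source_ranges):
    """True if any CIDR in sourceRanges contains the whole IAP range."""
    for cidr in source_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net.supernet_of(IAP_SOURCE_RANGE):
            return True
    return False

def _port_in_ranges(port, ports):
    """GCP port specs look like "22" or "1-65535"; no ports means all ports."""
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_allows_iap_ssh(rule, port=22):
    """True if an enabled INGRESS rule admits the IAP range on TCP `port`."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    if not _covers_iap(rule.get("sourceRanges", [])):
        return False
    return any(e.get("IPProtocol", "").lower() in ("tcp", "all")
               and _port_in_ranges(port, e.get("ports", ["1-65535"]))
               for e in rule.get("allowed", []))

def diagnose(firewall_rules, iam_bindings, member):
    """Return (firewall_ok, iam_ok); both must hold for IAP/browser SSH to work."""
    firewall_ok = any(rule_allows_iap_ssh(r) for r in firewall_rules)
    iam_ok = any(b["role"] in TUNNEL_ROLES and member in b.get("members", [])
                 for b in iam_bindings)
    return firewall_ok, iam_ok
# Constructed samples shaped like `gcloud compute firewall-rules list --format=json`
# and the bindings of `gcloud projects get-iam-policy`; not from a real project.
SAMPLE_RULES = [
    {"name": "allow-ssh-corp", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
]
SAMPLE_BINDINGS = [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/compute.admin", "members": ["user:dev@example.com"]},
]
```

With the sample data, the owner passes both checks while the Compute Admin user fails only the IAM check, which matches the asymmetry described in the question.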