6

Assume two users, A and B, have full access to a GCP project. User A creates a VM. Once this is done, it appears user B can log in to the VM and also has sudo access to the VM.

We used the enable-oslogin metadata, but we have an issue where users A and B belong to the same group. Is there any other way that I can restrict access for user B?

Stephen
mo mo

1 Answer

5

As per docs you have 2 options.

  1. Managing Instance Access Using OS Login, this feature gives you more granular control over which users can connect to your instances and what level of permission they have. If you remove roles/compute.osLogin the user won't be able to access any VM in the project (docs).

  2. To grant a user access to a specific instance over SSH only, you can follow the steps below (docs):

  • Add that user to the project team with view access
  • Have that user generate the public SSH key using ssh-keygen and give you that key
  • Go to the instances pane in the Compute Engine section of the Cloud Console and select the instance you want to grant the user access to
  • Click "Add metadata" and type in "sshKeys" for the key and "[username]:[ssh key]", where username is the string in the user's account before the "@" and ssh key is the key that the user generated in step 2.
Stephen
lukaszberwid
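
The metadata value from the last step of the answer above, built and checked in code. This is an added example, not part of the original answer or of Google's tooling. It assumes the metadata value holds one username:key entry per line, so a new entry has to be appended to the current value rather than written over it; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct


def _blob_key_type(blob: bytes) -> str:
    """Read the length-prefixed key-type string that opens an OpenSSH key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def make_entry(email: str, public_key: str) -> str:
    """Return 'username:public key' for one user (hypothetical helper)."""
    if "PRIVATE KEY" in public_key:
        raise ValueError("this is a private key; only the .pub file is shared")
    username = email.split("@", 1)[0]  # the string before the "@"
    if not username or ":" in username or any(c.isspace() for c in username):
        raise ValueError("username cannot be used in a metadata entry")
    fields = public_key.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if _blob_key_type(blob) != fields[0]:
        raise ValueError("declared key type does not match the key blob")
    return f"{username}:{' '.join(fields)}"


def merge_entry(existing_value: str, entry: str) -> str:
    """Append entry to the current metadata value, keeping other users' keys."""
    lines = [ln.strip() for ln in existing_value.splitlines() if ln.strip()]
    if entry not in lines:
        lines.append(entry)
    return "\n".join(lines)


# Constructed sample data: an all-zero ed25519 blob, not a real key.
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " userb@example.com"
EXISTING = "usera:ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " usera@example.com"

if __name__ == "__main__":
    print(merge_entry(EXISTING, make_entry("userb@example.com", SAMPLE_PUB)))
```

The printed text is what goes into the metadata value field; the existing entry for usera is preserved on its own line.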