
I have a developer intern. I need him to access a paid GCP VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux user account so we can see his files when he clones repos, installs services, etc.

He should not have access to modify the instance, no access to change disks or instance size, no access to any other resource. Just SSH and root inside a VM. His account is under his personal email abc..@gmail.com

What exact permissions do I need to give him?

a) I used the default service account, but I could switch it to a project-specific service account that will soon also run Cloud Functions.

b) For Google employees: there should really be a guide/tour for "grant access" that lets people who have fewer than 10 VM instances follow it and grant access properly, without delay and without compromising security. He is unable to do paid work :(.

Related:

  • 52756755 (why does he need the Compute Admin role for a developer? I need him only to develop, not maintain the instance)
  • 62925708 (why does the user need a service account role? He does not need to be creating paid instances)
  • 49384500 (You do not have sufficient permissions to ssh into this instance)
  • do not have permission to ssh into this instance (You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.)
Lucas S.
  • Stackoverflow is oriented towards programming (not admin) questions. Have a look at [OS Login](https://cloud.google.com/compute/docs/oslogin) and see the instructions [Configure OS Login roles on user accounts](https://cloud.google.com/compute/docs/oslogin/set-up-oslogin) which describes enabling OS Login, configuring it for specific VMs and enabling external users. You will need to grant the user `serviceAccountUser` role on Service Accounts that control resources (e.g. Cloud Functions, Cloud Build, Cloud Repos etc.) that are used. – DazWilkin Apr 05 '22 at 16:13
  • Rather than create a one-off solution for this intern, consider generalizing the solution using perhaps an "Interns" group that provides foundational capabilities. – DazWilkin Apr 05 '22 at 16:13
  • 1) Review the roles assigned to the Compute Engine attached service account. All users will have those permissions when running code inside a VM. 2) Review how to create a Linux user and add an SSH key. 3) Regarding your comment: creating Linux users is Linux 101 administration. There are many documents and guides on the Internet. When it comes to creating secure environments, cookbooks do not help you unless you have **experience**. – John Hanley Apr 05 '22 at 18:29
  • Yes. Reading more docs, it does look like one could in theory assign the access to a Google group called interns, etc., but the question still stands. We do need him to access and see the VM instance specs and recommend changes as he progresses through development, or when he runs into a problem: https://console.cloud.google.com/compute/instancesDetail/zones/us-central1-a/instances/programming-intern-1?project=myproject The closest I've got right now is: https://youtu.be/tKkqL7VJju4 The best case would be to get him to the web interface and have him click SSH. Done. compute.instance.get – Lucas S. Apr 05 '22 at 20:17
  • @LucasS. Welcome to Stack Overflow! In addition to the advice provided above from Daz Wilkin I recommend you to take some time to read the following: [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer), [What does it mean if a question is "closed"?](https://stackoverflow.com/help/closed-questions) related to the downvote to your question, [What should I do when someone answers my question?](https://stackoverflow.com/help/someone-answers) and [Privileges](https://stackoverflow.com/help/privileges). – Hector Martinez Rodriguez Apr 07 '22 at 01:45

2 Answers

  1. If the person has a @gmail.com domain then he is an external user and needs to be given the external user permission. Go to IAM & Admin -> from the Project menu select All and click the top organization:

     Add the Compute OS Login External User

  2. Now under the project add the following:

     Add Project - Viewer

     Add Compute Engine - Service Account User

     [optional] Add Compute Engine - Compute View

     Although the Compute View is optional to just SSH, it does help the developer/programmer/intern to know what they are running and recommend configuration changes when the program is ready for go-live.

  3. And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo, or, if just a regular user, "Compute OS Login".

  4. Open the instance, click Edit and enable OS Login under Metadata. Add the following Key: enable-oslogin Value: TRUE

  5. Stop and start the instance. You need it for the permission to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
Lucas S.
  • [Cross-referencing the document I wrote for the next time I hire an intern.](http://write.w5hnews.com/u/cwSNkeLNXf#How%20to%20give%20access%20to%20%22VM%20Instances%22%20to%20the%20intern%3F%20with%20%40gmail.com%20email%20address%20(GCP)) – Lucas S. Jan 09 '23 at 20:06
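The five console steps in this answer as gcloud commands, added here as an example; it is not part of the answer above and not Google's own documentation. The organization id, project, zone, instance name, intern e-mail and the e-mail of the service account attached to the VM are placeholders passed in as arguments; with DRY_RUN=1 the script prints the plan instead of executing it, which is also how it is checked below.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer: the five console steps above
# as gcloud commands, scoped as narrowly as the answer describes (sudo inside
# one VM, nothing else). Every identifier passed in is a placeholder.
set -eu

# With DRY_RUN=1 each gcloud call is printed instead of executed, so the plan
# can be reviewed (or tested) without credentials or a project.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 organization id   $2 project id   $3 zone   $4 instance name
# $5 user e-mail       $6 e-mail of the service account attached to the VM
# $7 "sudo" (default) or "nosudo"
grant_oslogin_access() {
  local org_id="$1" project="$2" zone="$3" instance="$4" user="$5" sa_email="$6"
  local sudo="${7:-sudo}" member="user:$5" login_role

  # Step 1, organization level: a @gmail.com identity is outside the org's
  # Cloud Identity / Workspace domain, so it needs the external-user OS Login role.
  run gcloud organizations add-iam-policy-binding "$org_id" \
    --member="$member" --role=roles/compute.osLoginExternalUser

  # Step 2, project level. roles/viewer is read access to *every* resource in
  # the project; roles/compute.viewer alone is enough to see the VM and its specs,
  # so drop roles/viewer if that is too broad for "no access to any other resource".
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/viewer
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/compute.viewer
  # SSH to a VM with an attached service account needs iam.serviceAccounts.actAs
  # on that account (the "and iam.serviceAccounts.actAs" in the error message).
  # Bind it on the one service account, not project-wide, so the intern cannot
  # act as every service account in the project. Remember that whatever roles
  # this service account holds are available to any code run inside the VM.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$project" --member="$member" --role=roles/iam.serviceAccountUser

  # Step 3, instance level: osAdminLogin grants sudo, osLogin does not.
  if [ "$sudo" = "sudo" ]; then
    login_role=roles/compute.osAdminLogin
  else
    login_role=roles/compute.osLogin
  fi
  run gcloud compute instances add-iam-policy-binding "$instance" \
    --project="$project" --zone="$zone" --member="$member" --role="$login_role"

  # Step 4: turn on OS Login for this VM only (instance metadata overrides
  # project metadata). Metadata-based ssh-keys stop working once OS Login is on.
  run gcloud compute instances add-metadata "$instance" \
    --project="$project" --zone="$zone" --metadata=enable-oslogin=TRUE
}

# Step 5 check: list every project-level role the user now holds, one per line.
# Anything beyond viewer / compute.viewer is more than this answer intends.
list_project_roles() {
  local project="$1" user="$2"
  run gcloud projects get-iam-policy "$project" \
    --flatten='bindings[].members' \
    --filter="bindings.members:user:$user" \
    --format='value(bindings.role)'
}

# Usage: ORG_ID PROJECT ZONE INSTANCE USER_EMAIL SA_EMAIL [sudo|nosudo]
# Afterwards the intern runs `gcloud auth login` with the Gmail account and
#   gcloud compute ssh INSTANCE --zone=ZONE --project=PROJECT
# The POSIX username OS Login assigns is shown by
#   gcloud compute os-login describe-profile
if [ "$#" -ge 6 ]; then
  grant_oslogin_access "$@"
  list_project_roles "$2" "$5"
fi
```

Run it once with DRY_RUN=1 and read the printed bindings before running it for real: the only write-capable role in the plan should be the instance-level osAdminLogin (or osLogin), and the Service Account User binding should name the single service account attached to the VM rather than the project.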

If you need to manage user access to your Linux VM instances, you can use one of the following methods:

To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.

More information about granting users SSH to VM instances can be found here.

Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.

More information about access control for users in Compute Engine here.

About roles and permissions

If you need your employee to be able to see the project you need to grant the access to the project according to your needs.

The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.

And on this page you will find a complete list of the roles and permissions included in Compute Engine.

On the other hand, this guide about setting up OS Login includes the roles and permissions required to complete the process. OS Login is an option suitable to resolve your issue.

  • I've read them all, but it's still unclear what permission he needs to see the project, the VM instance and its specs, and to be able to click SSH in the web interface to get inside and start installing the required software. The search continues. – Lucas S. Apr 05 '22 at 20:19
  • I updated my answer to specifically answer your original question about the access to instances and the permissions required. – Ismael Clemente Aguirre Apr 06 '22 at 15:09
  • Still no go. Day 3. Steps so far: OS Login enabled in IAM. Granted permission for "Service Account User" + "View Service Accounts" + Project Viewer, and at the instance he has: Compute OS Admin Login + Compute OS Login. When he clicks SSH, he gets: You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs. But how does one add these roles in the UI? Add role -> by product -> Compute Engine -> lists some kind of templates, and not individual roles. – Lucas S. Apr 06 '22 at 16:02
  • It also appears we need: compute.osLoginExternalUser, but where exactly do you add that? Since "Add another role" only has templates and I can't name an exact role. – Lucas S. Apr 06 '22 at 16:09
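The first method this answer mentions, adding the user's public key to a specific instance without making them a project member, as an added example that is not part of the answer. It needs no IAM role at all, but it also gives no SSH button in the console: the intern connects with a plain ssh client, and the key line is only honoured while OS Login is not enabled on the VM. The username, instance, zone and key material below are constructed placeholders; the `google-ssh {...}` suffix is Compute Engine's format for a key that stops working at a given time, which suits a fixed-term intern.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above: grant SSH by instance metadata
# instead of IAM. Placeholders throughout; DRY_RUN=1 prints instead of running.
set -eu

DRY_RUN=${DRY_RUN:-0}
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Turn one OpenSSH public-key line into an entry for the VM's "ssh-keys"
# metadata. Compute Engine expects
#   USERNAME:KEY_TYPE KEY_VALUE COMMENT
# or, for a key with an expiry,
#   USERNAME:KEY_TYPE KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"RFC3339"}
# $1 Linux username to create on the VM, $2 public-key line, $3 optional expiry
make_ssh_keys_entry() {
  local user="$1" pubkey="$2" expire="${3:-}" ktype kval
  ktype=${pubkey%% *}
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not an OpenSSH public key (type '$ktype')" >&2; return 1 ;;
  esac
  kval=${pubkey#* }      # strip the key type ...
  kval=${kval%% *}       # ... and any trailing comment
  case "$kval" in        # base64 alphabet only: rejects a pasted private key or a truncated blob
    ""|*[!A-Za-z0-9+/=]*) echo "key value is not base64" >&2; return 1 ;;
  esac
  case "$user" in        # this string becomes the Linux account name on the VM
    ""|*[!a-z0-9_-]*) echo "bad username '$user'" >&2; return 1 ;;
  esac
  if [ -n "$expire" ]; then
    printf '%s:%s %s google-ssh {"userName":"%s","expireOn":"%s"}\n' \
      "$user" "$ktype" "$kval" "$user" "$expire"
  else
    printf '%s:%s %s %s\n' "$user" "$ktype" "$kval" "$user"
  fi
}

# Write the entry to the instance (not project) metadata. add-metadata REPLACES
# the whole ssh-keys value, so the file must contain every key that should stay
# valid: read the current value, append the new entry, write it all back.
# $1 project, $2 zone, $3 instance, $4 entry from make_ssh_keys_entry
add_instance_ssh_key() {
  local project="$1" zone="$2" instance="$3" entry="$4" tmp
  tmp=$(mktemp)
  if [ "$DRY_RUN" != "1" ]; then
    gcloud compute instances describe "$instance" --project="$project" --zone="$zone" \
      --format='value(metadata.items.ssh-keys)' | sed '/^$/d' > "$tmp"
  fi
  printf '%s\n' "$entry" >> "$tmp"
  run gcloud compute instances add-metadata "$instance" --project="$project" --zone="$zone" \
    --metadata-from-file ssh-keys="$tmp"
  rm -f "$tmp"
}

# Usage: PROJECT ZONE INSTANCE USERNAME "ssh-ed25519 AAAA... comment" [EXPIRE]
# The intern then connects with: ssh -i ~/.ssh/id_ed25519 USERNAME@EXTERNAL_IP
if [ "$#" -ge 5 ]; then
  entry=$(make_ssh_keys_entry "$4" "$5" "${6:-}")
  add_instance_ssh_key "$1" "$2" "$3" "$entry"
fi
```

Because the Linux account is created from the username in the entry, the same username must be used for every key that person adds; and since the guest agent creates that account with passwordless sudo by default on Google-provided images, this route does not give the "regular user without sudo" option that the OS Login roles do.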