[英]With OS login, how to gcloud ssh from one GCE into another GCE?
I have two GCEs, both has OS login enabled:我有两个 GCE,都启用了操作系统登录:
1) a_vm provisioned with service account a_svc 1) a_vm 提供了服务帐户 a_svc
2) b_vm provisioned with service account b_svc 2) b_vm 提供了服务帐户 b_svc
a_svc has OS login access to b_vm. a_svc 具有对 b_vm 的操作系统登录访问权限。 a_svc has roles/compute.osAdminLogin at project level and roles/iam.serviceAccountUser at b_svc level.
a_svc 具有项目级别的角色/compute.osAdminLogin 和 b_svc 级别的角色/iam.serviceAccountUser。
What I tried:我试过的:
gcloud compute ssh a_vm
, then gcloud compute ssh b_vm
gcloud compute ssh a_vm
,然后gcloud compute ssh b_vm
What happened:发生了什么:
It times out consistently.它一直超时。 Requests gcloud made before it hangs based on
--log-http
:基于
--log-http
在 gcloud 挂起之前发出的请求:
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/a_svc@fredzqm-terraform-5.iam.gserviceaccount.com/?recursive=True
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ca_svc@my_project.iam.gserviceaccount.com/token
uri: https://compute.googleapis.com/batch/compute/v1
uri: https://compute.googleapis.com/batch/compute/v1
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/a_svc@my_project.iam.gserviceaccount.com/?recursive=True
uri: https://oslogin.googleapis.com/v1/users/a_svc@my_project.gserviceaccount.com/loginProfile?projectId=fredzqm-terraform-5&alt=json
What I expects:我的期望:
Based on https://cloud.google.com/compute/docs/instances/connecting-advanced#sa_ssh_manual , gcloud should pick up the default application credential (a_svc) and use it to get access to b_vm through OS login.基于https://cloud.google.com/compute/docs/instances/connecting-advanced#sa_ssh_manual ,gcloud 应该选择默认的应用程序凭据 (a_svc) 并使用它通过操作系统登录访问 b_vm。
What works:什么工作:
I have verified that a_svc does have ssh access to b_vm.我已经验证 a_svc 确实可以通过 ssh 访问 b_vm。 This works from my workstation using personal creds:
这在我的工作站上使用个人凭据工作:
gcloud compute ssh b_vm --impersonate-service-account a_svc
If I add a ssh public key to a_svc, and then use the public key to ssh into b_vm
.如果我将 ssh 公钥添加到 a_svc,然后使用公钥 ssh 进入
b_vm
。
gcloud compute os-login ssh-keys add --key-file
ssh sa_<id_of_a_svc>@b_vm -i private_key_path
I've tried to reproduce your issue and failed.我试图重现您的问题,但失败了。 I was able to connect to
service-account-b-instance
from service_account_a_instance
as the service account and execute commands as that service account.我能够从
service_account_a_instance
作为服务帐户连接到service-account-b-instance
并作为该服务帐户执行命令。
Have a look at my steps below:看看我下面的步骤:
service_account_a
service_account_a
create VM instance associated with service_account_a_instance
:创建与
service_account_a_instance
关联的 VM 实例:
$ gcloud compute instances create service-account-a-instance --zone=europe-west3-a --machine-type=n1-standard-1 --service-account=service-account-a@test-prj.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --metadata enable-oslogin=TRUE Created [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/service-account-a-instance]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS service-account-a-instance europe-west3-a n1-standard-1 10.156.0.14 35.XXX.75.XXX RUNNING
create service account service_account_b
创建服务帐户
service_account_b
create VM instance service_account_b_instance
associated with service_account_b
:创建虚拟机实例
service_account_b_instance
关联service_account_b
:
$ gcloud compute instances create service-account-b-instance --zone=europe-west3-a --machine-type=n1-standard-1 --service-account=service-account-b@test-prj.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --metadata enable-oslogin=TRUE Created [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/service-account-b-instance]. NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS service-account-b-instance europe-west3-a n1-standard-1 10.156.0.16 35.XXX.255.XXX RUNNING
generate ssh keys:生成 ssh 密钥:
$ ssh-keygen Generating public/private rsa key pair.
import ssh key:导入 ssh 密钥:
$ gcloud compute os-login ssh-keys add --key-file id_rsa.pub
connect to instance service-account-a-instance
:连接到实例
service-account-a-instance
:
$ gcloud compute ssh service-account-a-instance Linux service-account-a-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Mar 2 14:34:51 2020 from 104.132.189.65 user_domain_com@service-account-a-instance:~$
connect to instance service-account-b-instance
from service-account-a-instance
:从
service-account-a-instance
连接到实例service-account-b-instance
service-account-a-instance
:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a ... ssh: connect to host 35.242.255.44 port 22: Connection timed out ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
enable ssh connectivity at VPC network
-> Firewall
and try again:在
VPC network
启用 ssh 连接 -> Firewall
VPC network
试:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a Permission denied (publickey). ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
add role roles/iam.serviceAccountUser
to service-account-a
and try again:将角色
roles/iam.serviceAccountUser
添加到service-account-a
roles/iam.serviceAccountUser
试:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a Linux service-account-b-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Mar 2 16:52:28 2020 from 35.198.75.226 sa_116762935227008431464@service-account-b-instance:~$ sa_116762935227008431464@service-account-b-instance:~$ uname -a Linux service-account-b-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
and finally it works.最后它起作用了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.