
How do I give an intern with an @gmail.com email address access to "VM Instances" (GCP)?

I got a developer intern. I need him to access a paid GCP VM instance I created so he can start developing. He should have root access through sudo, and preferably his own Linux user account so we can see his files when he clones repos, installs services, etc.

He should not have access to modify the instance, no access to change disks or instance size, and no access to any other resource. Just SSH and root inside the VM. His account is under his personal email abc..@gmail.com.

What exact permissions do I need to give him?

a) I used the default service account, but I could switch it to project specific service account that will soon also run cloud functions.

b) For Google employees: there should really be a guide/tour for "grant access" that allows people who have fewer than 10 VM instances to follow it and grant access properly, without delay or compromising security. He is unable to do paid work :(.

Related:

  • 52756755 (why does he need compute admin role for a developer, I need him only to develop and not maintain the instance)
  • 62925708 (why does the user need service account role? He does not need to be creating paid instances)
  • 49384500 (You do not have sufficient permissions to ssh into this instance)
  • do not have permission to ssh into this instance (You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.)

  1. If the person has an @gmail.com domain then he is an external user and needs to be given the external user permission. Go to IAM & Admin -> from the Project menu select All and click the top organization:


Add the Compute OS Login External User


  2. Now under the project add the following:

Add Project - Viewer

Add Compute Engine - Service Account User

[optional] Add Compute Engine - Compute Viewer


Although Compute Viewer is optional for just SSH, it does help the developer/programmer/intern know what they are running and recommend configuration changes when the program is ready for go-live.

  3. And finally we need to give permission at the instance level. So go to Compute Engine -> VM Instances -> Permissions -> Add Principal -> "Compute OS Admin Login" if you want them to use sudo, or "Compute OS Login" if just a regular user.


  4. Open the instance, click Edit and enable OS Login under Metadata. Add the following Key: enable-oslogin Value: TRUE


  5. Stop and start the instance. You need it for the permissions to take effect. During troubleshooting none of this worked until we restarted the instance, and then it was magically fixed.
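The same steps as gcloud commands, added here as an example that is not part of the original answer. The organization id, project, zone, instance name, intern address and service-account name are placeholder assumptions; the Service Account User binding is scoped to the VM's own service account rather than the whole project, which is narrower than the console steps above, and the restart step is left to the operator.

```shell
#!/bin/sh
# Added example (not from the original answer): grant an external @gmail.com
# user OS Login access to a single VM with least privilege. All values below
# are placeholders (assumptions); override them via the environment.
# DRY_RUN=1 prints the gcloud commands instead of executing them.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                 # placeholder org numeric id
PROJECT="${PROJECT:-my-project}"                 # placeholder project id
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-dev-vm}"
INTERN="user:${INTERN_EMAIL:-intern@gmail.com}"  # consumer account => external user
VM_SA="${VM_SA:-vm-runtime@my-project.iam.gserviceaccount.com}"  # the VM's own SA

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_intern_oslogin sudo|nosudo
grant_intern_oslogin() {
  if [ "$1" = sudo ]; then role=roles/compute.osAdminLogin; else role=roles/compute.osLogin; fi

  # 1. An external (non-organization) account must be allowed to use OS Login,
  #    granted at the organization level.
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="$INTERN" --role=roles/compute.osLoginExternalUser
  # 2. Project level: read-only visibility so `gcloud compute ssh` can resolve
  #    the VM. Compute Viewer grants no ability to change instances or disks.
  run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="$INTERN" --role=roles/compute.viewer
  # 3. iam.serviceAccounts.actAs on the VM's service account only, not on every
  #    service account in the project.
  run gcloud iam service-accounts add-iam-policy-binding "$VM_SA" \
      --project="$PROJECT" --member="$INTERN" --role=roles/iam.serviceAccountUser
  # 4. The OS Login role on this one instance; nothing on other resources.
  run gcloud compute instances add-iam-policy-binding "$INSTANCE" \
      --project="$PROJECT" --zone="$ZONE" --member="$INTERN" --role="$role"
  # 5. Turn OS Login on for the instance (the metadata key from the answer).
  run gcloud compute instances add-metadata "$INSTANCE" \
      --project="$PROJECT" --zone="$ZONE" --metadata=enable-oslogin=TRUE
}
```

Run `DRY_RUN=1 ./grant.sh` style (call `grant_intern_oslogin sudo` or `nosudo` at the end of the script) to review the exact bindings before applying them.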

If you need to manage user access to your Linux VM instances, you can use one of the following methods:

To give a user the ability to connect to a VM instance using SSH without granting them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances.

More information about granting users SSH access to VM instances can be found here.

Regarding your question about the roles required and why, here is more information about granting access to an organization using Cloud IAM roles.

More information about access control for users in Cloud Compute Engine is here.

About roles and permissions

If you need your employee to be able to see the project you need to grant the access to the project according to your needs.

The basic roles are owner, editor and viewer. Here you will find a more detailed explanation about roles and permissions using Cloud IAM to control the access for your project.

And in this page you will find a complete list of the roles and permissions included in Cloud compute engine.

On the other hand, this guide about setting up OS Login includes the roles and permissions required to complete the process. OS Login is a suitable option to resolve your issue.
