
How can I prevent users in my GCP VM instance from becoming root?

I created an Ubuntu VM on GCP Compute Engine.

Some details:

Image: ubuntu-minimal-2204-jammy-v20220810
Machine type: e2-micro
CPU platform: Intel Broadwell
Architecture: x86/64

I added one user using SSH keys. This user can access the VM properly, no problem here. But he can also become root like this:

# he resets the root password
sudo passwd

# then he can become root using the freshly created password
su

How can I prevent this?

I tried to remove this user from the sudoers but without success:

root@vm_test:/home/user# sudo deluser user_test sudo
/usr/sbin/deluser: The user `user_test' is not a member of group `sudo'.

EDIT: My sudoers config file looks like this. I might modify it to restrict access. But I don't understand how.

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

In IAM, give them roles/compute.osLogin, not roles/compute.osAdminLogin or roles/compute.instanceAdmin.

The SSH access method that you are using (Manage SSH keys in metadata) leverages the access management to a directory service; if you want to control the access level to your instance(s) using Google's Identity Service, you need to use the OS Login method instead.

Here is an example granting normal user access to an instance named 'ubuntu-test' to the user 'test-user@gmail.com':

gcloud compute instances add-iam-policy-binding ubuntu-test \
    --member='user:test-user@gmail.com' \
    --role='roles/compute.osLogin' \
    --zone=<instance_zone>

Note: Unlike the Manage SSH key method, in the OS Login method the user must exist in the GCP database in order to properly assign the permissions.
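To check which members of an instance's IAM policy hold a role the answer above says not to grant, here is an added example (not code from the question or the answer) that classifies the JSON printed by `gcloud compute instances get-iam-policy INSTANCE --zone ZONE --format=json`. The policy it parses is a constructed sample; the member names and etag are made up.

```python
"""Audit an instance IAM policy for OS Login bindings that confer root."""
import json

# Roles named in the answer: osLogin gives a shell without sudo, the others
# let the member become root (directly via OS Login, or by editing instance
# metadata such as SSH keys). instanceAdmin.v1 is the GA name of instanceAdmin.
LOGIN_ROLE = "roles/compute.osLogin"
ROOT_ROLES = {
    "roles/compute.osAdminLogin",
    "roles/compute.instanceAdmin",
    "roles/compute.instanceAdmin.v1",
}
RANK = {"other": 0, "login": 1, "root": 2}  # the broadest grant wins

SAMPLE_POLICY = json.dumps({  # constructed sample, not real gcloud output
    "bindings": [
        {"role": "roles/compute.osLogin",
         "members": ["user:test-user@gmail.com"]},
        {"role": "roles/compute.osAdminLogin",
         "members": ["user:ops@example.com", "group:admins@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:deploy@example.iam.gserviceaccount.com"]},
        {"role": "roles/compute.viewer",
         "members": ["user:test-user@gmail.com"]},
    ],
    "etag": "BwX0000000=",
})


def classify_members(policy_json: str) -> dict:
    """Return {member: "login" | "root" | "other"} for every bound member."""
    policy = json.loads(policy_json)
    result = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        level = "root" if role in ROOT_ROLES else "login" if role == LOGIN_ROLE else "other"
        for member in binding.get("members", []):
            # keep the highest level seen for this member across all bindings
            if RANK[level] > RANK.get(result.get(member, "other"), 0):
                result[member] = level
    return result


def root_capable(policy_json: str) -> list:
    """Members that should be downgraded to roles/compute.osLogin."""
    return sorted(m for m, lvl in classify_members(policy_json).items() if lvl == "root")


if __name__ == "__main__":
    for member, level in classify_members(SAMPLE_POLICY).items():
        print(f"{level:5}  {member}")
```

Only the instance-level policy is inspected; the same roles granted at project level are inherited by every instance, so run the same check on the output of `gcloud projects get-iam-policy` as well.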
