Google Cloud OS Login - For User account and Service Account | GCP OS Login

  • Published: 7 Aug 2024
  • Important commands:
    gcloud compute os-login ssh-keys add --key-file .ssh/id_rsa.pub
    roles/compute.osLogin for non-root access
    roles/compute.osAdminLogin for users who get sudo
    gcloud auth activate-service-account --key-file=[YOUR JSON FILE]
    roles/iam.serviceAccountUser
    Important Links:
    github.com/GoogleCloudPlatfor...
    cloud.google.com/compute/docs...
    - Questions? Thoughts? Disagreements? Tell us here in the comments.
  • Category: Science
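The role list above decides who can SSH and who also gets sudo. As an added example that is not part of the video, the Python below audits the JSON emitted by `gcloud projects get-iam-policy PROJECT --format=json`, reports each principal's OS Login access level, and flags the basic owner/editor roles, which grant far more than SSH access. The policy, groups and principals are constructed sample values.

```python
import json

# Roles the video lists, plus the related ones raised in the comments.
SSH_ROLES = {
    "roles/compute.osLogin": "ssh (no sudo)",
    "roles/compute.osAdminLogin": "ssh + sudo",
    "roles/compute.osLoginExternalUser": "OS Login profile for external users",
    "roles/iam.serviceAccountUser": "can act as the VM's service account",
}
# Basic roles are far broader than SSH access and also carry the OS Login
# admin permissions, so they are reported as a finding, not an access level.
BASIC_ROLES = {"roles/owner", "roles/editor"}


def oslogin_report(policy):
    """Map each principal to a sorted list of the SSH-relevant access it holds."""
    report = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in SSH_ROLES:
            label = SSH_ROLES[role]
        elif role in BASIC_ROLES:
            label = f"basic role {role} (too broad; grant an OS Login role instead)"
        else:
            continue  # binding unrelated to instance access
        for member in binding.get("members", []):
            report.setdefault(member, set()).add(label)
    return {member: sorted(labels) for member, labels in report.items()}


def sudo_principals(policy):
    """Principals that end up with root on every OS Login VM in the project."""
    return sorted(
        member for member, labels in oslogin_report(policy).items()
        if any(l == "ssh + sudo" or l.startswith("basic role") for l in labels)
    )


# Constructed sample in the shape `gcloud projects get-iam-policy` emits.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/compute.osLogin",
     "members": ["group:group1@example.com", "user:user1@example.com"]},
    {"role": "roles/compute.osAdminLogin", "members": ["group:group2@example.com"]},
    {"role": "roles/editor", "members": ["user:legacy-admin@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:group1@example.com"]}
  ],
  "etag": "constructed", "version": 1}""")

if __name__ == "__main__":
    for member, labels in sorted(oslogin_report(SAMPLE_POLICY).items()):
        print(f"{member:35} {'; '.join(labels)}")
    print("sudo everywhere:", sudo_principals(SAMPLE_POLICY))
```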

Comments • 61

  • @CloudAdvocate  4 years ago +8

    Had to create this video twice, thanks to mic issue. I am going to get OS Login in my dreams now :)

  • @GAJARI  2 years ago

    Cool Google Cloud VM instance tuts bro, keep rocking. The best gcloud intro.

  • @dsulvadarius  3 years ago +1

    Wow! I'm definitely going to try this out.

  • @joelgauci85  2 years ago

    great video, very clear! Thanks

  • @ibmuser13  3 years ago

    Thanks for the great content GK.
    So OS Login can only be leveraged via Cloud Shell and not via PuTTY, is that correct?

  • @villaran9295  3 months ago

    Thank you so much!

  • @qhnew6507  3 years ago +1

    Many Thanks

  • @vinodthirumalaiswamy7474  1 year ago

    Thanks for the video, it's good. I have a query: whether a single service account can access multiple VMs in multiple projects to execute commands.

  • @sseerangan  3 years ago

    Thanks for the wonderful video, I was not able to get this concept clearly from the GCP documentation. Question: I think you should have at minimum the EDITOR primitive role for this to work (the VIEWER primitive role doesn't work when I checked), otherwise it is not going to work. Please correct me if my understanding is not right.

  • @christianchristian4906  3 years ago

    Hi, thank you so much for this informative video.
    I'm trying to log in to a VM using PuTTY and OS Login is enabled; can you please provide me with the extra steps?
    The documentation mentions that we must use the "public-openssh" format. Can you advise what this format is and how the file will look like? Also, what is the username that I must log in with? Thanks in advance.

  • @nilavasen8631  2 years ago

    Hello GK, how are you doing?
    I would like to have a suggestion from you. I am experienced in the IT field and currently would like to switch to the Cloud domain, mainly the Infra Automation part (Terraform, Ansible etc.).
    I am confused which cloud to pick for that, between AWS and GCP. If you can suggest which one will be easy to start and pick up in a few months maybe.
    Thanks and have a great day!!

  • @sseerangan  3 years ago +1

    Please make more such videos! Wonderful content!! Particularly, I like the service-account concept; I had a very challenging time understanding this concept. One suggestion is that you should have tried this with a brand new "non-owner" account so that we know exactly what it takes to configure from ground zero. Question: I granted the "Editor Primitive Role" + "Compute OS Login" role to a new Gmail account, but I am able to sudo into the root account (sudo su -). What is missing here? Thanks in advance.

    • @CloudAdvocate  3 years ago +1

      You don't need a primitive role. All you need is the osLogin user role if you don't want the user to have root access.

  • @zohebsiddiqui4975  3 years ago

    Hey friend,
    Can you please share the steps for installing Ubuntu and how to connect to the VM instance thereafter using it?
    And how to install the gcloud SDK; should I use `gcloud init`, would that be enough?
    Please suggest.

  • @rendybjunior  2 years ago

    Wondering why the official documentation is so confusing. Thanks, this helps a lot!

  • @NareshVideoList  3 years ago

    Thank you for the great video.
    I have downloaded the service account's tfsvc.json key file to my local Windows Downloads folder. When I give --key-file=tfsvc.json on the Ubuntu 18.04 terminal, it gives me a "tfsvc.json file not found" error. How did you copy the tfsvc.json file to the Ubuntu terminal? Could you please share the steps?

  • @preciseair2590  3 years ago

    I'm trying to connect to a Google Sheets service account using a JWT but keep receiving a 401. Is that possible at all, or do I have to create a Google Cloud account?
    (I can already connect and create spreadsheets etc. using OAuth2.)

  • @thameemsulthan6790  3 years ago

    Need help!! Any idea how to fix the below error message?
    You do not have sufficient permissions to SSH into this instance. You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.

  • @yashashavimomyan5561  2 years ago

    Does this work when you want to SSH into a host without an external IP using IAP?

  • @HemantSahu-wc9yp  2 years ago

    After adding a user and assigning the OS Login permission, while connecting I'm getting "no supported authentication method available (server sent public key)".

  • @Cloud-Radio  3 years ago

    Will this process work for Windows machines as well?

  • @co88liwan31  2 years ago

    Hi Host, thanks for your great demo! One thing that confused me a lot is why we need the "Service Account User" role for a service account. As far as I know this role is usually assigned to a user account; could you please provide the related doc link about this?

    • @chouse  2 years ago

      cloud.google.com/compute/docs/instances/managing-instance-access#grant-iam-roles
      "If your VM uses a service account, then each user that connects to the VM using SSH has the ability to impersonate the service account. To ensure that the impersonation follows best practices, configure each user to have the roles/iam.serviceAccountUser role on the service account. "

  • @ptlc8  2 years ago

    Thanks for the video, this is handy. Will this work in a Windows environment using PuTTY, or something replacing PuTTY for Windows users? Asking for a friend 😊

  • @nileshjaiswal9738  3 years ago

    Sir, can you please make a video on creating an EC2 virtual machine which can be operated by multiple users simultaneously? Basically I want to create a single machine and install a software on it, and that software can be used by multiple users through that single virtual machine through multiple logins.
    Is it possible 🙏🙏🙏

  • @shaikhadnan1860  2 years ago

    I have started learning about GCP, so I enrolled in a GCP trial account, but it did not give me a trial account after filling in all the details and debited 2 Rs as well; it threw an error, and when I'm making my first VM it shows me billing things: add billing, manage billing.
    Does anyone know about this??

  • @Emilioicarlyfan  2 years ago

    Hello, does someone have the information that needs to be added to the JSON file to provide non-root access? Please!

  • @Fabiopazzo88  4 years ago

    Hey mate! Thanks a lot for this video, it was super useful. I have a question for you.
    My idea is to create 2 different service accounts (one with root access and the other one without), then associate a group of users with one service account and another group of users with the other service account.
    At this point, I would love that the users just authenticate using their user account and authenticate to the VM with the right permissions.
    Do you think it is possible to have this kind of configuration? And if yes, how can I associate the users to the service accounts then?
    Happy to have a chat with you mate if this is not clear enough =)
    thanks again for your effort in making these videos and for your time.
    All the best
    Fabio

    • @CloudAdvocate  4 years ago

      Hi Fabio,
      You can add a group of users who are non-admins and give them osLogin, and another group of users osAdminLogin. Why do you want to use a service account? Trying to understand.
      Thanks :)

    • @Fabiopazzo88  4 years ago

      @@CloudAdvocate Hey mate, thanks for your reply. From my understanding, we can associate only one service account to a single VM, right? But how can I configure the two different permissions in a single SA? I am not sure I am understanding correctly how it works; I mean, why does the user have to switch to a SA if he already has his user account?

    • @CloudAdvocate  4 years ago

      Hi Fabio,
      Let me explain the scenario and maybe you can let me know if I misunderstood it.
      1. Let's say you have a group1 of users, let's call it group1@gmail.com, and in that there is a user user1@gmail.com.
      2. You have another group2 of users, let's call them group2@gmail.com, and there is a user2@gmail.com.
      group1 is added to IAM with the permissions of osLogin.
      group2 is added to IAM with the permission of osAdminLogin.
      Now when user1@gmail.com tries to do gcloud ssh to any compute instance in that project, the user will log in as a normal user without sudo permissions. That's the account type configured for him on the VM which is trying to connect to the GCE instance.
      Likewise, when user2 connects from his/her VM with gcloud, that user2 connects as admin.
      Am I thinking it right? Please let me know if not; we can chat in any other forum or in FB chat.

    • @Fabiopazzo88  4 years ago

      Hey mate, thanks for your reply... yes, the scenario you described is the right one. My question was: if user1@gmail.com wants to log in with his user account, what is the service account used for? I mean, the different privileges are defined in the two groups' settings, group1 osLogin and group2 osAdminLogin. So what's the pro of using the service account now? And how can I manage the service account associated with the VM with two different groups?

  • @zohebsiddiqui4975  3 years ago

    How to create the JSON file for the user? I saw your video for the service account, but could not find where you talked about JSON, and it was the JSON of Compute Engine, not the service account. Can you please share?

    • @CloudAdvocate  3 years ago +1

      When you create the service account, on the same screen you will see an option to generate a key and download the JSON.

  • @attotadinesh356  4 years ago

    @Cloud_Advocate thanks for the video. I have a few queries regarding OS Login and managing instance access. In the video you uploaded the public key project-wide, so any person who has the associated private key will have access to all the instances in the Compute Engine console.
    What if we need to control VM access to specified persons? Let's say we have 10 people and 10 instances in the cloud and we need to assign one instance to one single person so that other persons shouldn't have access to others' VMs. Could you please let me know how we can resolve this scenario?
    Also, if I'm the administrator and have rights to add users, how can I add a public key to the user created through the console, so that the user can access the VM?
    If possible, could you please do a video for the same.

    • @CloudAdvocate  4 years ago

      Hi Dinesh, I have never copied a public key at the project level. Not sure which section of the video you found that in. You can give osLogin permissions to your users and they can copy their keys using the command that I showed for my user. Also, you can remove OS Login if you don't want it and add each user's keys to individual instances. I hope I have clarified :)

    • @pradeeparajmohan2976  3 years ago

      Hi Dinesh, for one person to one instance you can add a firewall rule (Target: which instance, and Source: user IP) and tag it to the instance.

  • @Rocky0000  2 years ago

    Not sure how we can implement this for a Windows VM.

  • @kirupa0512  4 years ago

    Also, what's the purpose of the Compute OS Login External User role?

    • @CloudAdvocate  4 years ago +1

      For external users... not part of the organization. It's well documented on the website :)

  • @maamukutty  4 years ago

    It's a nice video bro. I'm having a few doubts... what if my service account JSON file is mistakenly shared with a person or he steals it? Then he can access the instance, right? If I manually add users' SSH keys, this type of problem won't occur. How is GCP stating this is more secure?

    • @CloudAdvocate  4 years ago +1

      Good question Hari. Let me explain to you how it generally works in bigger organizations. When you have 100's or 1000's or 100k developers, it's impossible to copy the keys and maintain them for each user, and it's risky too. So companies sync OS Login with Active Directory and they create a specific role with minimum permissions. So let's say something is compromised; all they have to do is remove the permissions or role from IAM. That's why it's more secure than maintaining each user's keys; also, users' keys are not easy to maintain and it is not a scalable solution. If we are talking about service account keys getting compromised, there is always that risk associated with anything... even in AWS, what if your access keys and secret keys are compromised... so they have to be secured, rotated and given only the permissions that are required. Hope it helps :)

    • @maamukutty  4 years ago

      @@CloudAdvocate That's an awesome answer bro. I too thought that rotating the service account on a daily basis will give less leverage to any attacks. Since this video is about login, I'm placing one more doubt: you could have come across the term RDP (Remote Desktop Protocol), where by entering an instance IP and password one can connect to it. Can we restrict it by saying only a user who has access at the project or resource level can log in, otherwise he can't, even if he enters the right password?

    • @CloudAdvocate  4 years ago

      @@maamukutty I am very poor in Windows, but I am sure there must be OS Login for Windows too. I am sorry I can't answer this because I haven't tried it :).

    • @maamukutty  4 years ago

      @@CloudAdvocate cloud.google.com/solutions/chrome-desktop-remote-on-compute-engine
      Please look through this; it would be better if you make a video out of it. Business people can't do SSH since they are not technical. This would create a GUI for the VM instance.

    • @CloudAdvocate  4 years ago

      @@maamukutty Thank you.

  • @kirupa0512  4 years ago

    Thank you for the video. So, when we enable OS Login project-wide it says it will inherit the feature in all instances, but I don't find the OS Login feature in existing instances as well as new instances which we create. It's like we have to enable OS Login manually.

    • @CloudAdvocate  4 years ago

      What do you mean by "you don't find"? Are you not able to log in?

    • @kirupa0512  4 years ago

      @@CloudAdvocate Inherit in the sense that it will be present there by default, right? Once we set it for the project.

    • @CloudAdvocate  4 years ago

      @@kirupa0512 Yes, you don't have to set it manually for each project.

    • @kirupa0512  4 years ago

      @@CloudAdvocate But it's like we have to assign it for each VM instance even after enabling it for the whole project.

    • @CloudAdvocate  4 years ago

      @Kirupa Cse what do you mean by enable? As long as your user has permission to log in, you can log in to all instances. If you are talking about the service account, yes, it should be there on existing instances too. Hope it helps. Please read this: cloud.google.com/compute/docs/instances/managing-instance-access

  • @hakhandare  3 years ago

    How to get the password for the newly created VM? I want to use the username/password method to connect to the VM.

  • @ganeshdas1051  2 years ago

    The console is at the very bottom; the YouTube playbar disturbs it here on desktop.

  • @satyajitmohanty766  3 years ago

    Aws