Adding new "team members" with minimal privileges, but access to "ssh over https" terminal sessions


James Lampert

Aug 16, 2017, 7:51:31 PM
to gce-discussion
I'm looking over the docs for IAM, and the more I look at them, the more confused I get.

Here is the situation:

We have a GCE instance, launched from the Bitnami Trac image, that's running our Trac and SVN servers, along with experimental MySQL and Tomcat servers. And we have developers who are going to need to open terminal sessions on it.

Now, I was given several kinds of Admin access myself (albeit not anything that allows me to even see the IAM console screens). Among other things, I can access the "ssh over https" terminal portal (and "sudo" in it), change firewall rules, and manually add ssh keys.

But aside from what I've given the other developers in Trac, SVN, and MySQL, and what I'll be giving them in Tomcat, all they need is the ability to open terminal sessions.

I could of course just manually generate user profiles for the developers, have them generate keypairs for whatever ssh clients they have, and send me the public keys to be added under those user profiles, but minimal console access with the "ssh over https" portal is so much more convenient to use.

So what is the minimum we can give these developers so that they can sign on to the console and open a terminal session from their browsers, and how do we grant it?

--
JHHL

Kamran (Google Cloud Support)

Aug 17, 2017, 12:00:15 AM
to gce-discussion

Hello James,

To grant your developers (users) only login access to a Compute Engine instance as standard (non-administrator) users, the "Compute OS Login" IAM role can be assigned to the users. However, this IAM role is currently in Alpha release and your project has to be whitelisted to be able to use it. I'll reach out to our backline team to find out the process for whitelisting this feature for your project and will contact you by email as soon as I get information.
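
An added example, not part of the thread or of Google's documentation: binding a list of developers to the role named in the reply inside an IAM policy document, and flagging developers who already hold a broader role that makes the minimal grant moot. The role ID `roles/compute.osLogin`, the shortlist of broad roles, the policy contents and the example.com accounts are assumptions constructed for illustration.

```python
import copy
import json

# ID of the "Compute OS Login" role (assumption: the thread gives only the display name).
OS_LOGIN = "roles/compute.osLogin"
# Roles that grant more than a standard-user login (constructed shortlist, not exhaustive).
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin",
               "roles/compute.instanceAdmin.v1", "roles/compute.osAdminLogin"}

def grant_os_login(policy, members):
    """Return a copy of `policy` with `members` bound to OS_LOGIN (idempotent)."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    # Reuse an existing unconditional binding rather than adding a duplicate.
    binding = next((b for b in bindings
                    if b["role"] == OS_LOGIN and "condition" not in b), None)
    if binding is None:
        binding = {"role": OS_LOGIN, "members": []}
        bindings.append(binding)
    binding["members"] = sorted(set(binding["members"]) | set(members))
    return new

def excess_roles(policy, members):
    """Map each listed member to the broad roles bound to it directly in `policy`."""
    found = {}
    for b in policy.get("bindings", []):
        if b["role"] in BROAD_ROLES:
            for m in set(b["members"]) & set(members):
                found.setdefault(m, set()).add(b["role"])
    return found

# Constructed sample data: a project policy and the developers to onboard.
SAMPLE_POLICY = {"version": 1, "bindings": [
    {"role": "roles/owner", "members": ["user:lead@example.com"]},
    {"role": "roles/editor", "members": ["user:dev1@example.com"]},
]}
DEVELOPERS = ["user:dev1@example.com", "user:dev2@example.com"]

if __name__ == "__main__":
    updated = grant_os_login(SAMPLE_POLICY, DEVELOPERS)
    print(json.dumps(updated, indent=2))
    for member, roles in sorted(excess_roles(updated, DEVELOPERS).items()):
        print(f"{member} also holds {sorted(roles)}: the minimal role does not restrict them")
```

The policy dictionary has the shape that `gcloud projects get-iam-policy --format=json` emits and `gcloud projects set-iam-policy` accepts. The check only sees direct bindings in that one policy, not roles reached through groups or inherited from a folder or organization.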

James Lampert

Aug 18, 2017, 5:22:33 PM
to gce-discussion
Thanks

I've forwarded the email version of your reply to "the powers that be" on my end, along with a link to the thread, and they may be joining in.

--
JHHL