os login doesn't work

629 views

moneshwari D

Dec 24, 2019, 10:47:29 AM12/24/19
to gce-discussion
Hello Everyone , 

I have added the Compute OS Login IAM role to a user and added the enable-oslogin parameter under the custom metadata of an instance. But still that user is not able to SSH into the instance.

When I checked the logs, I got this error message:

Dec 24 08:43:02 instance-1 sshd[10015]: error: AuthorizedKeysCommand /usr/bin/google_authorized_keys ************_gmail_com failed, status 1
Dec 24 08:43:03 instance-1 sshd[10015]: Connection closed by 74.125.41.32 port 46374 [preauth]

As the owner of the project, I'm able to SSH into an instance without project/instance-wide SSH keys by using only the IAM role.

Any help would be appreciated.

Thanks,
Deena 

Digil (Google Cloud Platform Support)

Dec 24, 2019, 2:35:11 PM12/24/19
to gce-discussion
Hello Deena,

It doesn't seem like a defect within the platform, because you as an 'Owner' were able to access the instance without any issue. I strongly suspect this is an issue connected with granting OS Login IAM roles to the user accounts. Therefore, I would recommend that you refer to the help center article on 'Setting up OS Login'.

As explained in the section about configuring OS Login roles on user accounts, apart from one of the login roles (roles/compute.osLogin & roles/compute.osAdminLogin), your user must also have the 'roles/iam.serviceAccountUser' role.


moneshwari D

Dec 26, 2019, 4:16:25 AM12/26/19
to gce-discussion
Hello Digil,

Thanks for the reply.

As you said, after adding the role 'roles/iam.serviceAccountUser', the user was able to access the instance. But as per the article 'Setting up OS Login', we should add this role 'roles/iam.serviceAccountUser' to the user only if the VM instance uses a service account, that also on the service account that is associated with the VM instance.

Please clarify.

Thanks,
Deena

Alexandre Duval-Cid

Dec 26, 2019, 10:38:38 AM12/26/19
to gce-discussion
Hey,

When enabling OS Login, the credentials are no longer managed by the project's metadata; they are managed through service account credential management. You can give the role "roles/iam.serviceAccountUser" to the user or the service account associated with the instance. The credentials will then be managed by one of the service accounts.

thanks,
Alex

Kirill Katsnelson

Dec 26, 2019, 12:06:52 PM12/26/19
to gce-discussion
Deena,

> As you said, after adding the role 'roles/iam.serviceAccountUser', the user was able to access the instance. But as per the article 'Setting up OS Login', we should add this role 'roles/iam.serviceAccountUser' to the user

The reason for this is that whoever is logged on to the instance can act with the privileges of the service account of that VM. Anyone logged on can use curl to get the token of the VM's account, or just use gcloud (without going through the authentication flow, like gcloud init) to do anything the service account is permitted to do.

> only if the VM instance uses a service account, that also on the service account that is associated with the VM instance.

This sounds circular to me, but if I understand the concern, the role may be granted on the service account itself (in this case, you allow the user having the grant to use only that specific service account), or at the compute project level (which allows the grantee to use just any service account within the project). Depending on the security architecture of your project, you may want one or the other. Granting the role on individual service accounts obviously gives you more discretionary control, but increases the administrative burden.

 -kkm
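The two requirements laid out in this thread (Digil's point that an OS Login user needs one of the login roles plus roles/iam.serviceAccountUser when the VM has a service account attached, and Kirill's point that the serviceAccountUser grant can be scoped to one service account or to the whole project) can be checked from exported IAM policies before anyone tries to SSH. The script below is an added example written for this thread, not code from Google or from any of the posters. It assumes policies in the JSON shape returned by `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy`; the policies, principals and service account e-mail embedded in it are constructed samples, and only project-level and service-account-level bindings are modelled (instance-level bindings and IAM conditions are not).

```python
"""Audit OS Login access for a VM from IAM policy bindings.

Added example for this thread; not Google's code and not the posters' code.
Policies below are constructed samples in the shape of
  gcloud projects get-iam-policy PROJECT --format=json
  gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
Assumes enable-oslogin=TRUE is already set on the instance.
"""

LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"
# The basic Owner role carries every permission, which is why the project
# owner in the thread could SSH without any extra grant.
SUPERSET_ROLES = {"roles/owner"}

# Constructed sample: project-level IAM policy.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:owner@example.com"]},
        {"role": "roles/compute.osLogin",
         "members": ["user:deena@example.com", "user:bob@example.com",
                     "user:carol@example.com"]},
        # Project-wide serviceAccountUser: bob may act as ANY SA in the project.
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com"]},
    ]
}

# Constructed sample: IAM policy on the service account attached to the VM.
VM_SA = "vm-sa@example-project.iam.gserviceaccount.com"  # hypothetical
SA_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:deena@example.com"]},
    ]
}


def roles_for(policy, member):
    """Set of roles `member` holds directly in one IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def os_login_check(member, project_policy=PROJECT_POLICY, sa_policy=SA_POLICY,
                   vm_has_sa=True):
    """Decide whether `member` can OS Login to the VM and how broadly they may act as its SA.

    Returns a dict with: allowed (bool), sa_scope ('owner', 'service-account',
    'project' or None), reasons (missing grants), warnings (over-broad grants).
    """
    proj_roles = roles_for(project_policy, member)
    sa_roles = roles_for(sa_policy, member)
    result = {"allowed": True, "sa_scope": None, "reasons": [], "warnings": []}

    if proj_roles & SUPERSET_ROLES:
        result["sa_scope"] = "owner"
        return result

    if not proj_roles & LOGIN_ROLES:
        result["allowed"] = False
        result["reasons"].append(
            "missing roles/compute.osLogin or roles/compute.osAdminLogin")

    if vm_has_sa:
        if SA_USER_ROLE in sa_roles:
            # Narrow grant: may act only as this VM's service account.
            result["sa_scope"] = "service-account"
        elif SA_USER_ROLE in proj_roles:
            # Broad grant: may act as every service account in the project.
            result["sa_scope"] = "project"
            result["warnings"].append(
                f"{member} holds {SA_USER_ROLE} project-wide; consider granting "
                f"it on {VM_SA} only")
        else:
            # This is the gap the thread hit: login role present, SA grant absent.
            result["allowed"] = False
            result["reasons"].append(f"missing {SA_USER_ROLE} on {VM_SA}")
    return result


def audit_report(project_policy=PROJECT_POLICY, sa_policy=SA_POLICY):
    """Run the check for every principal named in either policy."""
    members = set()
    for pol in (project_policy, sa_policy):
        for b in pol.get("bindings", []):
            members.update(b.get("members", []))
    return {m: os_login_check(m, project_policy, sa_policy)
            for m in sorted(members)}


if __name__ == "__main__":
    for member, r in audit_report().items():
        status = "ALLOW" if r["allowed"] else "DENY "
        print(f"{status} {member:28} scope={r['sa_scope']}")
        for line in r["reasons"] + r["warnings"]:
            print(f"       {line}")
```

In the sample, deena is allowed with the narrow per-service-account grant, bob is allowed but flagged because his serviceAccountUser binding is project-wide, and carol is denied for exactly the reason the thread's sshd log surfaced (login role present, no serviceAccountUser on the VM's service account). Feeding the script real policy exports lets you confirm the grant scope before the first SSH attempt rather than after a failed AuthorizedKeysCommand.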
