Allow service account ssh access (compute instance admin) to specific instances.

[Matthew Lenz]

All my instances are using custom service accounts based on server type (static-sa, application-sa, db-sa).

I have a remote system so I created a service account (lets call the service account remote-sa) with keys and activated the service account on a specific user.

How do I give remote-sa the ability to ssh into instances using static-sa and application-sa but not db-sa?

[Carlos (Cloud Platform Support)]

Hi Matthew,

I believe you should actually specify the keys for the db-sa servers at the instance level. In that way only specific keys for those type of VMs will have access to them.

[Matthew Lenz]

What about making the remote-sa a service account actor on the instance service accounts that I want it to be able to interact with?

It seems to have the desired effect. But I'm concerned about other security issues that might occur because of it. One thing I noticed is when I remove the remote-sa has a service account actor on those instance sa's that it doesn't also remove the SSH key that gets added directly to any instances that use those designated instance-sa's.

I can't decide if that's a feature or a bug.

[Matthew Lenz]

Actually it doesn't work that way upon further review.  I think it let me in because I had given the SA editor permissions under IAM.

It still seems there must be some way to do what I'm attempting without having to specify the keys and ssh directly into the instance.

[Carlos (Cloud Platform Support)]

Hi Matthew, 

I have been reviewing the documentation but I do not think there is another way beside setting the SSH keys in the instances.  To ease the setup, you could use a management system like chef, puppet, salt, ansible to manually configure the SSH accounts on certain machines and set ssh authorized_keys for those accounts.

If you instances have not been deployed you can use an instance template that has the required authorized_keys.