In my RHEL7 instance on GCE I use a software package I installed from the command line using its bash-scripted installer. The installer creates a user xyz the software runs under, and a group xyzgroup, and adds both user xyz and the user who ran the installer (e.g. gce_user) to the xyzgroup group. But the GCE google-accounts-daemon.service (GAD) periodically removes user gce_user from the group xyzgroup:
sudo systemctl -l status google-accounts-daemon.service
[...]
Aug 03 23:36:18 rhel7-n4 usermod[7702]: delete 'gce_user' from group 'xyzgroup'
Aug 03 23:36:18 rhel7-n4 usermod[7702]: delete 'gce_user' from shadow group 'xyzgroup'
Aug 23 05:12:36 rhel7-n4 usermod[26008]: delete 'gce_user' from group 'xyzgroup'
Aug 23 05:12:36 rhel7-n4 usermod[26008]: delete 'gce_user' from shadow group 'xyzgroup'
Sep 05 20:59:26 rhel7-n4 usermod[21884]: delete 'gce_user' from group 'xyzgroup'
Sep 05 20:59:26 rhel7-n4 usermod[21884]: delete 'gce_user' from shadow group 'xyzgroup'
However, the GAD does not remove the user xyz from the group xyzgroup. I created the user gce_user using the GCE cloud console when creating the instance and added the ssh keys to that user; the installer added user gce_user to group xyzgroup but it didn't persist. I used sudo gpasswd -a gce_user xyzgroup to restore the user to the group, but that didn't persist. I also used sudo usermod -a -G xyzgroup gce_user to restore user gce_user to group xyzgroup, but that didn't persist either. GAD deleted the user from the group sometimes several days after the user was added to the group.
I note that the GCE Accounts daemon account_utils.py calls usermod to add a user to groups:
command = ['usermod', '-G', groups, user]
The GCE docs say that the cloud console can be used to manage (Linux OS) user accounts, including (Linux OS) group membership: https://cloud.google.com/compute/docs/access/user-accounts/#create_a_new_user_account
However, the instructions start with: 1. Go to the User Accounts page.
That link to the User Accounts page will require you to select a project. Once selected, the resulting page is not the User Accounts page - it's the project's overall Dashboard page. If you enter into the search bar at the top of the Dashboard page [user accounts] and click the item User accounts (subtitled IAM & Admin), the resulting page just says "(!) Failed to load".
How do I add user gce_user to group xyzgroup so that group membership persists and isn't deleted by GAD? Preferably a command line, so I can fix the xyz software package's installer bash script.
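The mechanism behind the deletions above, as an added example that is not code from the question or from the GCE guest environment: a model of what `usermod -G groups user` does to /etc/group with and without `-a`. The /etc/group contents and the group list the daemon is assumed to pass are constructed.

```python
# Added example: models `usermod [-a] -G wanted user` on an /etc/group-style
# table to show why a membership added by the installer disappears when the
# daemon later runs ['usermod', '-G', groups, user] (no -a).
# The /etc/group content below is constructed, not taken from a real instance.
SAMPLE_ETC_GROUP = """\
root:x:0:
adm:x:4:gce_user
google-sudoers:x:1001:gce_user
xyzgroup:x:1002:xyz,gce_user
"""

def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups

def supplementary_groups(groups, user):
    """Groups whose member list names `user` (primary group is not listed here)."""
    return {g for g, members in groups.items() if user in members}

def usermod_G(groups, user, wanted, append=False):
    """Model of `usermod [-a] -G wanted user`.
    Without -a the supplementary group list is *replaced*: the user is added
    to every group in `wanted` and removed from every other group."""
    wanted = set(wanted.split(","))
    new = {g: set(m) for g, m in groups.items()}
    for g in wanted:
        new.setdefault(g, set()).add(user)
    if not append:
        for g in supplementary_groups(groups, user) - wanted:
            new[g].discard(user)
    return new

def membership_after_daemon(append):
    """gce_user's supplementary groups after one daemon run (sorted list)."""
    groups = parse_group_file(SAMPLE_ETC_GROUP)
    # Hypothetical list the daemon computes for gce_user from instance metadata.
    daemon_groups = "adm,google-sudoers"
    after = usermod_G(groups, "gce_user", daemon_groups, append)
    return sorted(supplementary_groups(after, "gce_user"))
```

Pointing `parse_group_file` at a real /etc/group and comparing `supplementary_groups` before and after a daemon run is a quick way to audit which locally added memberships the daemon will drop.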
The Cloud User Accounts feature is in beta which requires whitelisting.
This is a Beta release of User Accounts. This feature might be changed in backward-incompatible ways and is not recommended for production use. It is not subject to any SLA or deprecation policy. Request to be whitelisted to use this feature.
https://cloud.google.com/compute/docs/access/user-accounts/#useraccountsgroups