I am trying to setup permissions on a per-instance level on our GCP infrastructure (for example, can SSH on machine A but not on machine B) using GCloud IAM permissions.
However, I came across a weird behavior.
If I add a user to the GCloud project with only the Compute Viewer permission, that user would be able to SSH into all the VMs set up in the Compute Engine section.
This makes no sense as the documentation itself states that you can't SSH with the Compute Viewer role: https://cloud.google.com/compute/docs/access/
Additionally, when I try to set permissions for each specific instance (by going to Compute Engine > VM Instances, selecting a specific instance and adding permissions from the permissions tab), those seem to have literally no effect.
Not sure if I missed something: does Compute Viewer allow for SSH?

You can manage SSH access at the instance level using OS Login.
Compute Viewer access is not a sufficient privilege to SSH into a VM instance.
You need one of compute.instances.setMetadata, compute.projects.setCommonInstanceMetadata or compute.instances.osLogin (with OsLogin enabled) and iam.serviceAccounts.actAs.
I just tested it as well to confirm and received the above error.
You might have assigned some other roles/permissions to your users that need to be reviewed in your project, as the IAM role Compute Viewer is not enough.
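The per-instance setup this answer describes (OS Login turned on for one VM, then an instance-level IAM binding plus actAs on the VM's service account), as an added shell example that is not part of the original post or of Google's documentation. It assumes gcloud is installed and already authenticated against the right project; the instance name, zone, user and service-account address in the usage line are placeholders. Setting GCLOUD=echo prints the commands instead of running them, which is how the script can be checked without touching a project.

```shell
#!/usr/bin/env bash
# Per-instance SSH access on Compute Engine via OS Login.
# Assumptions (not from the original post): gcloud is authenticated and the
# project is already set; the VM runs with a service account, which is what
# the iam.serviceAccounts.actAs step is about. GCLOUD=echo gives a dry run.
set -u

GCLOUD="${GCLOUD:-gcloud}"

# Turn on OS Login for a single instance. With OS Login enabled, SSH keys in
# instance or project metadata are ignored and access is decided by IAM
# (roles/compute.osLogin, or roles/compute.osAdminLogin for sudo).
enable_os_login() {
  local instance="$1" zone="$2"
  "$GCLOUD" compute instances add-metadata "$instance" --zone "$zone" \
    --metadata enable-oslogin=TRUE
}

# Grant SSH on one instance only: an instance-level binding for
# roles/compute.osLogin (which carries compute.instances.osLogin), plus
# roles/iam.serviceAccountUser on the VM's service account, which supplies
# the iam.serviceAccounts.actAs permission the answer mentions.
grant_instance_ssh() {
  local instance="$1" zone="$2" member="$3" sa_email="$4"
  "$GCLOUD" compute instances add-iam-policy-binding "$instance" --zone "$zone" \
    --member "$member" --role roles/compute.osLogin
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$sa_email" \
    --member "$member" --role roles/iam.serviceAccountUser
}

# Print the instance-level policy so the new binding can be verified.
show_instance_policy() {
  local instance="$1" zone="$2"
  "$GCLOUD" compute instances get-iam-policy "$instance" --zone "$zone"
}

main() {
  local instance="$1" zone="$2" member="$3" sa_email="$4"
  enable_os_login "$instance" "$zone"
  grant_instance_ssh "$instance" "$zone" "$member" "$sa_email"
  show_instance_policy "$instance" "$zone"
}

# Usage (placeholder values):
#   ./oslogin-ssh.sh demo-vm us-central1-a user:alice@example.com \
#       vm-sa@demo-project.iam.gserviceaccount.com
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

Two checks worth making before trusting the result: the user must not also hold a project-level role that already includes compute.instances.setMetadata or compute.projects.setCommonInstanceMetadata (Compute Instance Admin, for example), because a project-level grant applies to every instance and makes the per-instance binding moot; and on instances where OS Login is not enabled, SSH is governed by metadata keys rather than by IAM, so an instance-level roles/compute.osLogin binding there has no visible effect, which matches what the question reports.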