Search code examples
google-cloud-platformsshgoogle-compute-enginegoogle-cloud-iam

What IAM role allows a GCP user to open a Compute Engine SSH connection via the "SSH" button in the browser?

There's an "SSH" button that appears next to each VM that opens a terminal session in a new browser window if it's clicked. It works for me if I have the project owner role, but anything less causes the button to be disabled.

Works:

  • Owner

Doesn't Work (All Combined):

  • App Engine Admin
  • BigQuery Admin
  • BigQuery Resource Admin
  • Cloud Functions Admin
  • Cloud SQL Admin
  • Compute Admin
  • Compute Instance Admin (v1)
  • Compute Network Admin
  • Compute OS Admin Login
  • Compute OS Login
  • Deployment Manager Editor
  • Logs Viewer
  • Project IAM Admin
  • Secret Manager Admin
  • Service Account Admin
  • Service Account Key Admin
  • Service Account User
  • Storage Admin
  • Viewer

Is there a role that's less than Owner that I can apply to myself and still get the "SSH" button to be enabled?

The documentation suggests these should be enough but they aren't resolving this issue:

  • Compute OS * Login
  • Service Account User

Thanks.

Solution

  • Access for project-level and above is managed in the IAM admin page, but will be displayed in the IAP admin page.

    If you want to use an account without "Owner" as permission, you will need to add an "IAP-secured Tunnel User" role . Members who do not have this role "IAP-secured Tunnel User" won’t be able to see the SSH Button enabled. If you're using IAP to control access to administrative services like SSH and RDP, users will need the iap.tunnelInstances.accessViaIAP permission.

    In order to solve this issue you will need to add the role "IAP-secured Tunnel User" to the user which has "Editor" as permissions. After 3-5 minutes, you will be able to see the SSH Button enabled. Once the permission is applied, the button will get active.

    I believe that the eng team could have changed something in the SSH connection button, which now makes further permissions (contained in that role) mandatory.

    Also check if the OS login is enabled. Because after you enable OS Login on one or more instances in your project, those VMs accept connections only from user accounts that have the necessary IAM roles in your project or organization.

    To allow OS Login access to these VMs, you need to grant the necessary roles to the user. You can grant the instance access role at the project level or at the instance level. If a user requires SSH access from Google Cloud console or gcloud CLI, you must grant the instance access role at the project level, or additionally grant a role at the project level that contains the compute.projects.get permission.

    Refer Resources and Permissions and Granting OS login IAM roles for more information.