Managing administrators’ SSH access to VMs is a complex identity task that can be hard to secure. Traditionally, customers were required to hard-code their keys and identity during account setup, and then create individual accounts for each user on individual VMs. Administrators also had to remember to remove the keys of employees who no longer worked with the company.
Today, we’re making this process a lot simpler and more secure on Google Cloud Platform with the launch of Compute User Accounts. You can use the setup steps to enable the Cloud User Accounts API and create VMs to take advantage of this capability.
Compute User Accounts is in Beta. With it, you can:
- Create VM accounts and groups just once, for use on all your VMs
- Grant users SSH access and the ability to rotate keys without providing full project editor/owner rights
- View at a glance the VM accounts and keys in your project
- Be sure that all accounts on VMs will be disabled when the Google ID owning them is deleted or disabled. This means when an employee leaves the company, they’ll no longer be able to SSH into your VMs.
The new VM accounts tab under the Permissions page in the Developer Console shows you all the accounts provisioned for your VMs. To add an account, click the “Create VM Account” button.
Once an account has been created, the owner of the account will be able to view the details of their account and rotate their keys. They can also set a description and expiration for each key.
View and manage user groups under the “User groups” tab.
SSH with VM accounts using the gcloud command below:
$ gcloud beta compute ssh [USERNAME@]INSTANCE
When a user is removed from the Project permissions or when their Google ID is deleted, the VM accounts owned by the user will automatically be disabled.
- Posted by Rae Wang, Product Manager, Google Cloud Platform