😄

You don't need primitive role. All you need is oslogin user if you don't want user to have root access.

cloud.google.com/compute/docs/instances/managing-instance-access#grant-iam-roles "If your VM uses a service account, then each user that connects to the VM using SSH has the ability to impersonate the service account. To ensure that the impersonation follows best practices, configure each user to have the roles/iam.serviceAccountUser role on the service account. "

It will work

When you create the service account at the same screen you will see an option to generate key and download the JSON.

Hi Fabio, You can add a group or users who are non-admins and give them os.login and another group of users osAdminlogin. Why do you want to user service account? Trying to understand. Thanks :)

​@@CloudAdvocate Hey mate thanks for your reply. From my understanding, we have associate only one service account to a single VM, right? But how can I configure the two different permissions in a single SA? I am not sure I am understanding correctly how it works, I mean, why the user has to switch to a SA if he has already his user account?

Hi Fabio, Let me explain the scenario and may be you can let me know if I misunderstood it. 1. Let's say you have a group1 of users lets call it group1@gmail.com in that there is a user user1@gmail.com 2. You have another group2 of users lets call them as group2@gmail.com and there is a user2@gmail.com group1 is added to IAM with permissions of oslogin group2 is added to IAM with permission of osadminlogin Now when user1@gmail.com is trying to do gcloud ssh to the any compute instance in that project. User will login as normal user without sudo permissions. Its thats the account type configured from him VM which is trying to connect to GCE instance. Likewise when usre2 connects from his/her vm with gcloud, that user2 connects as admin. Am I thinking it right? Please let me know if not we can chat in any other forum or in FB chat

Hey mate, thanks for your reply... yes, the scenario you described is the right one. My question was if the user1@gmail.com wants to log in with his user account, where the service account is used for? I mean, the different privileges are defined in the two groups settings group1 oslogin and group2 osadminlogin. So what's the pro to use the service account now? And how can I manage the service account associated with the VM with two different groups?

For external users...not part of the organization. It's well documented on the website :)

Hi Dinesh, I have never copied public key at a project level. Not sure which section of the video you found that. You can give oslogin permissions to your users and they can copy their keys using the command that I have shown for my user. Also you can remove oslogin if you don't want and add each users keys to individual instances. I hope I have clarified :)

Hi Dinesh, One person to one instance you can add a firewall rule (Target : which Instance and Source : User IP). and tag it to the instance.

What do you mean by you don't find?. Are you not able to login?

@@CloudAdvocate inherit in terms it will present there by default rite. Once we set set for project.

@@kirupa0512 Yes, you don't have to set manually for each project.

@@CloudAdvocate But Its like we have to assign for each VM instance even after enabling for whole project

@Kirupa Cse what do you mean by enable? As long as your user has permission to login. You can login to all instances. If you are talking about service account yes, it should be there on existing instances too. Hope it helps. Please read this cloud.google.com/compute/docs/instances/managing-instance-access

Good question Hari. Let me explain it for you how it generally works in bigger organizations. When you more 100's or 1000's or 100k developers its impossible to copy the keys and maintain them for each user and its risky too. So companies sync oslogin with active directory and they create a specific role with minimum permissions. So lets say something is compromised all they have to do is remove the permissions or role from IAM. Thats why its more secure than maintaining each user keys and also users keys are not easy to maintain and is not a scalable solution. If we are talking about service account keys getting compromised, there is always that risk associated with anything...even in aws what if your access keys and secret keys are compromised....so they have to be secured, rotated and given permissions that are required. Hope it helps :)

@@CloudAdvocate That's an awesome answer bro. I too thought of rotating the service account on a daily basis will make it to lesser leverage of any attacks. Since this video is abt login, I m placing one more doubt, you could have come across the term RDP - Remote desktop protocol - Where by entering an instance IP and password - One can connect to it. can we restrict it by saying, only if the user has access to the project or resource level permission can log in, else he can't, even he enters the right password

@@maamukutty I am very poor in windows, but I am sure there must be os login for windows too. I am sorry I can't answer this coz I haven't tried it :).

@@CloudAdvocate cloud.google.com/solutions/chrome-desktop-remote-on-compute-engine Please see through this, it would be better if u make a video out of it. Business people can't do ssh since they are out of technical. This would create a GUI, for the VM instance.

@@maamukutty Thank you.