Google Cloud Compute Engine OS Login permission denied issue


Problem description

When setting up the OS Login on one GCE instance I get a Permission denied message for a new user of the project.

As per the Google Cloud documentation on OS Login, I've set metadata to enable-oslogin TRUE, and the permission for the user in the instance to roles/compute.osLogin, as there's no further Organization or service account required in this test case. Firewall rules are OK too.

I've enabled the role Project Editor and it works, but I don't want the user to be an Editor nor a Viewer, just to SSH into the instance and manage it with Cloud IAM.

This is the error I'm seeing:

DEBUG: Executing command: [u'/usr/bin/ssh', u'-t', u'-i', u'/home/test/.ssh/google_compute_engine', u'-o', u'CheckHostIP=no', u'-o', u'HostKeyAlias=compute.xxxxx', u'-o', u'IdentitiesOnly=yes', u'-o', u'StrictHostKeyChecking=no', u'-o', u'UserKnownHostsFile=/home/test/.ssh/google_compute_known_hosts', u'test_com@xx.xx.xx.xx']
Permission denied (publickey).
DEBUG: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].
Traceback (most recent call last):
  File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/cli.py", line 981, in Execute
    resources = calliope_command.Run(cli=self, args=args)
  File "/google/google-cloud-sdk/lib/googlecloudsdk/calliope/backend.py", line 807, in Run
    resources = command_instance.Run(args)
  File "/google/google-cloud-sdk/lib/surface/compute/ssh.py", line 262, in Run
    return_code = cmd.Run(ssh_helper.env, force_connect=True)
  File "/google/google-cloud-sdk/lib/googlecloudsdk/command_lib/util/ssh/ssh.py", line 1258, in Run
    raise CommandError(args[0], return_code=status)
CommandError: [/usr/bin/ssh] exited with return code [255].
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].

Solution

Adding the IAM roles below solves it, so it requires the SA role as well, something not very clear from the Google Cloud documentation.

Compute OS Login (role): Access to log in to a Compute Engine instance as a standard (non-administrator) user.

Service Account User (role): Run operations as the service account.
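An added example, not part of the original question or answer: a small offline check over IAM policy JSON that reports whether a member holds both roles named in the answer, and whether they still hold a broad basic role such as the Editor workaround from the question. The role ID `roles/iam.serviceAccountUser` is the standard identifier for "Service Account User"; the sample policies and member names are constructed, and only direct bindings are evaluated (group membership and IAM conditions are not resolved).

```python
import json

# roles/compute.osLogin is named in the question; the other IDs are the
# standard IAM identifiers for "Service Account User" and the basic roles.
REQUIRED = {
    "roles/compute.osLogin": "Compute OS Login",
    "roles/iam.serviceAccountUser": "Service Account User",
}
OVERBROAD = {"roles/owner", "roles/editor"}


def roles_for(member, *policies):
    """Collect roles bound directly to `member` across one or more IAM policies."""
    roles = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                roles.add(binding["role"])
    return roles


def audit_os_login(member, *policies):
    """Return (missing_required_roles, overbroad_roles) for an SSH-only user.

    Each policy is parsed JSON from a `get-iam-policy --format=json` call on
    the project, the instance, or the instance's service account.
    """
    held = roles_for(member, *policies)
    missing = sorted(r for r in REQUIRED if r not in held)
    overbroad = sorted(held & OVERBROAD)
    return missing, overbroad


# Constructed sample policies (hypothetical members, not from the post).
SAMPLE_PROJECT_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.osLogin", "members": ["user:test@example.com"]},
  {"role": "roles/editor", "members": ["user:admin@example.com"]}
]}""")
SAMPLE_SA_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["user:test@example.com"]}
]}""")

if __name__ == "__main__":
    # Question's state: OS Login granted, Service Account User missing.
    print(audit_os_login("user:test@example.com", SAMPLE_PROJECT_POLICY))
    # Answer's state: both roles present, no basic role needed.
    print(audit_os_login("user:test@example.com", SAMPLE_PROJECT_POLICY, SAMPLE_SA_POLICY))
```

A member with a basic role appears in the second list even though login works for them, which is the situation the question wanted to move away from.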
