Setup Google Compute Engine VM to ssh using OS Login.

4 minute read

A quick setup for when you’re firing up GCE VM’s and dont have to worry about managing and organizing ssh keys to jump into any of them. Setup OS Login for the project and any instance launched automatically allows access with the configure keys (obviously check your security needs).

Objective

To have a simple GCE VM instance you can ssh to easily with the same SSH key to any instance stood up in the project (can disble project-wide enable and do it per-instance using gcloud)

We will be using terraform to do the following:

  • Setup a simple GCE VM
  • Configure IAM for users to use OS Login method for managing ssh keys

Manually upload ssh keys to GCP using gcloud

Google API permissions

You will need the following google api’s enabled if you haven’t already:

  • cloudapis.googleapis.com Google Cloud APIs
  • cloudresourcemanager.googleapis.com Cloud Resource Manager API
  • compute.googleapis.com Compute Engine API
  • oslogin.googleapis.com Cloud OS Login API

e.g.

find service gcloud services list --available, enable with: gcloud services enable cloudresourcemanager.googleapis.com

GCP Service Account

For terraform, I created a service account to run commands as terrform user.

Use this bash script to create a service account and a account.json file for that user:

#!/usr/bin/env bash

project="<your_project_name>"

gcloud iam service-accounts create terraform \
    --display-name "Terraform Service Account" \
    --description "Service account to use with Terraform"

echo "Create IAM policy binding for the Terraform service account"
gcloud projects add-iam-policy-binding "${project}" \
  --member serviceAccount:"[email protected]${project}.iam.gserviceaccount.com" \
  --role roles/editor

echo "Create IAM service policy key 'account.json'"
gcloud iam service-accounts keys create account.json \
    --iam-account "[email protected]${project}.iam.gserviceaccount.com"

Terraform

Now that we have our account.json key file for our terraform service account we can look at the following main.tf file

main.tf

provider "google" {
  credentials = "${file("account.json")}"
  project = "<your_project_name>"
  region  = "us-east1"
}

resource "google_compute_instance" "demo" {
  name         = "oslogin-demo"
  machine_type = "n1-standard-1"
  zone         = "us-east1-c"

  tags = ["vm", "login"]

  scheduling{
    on_host_maintenance = "TERMINATE"
  }

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-1604-lts"
      size = 50
    }
  }

  network_interface {
    network = "default"
    access_config {
    }
  }

  metadata = {
    foo = "bar"
  }
}

Super simple VM, based on ubuntu-16 LTS, all defaults.

Next let’s look at the OS Login setup

oslogin.tf

The two OS Login roles available are:

  • roles/compute.osLogin (non-root)
  • roles/compute.osAdminLogin (root available)

Note: your terraform user needs the Project IAM Admin role enabled to be able to admin IAM Policy.

gcloud projects add-iam-policy-binding <your_project_name> \
  --member serviceAccount:[email protected]<your_project_name>.iam.gserviceaccount.com \
  --role roles/resourcemanager.projectIamAdmin

Terraform for setting up OS Login

resource "google_compute_project_metadata_item" "oslogin" {
  project = "<your_project_name>"
  key     = "enable-oslogin"
  value   = "TRUE"
}

resource "google_project_iam_member" "owner_binding" {
  project = "<your_project_name>"
  role    = "roles/compute.osAdminLogin"
  member  = "user:[email protected]"
}

Another Note: I’m using my GCP account owner account as the one that’s going to login to any GCE instances created in this project, so the syntax is user:... whereas if I were using a service account it would be e.g. serviceAccount:[email protected]${project}.iam.gserviceaccount.com.

Upload your SSH keys

This is the important step, upload the PUBLIC KEY of the pair you want to use to ssh into the instances

e.g.

gcloud compute os-login ssh-keys add --key-file ~/.ssh/ida_rsa.pub

this key will be associated with the GCLOUD USER you are logged in as i.e. not terraform

For me, that was my GCP owner account on this project.

You can check your OS Login keys with this command: gcloud compute os-login ssh-keys list or checkout your profile with gcloud compute os-login describe-profile

Build & SSH

Easy build, no remote statefile needed:

  • terraform init
  • terraform apply

build takes about 18s, output looks like this:

google_compute_project_metadata_item.oslogin: Creating...
google_project_iam_member.owner_binding: Creating...
google_compute_instance.demo: Creating...
google_compute_project_metadata_item.oslogin: Still creating... [10s elapsed]
google_project_iam_member.owner_binding: Still creating... [10s elapsed]
google_compute_instance.demo: Still creating... [10s elapsed]
google_project_iam_member.owner_binding: Creation complete after 13s [id=<your_project_name>/roles/compute.osAdminLogin/user:[email protected]]
google_compute_project_metadata_item.oslogin: Creation complete after 14s [id=enable-oslogin]
google_compute_instance.demo: Creation complete after 18s [id=projects/<your_project_name>/zones/us-east1-c/instances/oslogin-demo]

Now, if all’s gone right you will be able to ssh to your new vm.

get ip address & ssh

gcloud compute instances list
NAME          ZONE        MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
oslogin-demo  us-east1-c  n1-standard-1               10.142.0.6   34.74.255.103  RUNNING

if you uploaded your default ~/.ssh/id_rsa keys, you can ssh directly like this:

ssh [email protected]

if you created a new key e.g. ~/.ssh/newkey, you will ssh like this (-i /private/key):

ssh -i ~/.ssh/newkey [email protected]

And voila:

Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-1071-gcp x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Creating directory '/home/me_mydomain_com'.
groups: cannot find name for group ID 1512007361
[email protected]:~$

References