With OS Login, how to gcloud ssh from one GCE into another GCE?
I have two GCE instances, both with OS Login enabled:
1) a_vm, configured with service account a_svc
2) b_vm, configured with service account b_svc
a_svc has OS Login permission on b_vm:
a_svc has roles/compute.osAdminLogin at the project level and roles/iam.serviceAccountUser on b_svc.
What I tried:
- SSH into a_vm with
gcloud compute ssh a_vm
and then run
gcloud compute ssh b_vm
What happened:
It keeps timing out.
According to --log-http, the gcloud requests issued before it hangs are:
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/a_svc@fredzqm-terraform-5.iam.gserviceaccount.com/?recursive=True
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ca_svc@my_project.iam.gserviceaccount.com/token
uri: https://compute.googleapis.com/batch/compute/v1
uri: https://compute.googleapis.com/batch/compute/v1
uri: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/a_svc@my_project.iam.gserviceaccount.com/?recursive=True
uri: https://oslogin.googleapis.com/v1/users/a_svc@my_project.gserviceaccount.com/loginProfile?projectId=fredzqm-terraform-5&alt=json
What I expected:
Based on https://cloud.google.com/compute/docs/instances/connecting-advanced#sa_ssh_manual, gcloud should pick up the application default credentials (a_svc) and use them to reach b_vm via OS Login.
What works:
I have verified that a_svc can indeed SSH into b_vm. This was done from my workstation using my personal credentials:
gcloud compute ssh b_vm --impersonate-service-account a_svc
It also works if I add an SSH public key to a_svc and then use that key to SSH into b_vm:
gcloud compute os-login ssh-keys add --key-file
ssh sa_<id_of_a_svc>@b_vm -i private_key_path
I tried to reproduce your issue but could not. I was able to connect from service_account_a_instance to service-account-b-instance as the service account and run commands as that service account.
See my steps below:
- Create service account service_account_a
- Create VM instance service_account_a_instance associated with service_account_a:
$ gcloud compute instances create service-account-a-instance --zone=europe-west3-a --machine-type=n1-standard-1 --service-account=service-account-a@test-prj.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --metadata enable-oslogin=TRUE
Created [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/service-account-a-instance].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
service-account-a-instance europe-west3-a n1-standard-1 10.156.0.14 35.XXX.75.XXX RUNNING
- Create service account service_account_b
- Create VM instance service_account_b_instance associated with service_account_b:
$ gcloud compute instances create service-account-b-instance --zone=europe-west3-a --machine-type=n1-standard-1 --service-account=service-account-b@test-prj.iam.gserviceaccount.com --scopes=https://www.googleapis.com/auth/cloud-platform --metadata enable-oslogin=TRUE
Created [https://www.googleapis.com/compute/v1/projects/test-prj/zones/europe-west3-a/instances/service-account-b-instance].
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
service-account-b-instance europe-west3-a n1-standard-1 10.156.0.16 35.XXX.255.XXX RUNNING
- Generate an SSH key:
$ ssh-keygen
Generating public/private rsa key pair.
- Import the SSH key:
$ gcloud compute os-login ssh-keys add --key-file id_rsa.pub
- Connect to instance service-account-a-instance:
$ gcloud compute ssh service-account-a-instance
Linux service-account-a-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 2 14:34:51 2020 from 104.132.189.65
user_domain_com@service-account-a-instance:~$
- From service-account-a-instance, connect to instance service-account-b-instance:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a
...
ssh: connect to host 35.242.255.44 port 22: Connection timed out
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
- Enable SSH connections in VPC network -> Firewall and retry:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a
Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
- Add the role roles/iam.serviceAccountUser to service-account-a and retry:
user_domain_com@service-account-a-instance:~$ gcloud compute ssh service-account-b-instance --project test-prj --zone europe-west3-a
Linux service-account-b-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Mar 2 16:52:28 2020 from 35.198.75.226
sa_116762935227008431464@service-account-b-instance:~$
sa_116762935227008431464@service-account-b-instance:~$ uname -a
Linux service-account-b-instance 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux
Finally it works.
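The answer's walkthrough establishes the IAM preconditions for a VM-to-VM OS Login hop as a service account: the calling service account needs an OS Login role (roles/compute.osLogin or roles/compute.osAdminLogin) plus roles/iam.serviceAccountUser on the service account attached to the target VM, and the target must accept TCP/22 from the source. The following Python script is an added example, not code from the question or the answer: it evaluates the two IAM preconditions offline against policy documents in the JSON shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` emit, and derives the sa_<uniqueId> login name OS Login assigns to a service account. The a_svc address is taken from the question; the policy contents, the uniqueId and the "before"/"after" states are constructed sample data.

```python
"""Offline pre-flight check for the IAM side of VM-to-VM OS Login as a service account.

Preconditions for `gcloud compute ssh b_vm` run on a_vm under a_svc's metadata credentials:
  1. a_svc holds roles/compute.osLogin or roles/compute.osAdminLogin (project or instance level);
  2. a_svc holds roles/iam.serviceAccountUser on b_svc, the service account attached to b_vm
     (the binding whose absence produced "Permission denied (publickey)" in the answer);
  3. a firewall rule admits TCP/22 from a_vm to b_vm (the "Connection timed out" step).
This script decides 1 and 2 from IAM policy JSON; 3 is not checked here.
"""
import json
from typing import Optional

OS_LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
SA_USER_ROLE = "roles/iam.serviceAccountUser"


def roles_for_member(policy: dict, member: str) -> tuple:
    """Split the roles bound to `member` into (unconditional, conditional).

    Conditional bindings depend on request-time attributes and cannot be decided
    offline, so they are reported rather than counted as granted. Membership via a
    Google group is not expanded either: only an exact member string matches.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if binding.get("condition") else granted).add(binding["role"])
    return granted, conditional


def os_login_username(sa_unique_id: str) -> str:
    """OS Login logs a service account in as the POSIX user sa_<uniqueId>."""
    return "sa_" + str(sa_unique_id)


def check_vm_to_vm_ssh(caller_sa_email: str, project_policy: dict, target_sa_policy: dict,
                       instance_policy: Optional[dict] = None) -> list:
    """Return a list of IAM problems; empty when preconditions 1 and 2 are satisfied."""
    member = "serviceAccount:" + caller_sa_email
    problems = []

    # 1. OS Login role on the project, or on the target instance's own IAM policy.
    login_granted, login_cond = roles_for_member(project_policy, member)
    if instance_policy is not None:
        extra_granted, extra_cond = roles_for_member(instance_policy, member)
        login_granted |= extra_granted
        login_cond |= extra_cond
    if not login_granted & OS_LOGIN_ROLES:
        msg = caller_sa_email + " lacks roles/compute.osLogin or roles/compute.osAdminLogin"
        if login_cond & OS_LOGIN_ROLES:
            msg += " (only a conditional binding exists; evaluate its condition)"
        problems.append(msg)

    # 2. serviceAccountUser on the service account attached to the target VM.
    sa_granted, sa_cond = roles_for_member(target_sa_policy, member)
    if SA_USER_ROLE not in sa_granted:
        msg = caller_sa_email + " lacks " + SA_USER_ROLE + " on the target VM's service account"
        if SA_USER_ROLE in sa_cond:
            msg += " (only a conditional binding exists; evaluate its condition)"
        problems.append(msg)
    return problems


# --- constructed sample input (not real policy output from the thread's project) ---
CALLER_SA = "a_svc@my_project.iam.gserviceaccount.com"  # the questioner's a_svc

PROJECT_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/compute.osAdminLogin",
   "members": ["serviceAccount:a_svc@my_project.iam.gserviceaccount.com"]}
]}""")

# b_svc's policy before the fix: no binding at all, the "Permission denied (publickey)" state.
B_SVC_POLICY_BEFORE = json.loads('{"version": 1, "bindings": []}')

# b_svc's policy after `gcloud iam service-accounts add-iam-policy-binding`.
B_SVC_POLICY_AFTER = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/iam.serviceAccountUser",
   "members": ["serviceAccount:a_svc@my_project.iam.gserviceaccount.com"]}
]}""")

if __name__ == "__main__":
    for label, policy in (("before", B_SVC_POLICY_BEFORE), ("after", B_SVC_POLICY_AFTER)):
        problems = check_vm_to_vm_ssh(CALLER_SA, PROJECT_POLICY, policy)
        print(label + ":", problems or "IAM preconditions satisfied")
    # The uniqueId comes from `gcloud iam service-accounts describe <sa>`; this value is made up.
    print("expected login user on b_vm:", os_login_username("123456789012345678901"))
```

The script deliberately does not check the firewall step. When you add that rule, scope it to the source (a_vm's internal address range, or `--source-service-accounts` naming a_svc) and prefer `--internal-ip` on the `gcloud compute ssh` call, rather than opening port 22 to 0.0.0.0/0 as a quick fix for the timeout.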