
We have a number of Linux VMs (Google Compute Engines) in our projects on Google Cloud. I want to allow the users (developers) access to the Google Compute Engines using SSH only. No ability to change the VM details; just SSH access. I want to use IAM to control how these users access the instance. I do not want to use keys.

This approach (I feel) makes it easier for me to manage access to the VMs, especially for departing users.

Is this feasible? Make sense?

GerM

1 Answer


Here's what I found on the topic from Google:

https://cloud.google.com/compute/docs/access/#granting_users_ssh_access_to_vm_instances

*Granting users SSH access to VM instances*

*If you just want to give a user the ability to connect to a virtual machine instance using SSH, but don't want to grant them the ability to manage Compute Engine resources, add the user's public key to the project, or add a user's public key to a specific instance. Using this method, you can avoid adding a user as a project member, while still granting them access to specific instances. To learn more about SSH and managing SSH keys, read the SSH keys Overview.*

*Note that if you grant the roles/compute.instanceAdmin.v1 role to a project member, they can automatically connect to instances using SSH, as long as the instance is not set up to run as a service account. If the instance is set up to run as a service account, you must also grant the roles/iam.serviceAccountActor role in order for the member to connect to the instance.*

This does not work. I followed what is here, but what happens is that while the user can SSH, they can also edit or clone the instance, which I do not want.

Will keep searching...

GerM
  • 1
    In order to provide SSH access, you can add the public key for the user on the VM as mentioned in the doc, without providing them any role in the project. You can also create a user group on your VM and assign the required permissions to the users in that group. – Faizan Jun 05 '17 at 21:14
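
An added example, not part of the original posts: a Python check over an exported project IAM policy that flags developers meant to have SSH-only access but bound to a role that also lets them manage instances, which is the outcome the answer describes. The policy and member names are constructed; treating the roles listed besides `roles/compute.instanceAdmin.v1` as management roles is this example's assumption, and access inherited through groups is not resolved.

```python
# Roles treated as "can manage instances". Only instanceAdmin.v1 is named on
# the page; the others are this example's assumption about which roles to flag.
MANAGE_ROLES = {
    "roles/compute.instanceAdmin.v1",
    "roles/compute.instanceAdmin",
    "roles/compute.admin",
    "roles/editor",
    "roles/owner",
}
SSH_ROLE = "roles/compute.instanceAdmin.v1"
SA_ROLE = "roles/iam.serviceAccountActor"  # role named in the quoted doc

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": SSH_ROLE,
         "members": ["user:dev1@example.com", "user:ops@example.com"]},
        {"role": SA_ROLE, "members": ["user:ops@example.com"]},
        {"role": "roles/compute.viewer", "members": ["user:dev2@example.com"]},
    ]
}

def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def audit_ssh_only(policy, ssh_only_members):
    """Return {member: [roles]} for SSH-only members who can also manage VMs."""
    granted = roles_by_member(policy)
    findings = {}
    for member in ssh_only_members:
        excess = granted.get(member, set()) & MANAGE_ROLES
        if excess:
            findings[member] = sorted(excess)
    return findings

def can_ssh_via_role(policy, member, vm_runs_as_service_account):
    """Apply the rule from the quoted doc: instanceAdmin.v1 is enough unless
    the VM runs as a service account, which also needs serviceAccountActor."""
    roles = roles_by_member(policy).get(member, set())
    if SSH_ROLE not in roles:
        return False
    return SA_ROLE in roles if vm_runs_as_service_account else True

if __name__ == "__main__":
    devs = ["user:dev1@example.com", "user:dev2@example.com"]
    print(audit_ssh_only(SAMPLE_POLICY, devs))
```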