Adding a Compute Engine Instance
Overview
Opal lets your developers find and request access to SSH into GCP Compute instances. In this article we'll walk you through how to add Compute instances to your Opal dashboard.
Step 1: Set up OS Login on the VM Instance
Follow Steps 1 and 3 in the following guide. By the end of it, you should have added the enable-oslogin
key with value TRUE
in the VM instance metadata.
Step 2: If needed, configure osLoginExternalUser for the user
This step is optional and only applies to Opal users who you want to grant GCP Compute instance access who are outside of your Google Cloud organization. Read this guide to enable osLoginExternalUser
for a user (the user email must correspond to the Opal user's email).
Step 3: Grant the compute.Viewer permission for the user
The Opal user who you want to grant access to needs the compute.Viewer
permission on the Project to be able to find and SSH into the instance. This can be done via the following:
First, import the GCP Project corresponding to the Compute instance in Opal. This can be done by navigating to the Catalog > your Google Cloud App, then clicking on the ... on the top right, and selecting Import items, where you will be able to import your GCP Project as a Resource.
Navigate to the Project resource you just added and select the User Access tab. You can click +Add Users on the right to browse and select a user to add to the project with the compute.Viewer
role.
Step 4: Grant the compute.OsLogin permission for the user on the Compute Instance
First, import the Compute instance into Opal. This can be done by navigating to the Catalog > your Google Cloud App, then clicking on the ... on the top right, and selecting Import items, where you will be able to filter by type GCP Compute and import your Compute instance as a Resource.
Secondly, navigate to Resources on the left sidebar, navigate to the Compute resource you just added, and select the User Access tab of the resource. Add the user to the Compute instance with the compute.OsLogin
access level (if no choice to set the access level is presented, simply add the user without specifying the access level).
Step 5: If needed, install gcloud
Install the gcloud
binary, as described in this guide. This command will be used to SSH into the instance.
Step 6: Perform gcloud auth login with the user
The user who was granted permission must perform gcloud auth login
in the shell, logging in with an email matching the Opal user.
Step 7: SSH into the VM instance
Approximately a couple minutes or so after the user was granted the compute.OsLogin
permission, the user should be able to SSH into the instance with a command of the form: gcloud compute ssh --project=PROJECT_ID --zone=ZONE_ID COMPUTE_INSTANCE_NAME
. An example command is gcloud compute ssh --project=my-project --zone=us-central1-a my-compute-instance
.
Updated 4 months ago