Adding a Compute Engine Instance

Overview

Opal lets your developers find and request access to SSH into GCP Compute instances. In this article we'll walk you through how to add Compute instances to your Opal dashboard.

Step 1: Set up OS Login on the VM Instance

Follow Steps 1 and 3 in the following guide. By the end of it, you should have added the enable-oslogin key with value TRUE in the VM instance metadata.

Step 2: If needed, configure osLoginExternalUser for the user

This step is optional and applies only to Opal users outside of your Google Cloud organization to whom you want to grant GCP Compute instance access. Read this guide to enable osLoginExternalUser for a user (the user email must correspond to the Opal user's email).

Step 3: Grant the compute.Viewer permission for the user

The Opal user you want to grant access to needs the compute.Viewer permission on the Project to be able to find and SSH into the instance. To grant it:

First, import the GCP Project corresponding to the Compute instance in Opal. This can be done by navigating to the Catalog > your Google Cloud App, then clicking on the ... on the top right, and selecting Import items, where you will be able to import your GCP Project as a Resource.

Navigate to the Project resource you just added and select the User Access tab. You can click +Add Users on the right to browse and select a user to add to the project with the compute.Viewer role.

Step 4: Grant the compute.OsLogin permission for the user on the Compute Instance

First, import the Compute instance into Opal. This can be done by navigating to the Catalog > your Google Cloud App, then clicking on the ... on the top right, and selecting Import items, where you will be able to filter by type GCP Compute and import your Compute instance as a Resource.

Second, navigate to Resources on the left sidebar, open the Compute resource you just added, and select the User Access tab of the resource. Add the user to the Compute instance with the compute.OsLogin access level (if no choice to set the access level is presented, simply add the user without specifying the access level).

Step 5: If needed, install gcloud

Install the gcloud binary, as described in this guide. This command will be used to SSH into the instance.

Step 6: Perform gcloud auth login with the user

The user who was granted permission must perform gcloud auth login in the shell, logging in with an email matching the Opal user.

Step 7: SSH into the VM instance

Approximately a couple of minutes after the user was granted the compute.OsLogin permission, the user should be able to SSH into the instance with a command of the form: gcloud compute ssh --project=PROJECT_ID --zone=ZONE_ID COMPUTE_INSTANCE_NAME. An example command is gcloud compute ssh --project=my-project --zone=us-central1-a my-compute-instance.
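
If the SSH attempt is denied, the prerequisites from Steps 1, 3 and 4 can be checked from the JSON that gcloud compute instances describe, gcloud projects get-iam-policy and gcloud compute instances get-iam-policy return with --format=json. The following preflight check is an added example, not part of Opal or of the original article; the sample JSON and the address dev@example.com are constructed, and it assumes Opal's compute.Viewer and compute.OsLogin access levels correspond to the IAM roles roles/compute.viewer and roles/compute.osLogin.

```python
import json

# Constructed sample data in the shape gcloud emits with --format=json.
INSTANCE_JSON = '''{"name": "my-compute-instance",
  "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}'''
PROJECT_POLICY_JSON = '''{"bindings": [
  {"role": "roles/compute.viewer", "members": ["user:dev@example.com"]}]}'''
INSTANCE_POLICY_JSON = '''{"bindings": [
  {"role": "roles/compute.osLogin", "members": ["user:dev@example.com"]}]}'''


def oslogin_enabled(instance):
    """True if the instance metadata carries enable-oslogin=TRUE (Step 1)."""
    items = instance.get("metadata", {}).get("items", [])
    return any(i.get("key") == "enable-oslogin"
               and str(i.get("value", "")).upper() == "TRUE" for i in items)


def has_role(policy, email, role):
    """True if user:<email> is a direct, unconditional member of `role`.

    Access inherited through groups or parent resources is not resolved here.
    """
    member = "user:" + email.lower()
    return any(b.get("role") == role and "condition" not in b
               and member in (m.lower() for m in b.get("members", []))
               for b in policy.get("bindings", []))


def preflight(email, instance, project_policy, instance_policy):
    """Return the walkthrough steps that are not yet satisfied for `email`."""
    missing = []
    if not oslogin_enabled(instance):
        missing.append("Step 1: enable-oslogin is not TRUE on the instance")
    # Role IDs are assumed to match Opal's compute.Viewer / compute.OsLogin.
    if not has_role(project_policy, email, "roles/compute.viewer"):
        missing.append("Step 3: no roles/compute.viewer on the project")
    if not has_role(instance_policy, email, "roles/compute.osLogin"):
        missing.append("Step 4: no roles/compute.osLogin on the instance")
    return missing


if __name__ == "__main__":
    gaps = preflight("dev@example.com", json.loads(INSTANCE_JSON),
                     json.loads(PROJECT_POLICY_JSON),
                     json.loads(INSTANCE_POLICY_JSON))
    print("ready for gcloud compute ssh" if not gaps else "\n".join(gaps))
```

The email passed in should be the one used for gcloud auth login in Step 6, since that is the identity the bindings are matched against.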