> ## Documentation Index
> Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Add a Compute Engine Instance

Opal lets your developers find and request access to SSH into GCP Compute instances. Use the following steps to add Compute instances to your Opal dashboard.

## 1. Set up OS Login on the VM Instance

Follow Steps 1 and 3 in the [following guide](https://cloud.google.com/compute/docs/instances/managing-instance-access#console). By the end of it, you should have added the `enable-oslogin` key with value `TRUE` in the VM instance metadata.

## 2. Configure osLoginExternalUser for users

This step is optional and only applies to Opal users who you want to grant GCP Compute instance access and who are outside of your Google Cloud organization. Read this [guide](https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org#external-user) to enable `osLoginExternalUser` for a user. The user email must correspond to the Opal user's email.

## 3. Grant the compute.Viewer permission for users

The Opal user who you want to grant access to needs the `compute.Viewer` permission on the Project to be able to find and SSH into the instance. This can be done via the following:

First, import the GCP Project corresponding to the Compute instance in Opal. Go to the **Inventory**, then your Google Cloud App, then select on the **...** on the top right, then **Import items**. There you can import your GCP Project as a Resource.

<img src="https://mintcdn.com/opalsecurity/fu-nWazMe1LxLhxi/images/docs/2f69737fb99495f1e97755fed5e651ce8fb1055e9fdddb486c0af1b2253a90a9-import-gcp.png?fit=max&auto=format&n=fu-nWazMe1LxLhxi&q=85&s=9fbac5438128b12a12c005e955f49f06" alt="2312" width="2728" height="1219" data-path="images/docs/2f69737fb99495f1e97755fed5e651ce8fb1055e9fdddb486c0af1b2253a90a9-import-gcp.png" />

Go to the Project resource you just added and select the **User Access** tab. You can click **+Add Users** on the right to browse and select a user to add to the project with the `compute.Viewer` role.

<img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/e6dd68f-Screenshot_2024-03-15_at_12.09.54_PM.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=edb116808774512e4a85a9f1924213e5" alt="463" width="2272" height="1227" data-path="images/docs/e6dd68f-Screenshot_2024-03-15_at_12.09.54_PM.png" />

## 4. Grant the compute.OsLogin permission

First, import the Compute instance into Opal. Go to the **Inventory**, then your Google Cloud App, then select on the **...** on the top right, then **Import items**. There you can filter by type **GCP Compute** and import your Compute instance as a Resource.

<img src="https://mintcdn.com/opalsecurity/lwwIeFbsleftxaXx/images/docs/c2e5302-Screenshot_2024-03-15_at_12.36.28_PM.png?fit=max&auto=format&n=lwwIeFbsleftxaXx&q=85&s=560423da82f3000c8fe0676b2c5407fa" alt="463" width="2233" height="1217" data-path="images/docs/c2e5302-Screenshot_2024-03-15_at_12.36.28_PM.png" />

Next, go to **Resources** on the left sidebar, then to the Compute resource you just added, and select the **User Access** tab of the resource. Add the user to the Compute instance with the `compute.OsLogin` access level. If no choice to set the access level is presented, add the user without specifying the access level.

## 5. If needed, install gcloud

Install the `gcloud` binary, as described in this [guide](https://cloud.google.com/sdk/docs/install). This command will be used to SSH into the instance.

## 6. Log in to gcloud

The user who was granted permission must perform `gcloud auth login` in the shell, logging in with an email matching the Opal user.

## 7. SSH into the VM instance

A couple minutes or so after the user was granted the `compute.OsLogin` permission, the user should be able to SSH into the instance with a command of the form:

`gcloud compute ssh --project=PROJECT_ID --zone=ZONE_ID COMPUTE_INSTANCE_NAME`.

For example, `gcloud compute ssh --project=my-project --zone=us-central1-a my-compute-instance`.