gce/Ssh
Product: Compute Engine Kind: Debugging Tree
Description
This runbook focuses on investigating components required for ssh on either Windows and Linux VMs hosted on Google Cloud Platform and pinpoint misconfigurations.
Areas Examined:
-
VM Instance Status: Evaluates the VM’s current state, performance - ensuring that it is running and not impaired by high CPU usage, insufficient memory, or disk space issues that might disrupt normal SSH operations.
-
User Permissions: Checks for the necessary Google Cloud IAM permissions that are required to leverage OS Login features and to use metadata-based SSH keys for authentication.
-
VM Configuration: Analyzes the VM’s metadata settings to confirm the inclusion of SSH keys, flags and other essential configuration details that facilitate SSH access.
-
GCE Network Connectivity Tests: Reviews applicable firewall rules to verify that there are no network barriers preventing SSH access to the VM.
-
Internal Guest OS Checks: Analysis available Guest OS metrics or logs to detect any misconfigurations or service disruptions that could be obstructing SSH functionality.
-
SSH in Browser Checks: Checks if the authenticated user has relevant permissions and the organization policies permits SSH in Browser.
Executing this runbook
gcpdiag runbook gce/ssh \
-p project_id=value \
-p name=value \
-p id=value \
-p zone=value \
-p principal=value \
-p local_user=value \
-p tunnel_through_iap=value \
-p check_os_login=value \
-p src_ip=value \
-p protocol_type=value \
-p port=value \
-p check_ssh_in_browser=value
Parameters
| Name | Required | Default | Type | Help |
|---|---|---|---|---|
project_id |
True | None | str | The ID of the project hosting the GCE VM |
name |
False | None | str | The name of the target GCE VM |
id |
False | None | int | The instance ID of the target GCE VM |
zone |
True | None | str | The zone of the target GCE VM |
principal |
True | None | str | The user or service account principal initiating the SSH connection this user should be authenticated in gcloud/cloud console when sshing into to the GCE. For service account impersonation, it should be the service account’s email |
local_user |
False | None | str | Poxis User on the VM |
tunnel_through_iap |
False | True | bool | (‘A boolean parameter (true or false) indicating whether ‘, ‘Identity-Aware Proxy should be used for establishing the SSH connection.') |
check_os_login |
False | True | bool | A boolean value (true or false) indicating whether OS Login should be used for SSH authentication |
src_ip |
False | None | IPv4Address | Source IP address. Workstation connecting from workstation,Ip of the bastion/jumphost if currently on logged on a basition/jumphost |
protocol_type |
False | tcp | str | Protocol used to connect to SSH |
port |
False | 22 | int | Port used to connect to SSH |
check_ssh_in_browser |
False | False | bool | Check that SSH in Browser is feasible |
Get help on available commands
gcpdiag runbook --help