I have a (non-admin) account on one GCP project.
When I start the Dataproc cluster, GCP spins up 3 VMs. When I try to access one of the VM via SSH (in browser) I get the following error:
I tried to add recommended permissions, but I cannot add the iam.serviceAccounts.actAs permission.
Any idea how to solve this? I read through the GCP documentation, but I just cannot find the solution for this. I have the following roles associated with my account:
In the end, we managed to solve it by granting users the Editor permission on Compute Engine default service account. Not sure it is the right way but it seems to work.
I believe the latest documentation on Compute Engine SSH access is here: https://cloud.google.com/compute/docs/instances/managing-instance-access
It seems that you have to enable OS Login on the specific instance(s) you want to SSH into.
If from console you want to click the "SSH" button next to an instance but face this issue, you can grant the Service Account User role instead of Editor, and it should resolve this.
If you're using OS Login, you may need the Compute OS Login role as well, but SA user should work.
If you're using IAP, you may need the IAP-secured Tunnel User role (or roles/iap.tunnelResourceAccessor in CLI)
Before:
After adding Service Account User role:
If you want to access remotely, use a bastion and Cloud IAP tunnel. Here is an example setup/teardown (NAT and router optional if you want to configure your bastion or install packages)
