
I have a project with three VMs. I'm trying to create a condition at the project level that should limit instanceAdmin role to a single instance only, based on its name.

  1. I previously tried to grant the policy at the instance level, but nothing happened; the granted user can see neither the instance nor the project.
  2. Therefore I tried to grant the policy at the project level, with a condition that limits the role to only the required instance (based on its name). As far as I can read in the docs, the resource name has to be declared following the name attribute format (projects/project-id/zones/zone-id/instances/instance-id): if I choose "starts with" and I stop at the project id (e.g. projects/project-id/), then the user will see all instances in the console, which is fine. If I write the full resource name (I tried using both the ID and the instance name), the user does not see anything.

I can't figure out how to make it happen: I'm following this guide, but it does not work on my side. Am I missing something? Moreover, why can't I simply apply the instanceAdmin role directly to the instance? Do I need some other privileges in order to list the instance in the console?

outmoo

1 Answer

Your first try is the right one. Grant the user InstanceAdmin on the instance. Your problem is that the user doesn't see the compute resources in the project. Why? Because he has no role on compute at the project level.

For this, grant the user the Compute Viewer role, and now he will be able to see all the compute instances, but not perform actions, except on the instance where he is InstanceAdmin.

guillaume blaquiere
  • Thanks a lot! That was my third try and it does work indeed... But how can I then limit visibility to all the other resources? The user can still see the three VMs: I guess IAM conditions should do the trick, but I really can't understand what I'm missing... Is the resource name supported at the project level? If it's not, where else should I use the resource name? – outmoo Jul 01 '20 at 14:02
  • Let me summarize: you have 3 VMs, and the user must be admin of and see only 1 in the console, the one where they are instanceAdmin, right? – guillaume blaquiere Jul 01 '20 at 14:23
  • Exactly! I was trying to avoid creating a different project, but it seems the only way... – outmoo Jul 01 '20 at 14:27
  • I think that you can't. To list the VMs in a project you need to have the computeViewer role, and you can't exclude resources from this list. But what is the problem with having several projects? What is the problem if the user sees the other VMs without having the capability to see the details and to log in? – guillaume blaquiere Jul 01 '20 at 14:53
  • Thanks, guillaume! I got to the same conclusion: at the end of the day, I can leave those two machines visible, no problem with that... To be honest, I was trying to figure out what I can do with IAM conditions and I'm still quite confused: I would expect to be able to grant the ComputeAdmin/Viewer role and be able to limit what a user can see based on a resource.name condition, but apparently it does not work that way... What does an IAM condition do exactly, then? – outmoo Jul 01 '20 at 15:06
  • An IAM condition is binary: either the condition is fully satisfied and the role is granted to the account (user or service), or it is not. In the current case, the instanceAdmin role is granted only if the current resource is the Compute instance. However, when you are listing the instances in the project, the current resource is the project, not the instance. Thus the condition doesn't match, and you don't have the role at all, neither for your instance nor for the project. – guillaume blaquiere Jul 02 '20 at 10:05
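A toy policy evaluator, added here and not part of the question or answer, that models the point made in the last comment: a conditional binding is checked against the resource the request targets, so a project-level binding conditioned on one instance's resource.name grants nothing for listing instances (a project-level request), while the answer's layout (Compute Viewer on the project, InstanceAdmin on the instance) gives visibility of every VM but action only on one. Project, zone, instance and user names are constructed, and each role is reduced to a couple of permissions; this is a simplified model, not the real IAM engine.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Binding:
    role: str
    member: str
    condition: Optional[Callable[[str], bool]] = None  # evaluated on resource.name

# Permissions per role, reduced to the ones this thread is about (assumption).
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin": {"compute.instances.get", "compute.instances.start"},
    "roles/compute.viewer": {"compute.instances.list", "compute.instances.get"},
}

def has_permission(policy: Dict[str, List[Binding]], member: str,
                   permission: str, resource: str) -> bool:
    """Bindings attached to `resource` or an ancestor apply; a conditional binding
    counts only if its condition holds for the resource the request targets."""
    roles = set()
    for attached_to, bindings in policy.items():
        if resource == attached_to or resource.startswith(attached_to + "/"):
            for b in bindings:
                if b.member == member and (b.condition is None or b.condition(resource)):
                    roles.add(b.role)
    return any(permission in ROLE_PERMISSIONS[r] for r in roles)

# Constructed names; the projects/.../zones/.../instances/... format follows the question.
PROJECT = "projects/demo-project"
VM1 = PROJECT + "/zones/europe-west1-b/instances/vm-1"
VM2 = PROJECT + "/zones/europe-west1-b/instances/vm-2"
USER = "user:alice@example.com"

# Second attempt in the question: instanceAdmin at project level, conditioned on vm-1.
CONDITIONAL_POLICY = {
    PROJECT: [Binding("roles/compute.instanceAdmin", USER, lambda n: n == VM1)],
}
# The answer: instanceAdmin on the instance itself plus Compute Viewer on the project.
ANSWER_POLICY = {
    PROJECT: [Binding("roles/compute.viewer", USER)],
    VM1: [Binding("roles/compute.instanceAdmin", USER)],
}

def evaluate(policy: Dict[str, List[Binding]]) -> Dict[str, bool]:
    """Outcome of the requests discussed in the thread under a given policy."""
    return {
        "list instances (targets the project)": has_permission(policy, USER, "compute.instances.list", PROJECT),
        "get vm-1": has_permission(policy, USER, "compute.instances.get", VM1),
        "start vm-1": has_permission(policy, USER, "compute.instances.start", VM1),
        "get vm-2": has_permission(policy, USER, "compute.instances.get", VM2),
        "start vm-2": has_permission(policy, USER, "compute.instances.start", VM2),
    }
```

Under CONDITIONAL_POLICY the listing request targets the project, the condition fails, and the user gets no role there, which is the "user does not see anything" result from the question; under ANSWER_POLICY listing and viewing every VM succeed and only vm-1 can be acted on.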