On Compute Engine, you can use OS Login to grant users access to VMs and to
restrict the users with
sudo access. If you want to control which users can
view or run specific files and executables in VMs, you can use
OS policies to roll out policies
that automate and centralize the management of files within your VM fleet.
This tutorial shows you how to grant view access to the auth.log file
(/var/log/auth.log) on multiple VMs to a group of users who don't otherwise have
access to it, using OS Login groups and OS policies.
In most default configurations, the auth.log file is owned by the group adm, and
its permissions allow read access only to the file owner and to members of that
group. A user who isn't granted the roles/compute.osAdminLogin IAM role isn't a
member of the adm group, doesn't have sudo access, and therefore can't read the file.
While this tutorial focuses on managing user permissions to a specific file, the workflow can be modified and used for setting permissions on other files or executables on a VM.
In this tutorial you'll learn the following:
- How to create an OS Login Linux group
- How to use an OS policy assignment to change the group permissions of a file in multiple VMs at once
In this document, you use the following billable components of Google Cloud:
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
New Google Cloud users might be eligible for a free trial.
Before you begin
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Install or update to the latest version of the Google Cloud CLI.
- Ensure that you're a Cloud Identity Groups administrator for your organization. If you aren't a Groups administrator, have your organization's Groups administrator create an OS Login Linux group for you.
- Enable VM Manager.
Prepare the environment
Before you can grant access to the
auth.log file, you need to create some VMs.
Create three VMs using the gcloud compute instances bulk create command:

```shell
gcloud compute instances bulk create \
    --name-pattern=tutorial-# \
    --zone=us-west1-a \
    --count=3 \
    --labels=vm=tutorial \
    --metadata=enable-oslogin=TRUE
```

The vm=tutorial label is what the OS policy assignment later uses to select these VMs. You see a message similar to the following:

`Bulk create request finished with status message: [VM instances created: 3, failed: 0.]`
Set group permissions for the auth.log file
To grant a user read access to the auth.log file without granting them the
roles/compute.osAdminLogin IAM role, change the group that owns the file to
a Linux group that the user is a member of. The file's group-read permission bit
stays as it is; only the owning group changes.
Create an OS Login Linux group
You can create an OS Login Linux group to add a supplementary Linux group that appears on each VM that has OS Login enabled. By creating an OS Login Linux group instead of a local supplementary Linux group, you can control the Linux group on all VMs in a unified way.
To create an OS Login Linux group, use the gcloud beta identity groups create command:

```shell
gcloud beta identity groups create logaccess@ORGANIZATION_DOMAIN \
    --organization=ORGANIZATION_DOMAIN \
    --posix-group=gid=12345,name=logaccess
```

Replace ORGANIZATION_DOMAIN with the domain (for example, example.com) associated
with your organization. Choose a GID that isn't already used by a local group on
your VMs.
Create an OS policy assignment
You can use OS policies to automate and centralize the configuration of your VMs.
You apply OS policies to VMs using OS policy assignments. By creating an OS policy
assignment with an OS policy that changes the owning group of the auth.log file,
you can change the group of the auth.log file on multiple VMs at once, instead of
applying the change to one VM at a time.
To create an OS policy assignment, do the following:

- Open a terminal on your workstation.
- Create a file named log-access-os-policy-assignment.yaml in a text editor and add the following specification:

```yaml
# OS policy assignment that sets the /var/log/auth.log group to logaccess.
osPolicies:
  - id: log-access-policy
    mode: ENFORCEMENT
    resourceGroups:
      - resources:
          - id: grant-log-access
            exec:
              validate:
                # Checks if the group is logaccess. If yes, exits with code 100. If no,
                # exits with code 101 and proceeds to the `enforce` step.
                script: if stat -c '%G' /var/log/auth.log | grep -q 'logaccess'; then exit 100; else exit 101; fi
                interpreter: SHELL
              enforce:
                # Changes the group to logaccess and exits with code 100.
                script: chgrp logaccess /var/log/auth.log && exit 100
                interpreter: SHELL
instanceFilter:
  inclusionLabels:
    - labels:
        vm: tutorial
rollout:
  disruptionBudget:
    fixed: 10
  minWaitDuration: 30s
```

The instanceFilter selects only VMs carrying the vm=tutorial label, so the policy
doesn't touch other VMs in the zone. The validate script runs on every compliance
check; enforce runs only when validate exits 101.
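The validate and enforce scripts in the YAML are what the OS Config agent runs on each VM, using the exit-code contract described in the comments (100 means compliant or enforced, 101 means non-compliant). As an added example that is not part of this page or of VM Manager, the following POSIX shell script implements the same pair as functions, using an exact group comparison instead of the grep substring match and adding a check that the file's group-read bit is actually set, so the logic can be tried locally against a scratch file before it is rolled out. The function names and the script path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page or from VM Manager): a local dry run of the
# validate/enforce pair from the OS policy's exec resource.
#
# OS Config exec-resource contract, as documented in the policy comments:
#   validate exits 100 -> resource is compliant, enforce is skipped
#   validate exits 101 -> resource is non-compliant, enforce runs
#   enforce  exits 100 -> enforcement succeeded

# validate_group FILE GROUP: 100 if FILE's owning group is exactly GROUP, else 101.
validate_group() {
    # Exact string comparison. A substring test such as `grep -q logaccess`
    # would also accept an unrelated group named, for example, logaccess-old.
    if [ "$(stat -c '%G' "$1")" = "$2" ]; then
        return 100
    else
        return 101
    fi
}

# enforce_group FILE GROUP: 100 if chgrp succeeded, 1 otherwise
# (chgrp fails if the caller lacks privilege or the group doesn't exist).
enforce_group() {
    if chgrp "$2" "$1"; then
        return 100
    else
        return 1
    fi
}

# group_readable FILE: 0 if the group-read bit is set, 1 otherwise.
# Changing the owning group grants nothing unless this bit is set; auth.log
# is normally group-readable, which is why the policy only needs chgrp.
group_readable() {
    case "$(stat -c '%A' "$1")" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# apply_policy FILE GROUP: validate, enforce only if needed, then validate
# again, mirroring how the agent sequences an exec resource.
# Returns 100 when FILE ends up compliant, the failing exit code otherwise.
apply_policy() {
    file="$1"; group="$2"
    rc=0
    validate_group "$file" "$group" || rc=$?
    if [ "$rc" -eq 100 ]; then
        echo "compliant: $file is owned by group $group"
    else
        echo "non-compliant: $file is owned by group $(stat -c '%G' "$file"); enforcing"
        rc=0
        enforce_group "$file" "$group" || rc=$?
        [ "$rc" -eq 100 ] || return "$rc"
        # Re-validate rather than trusting chgrp's exit status alone.
        rc=0
        validate_group "$file" "$group" || rc=$?
        [ "$rc" -eq 100 ] || return "$rc"
    fi
    group_readable "$file" || \
        echo "warning: $file is not group-readable; members of $group still can't read it"
    return 100
}

# Run against a real file when invoked with arguments (hypothetical script name):
#   sudo ./check_log_group.sh /var/log/auth.log logaccess
if [ "$#" -eq 2 ]; then
    apply_policy "$1" "$2"
fi
```

Because enforce runs whenever validate exits 101, anything that recreates the file with its default ownership (log rotation, for example) makes the VM non-compliant again until the next compliance check re-runs enforce; the policy corrects it, but there is a window in which logaccess members lose access.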
Apply the OS policy assignment to VMs
To apply the OS policy assignment to your VMs, do the following:
Apply the OS policy using the gcloud compute os-config os-policy-assignments create command:

```shell
gcloud compute os-config os-policy-assignments create log-access-assignment \
    --location=us-west1-a \
    --file=log-access-os-policy-assignment.yaml \
    --async
```
The OS policy assignment rolls out to the VMs according to the rollout specification in the YAML file.
Confirm that the OS policy assignment rolled out to the VMs and that the OS policy successfully updated the file's group by using the gcloud compute os-config os-policy-assignment-reports list command:

```shell
gcloud compute os-config os-policy-assignment-reports list --location=us-west1-a
```

Each VM's report should show a compliance state of COMPLIANT for log-access-policy. If a VM reports NON_COMPLIANT, check that the logaccess group exists on it (that is, OS Login is enabled and the OS Login Linux group was created) and that the enforce script could run chgrp.
Add users to the OS Login Linux group
When you add a user to an OS Login Linux group, the user inherits the
permissions of the group in all VMs that have OS Login enabled.
For this tutorial, any user that you add to the
logaccess group can view the
auth.log file without the
roles/compute.osAdminLogin IAM role.
View the Cloud Identity Help documentation to learn how to add a user to the logaccess group.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete individual resources
Delete the VMs you created using the gcloud compute instances delete command:

```shell
gcloud compute instances delete tutorial-1 tutorial-2 tutorial-3 \
    --zone=us-west1-a
```