ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

MouliVeera
Dec 6, 2023

When attempting to connect to a Google Cloud Platform (GCP) VM using the gcloud compute ssh command with the --tunnel-through-iap flag, you may encounter the following error:

gcloud compute ssh --zone "us-west1-b" "gcp-vm-instance-1" --tunnel-through-iap --project "demo-project"
mouli_gmail_com@compute.2231702132522436415: Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

This error occurs despite having set the “enable-oslogin=TRUE” metadata.

Solution: Grant “roles/iam.serviceAccountUser” to the User

To resolve this issue, grant the “roles/iam.serviceAccountUser” role to the user to provide the necessary access.

Follow the steps below:

To view login and administrative level permissions, query the user profile to get the value of the name field:

curl "http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?policy=login&email=user_email" -H "Metadata-Flavor: Google"

Example:

curl "http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?policy=login&email=mouli@gmail.com" -H "Metadata-Flavor: Google"

Note

If a user has been granted the roles/compute.osLogin role and the authorization output returns {"success" : false}, the user might be missing the roles/iam.serviceAccountUser role on the service account associated with the VM.
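The check described in the Note, as an added shell example (not the author's code): it classifies the authorize response together with the user's roles, and grants roles/iam.serviceAccountUser on the VM's own service account rather than project-wide. The function names are hypothetical, and roles/compute.osAdminLogin (the administrative counterpart of roles/compute.osLogin) is not mentioned in the original post.

```shell
#!/usr/bin/env bash
# Added example. Project, zone, instance and e-mail values are caller-supplied.

# True when the authorize endpoint's JSON body reports success.
authorize_ok() {
  printf '%s' "$1" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true'
}

# has_role ROLE ROLES: exact match against a newline-separated role list.
has_role() {
  printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# diagnose AUTH_BODY ROLES: print a one-word verdict following the Note above.
diagnose() {
  if authorize_ok "$1"; then
    echo "authorized"
  elif ! has_role roles/compute.osLogin "$2" &&
       ! has_role roles/compute.osAdminLogin "$2"; then
    echo "missing-oslogin-role"
  elif ! has_role roles/iam.serviceAccountUser "$2"; then
    echo "missing-serviceAccountUser"
  else
    echo "other-cause"
  fi
}

# Roles bound directly to the user in the project policy (inherited, group and
# resource-level bindings are not listed here).
project_roles() {  # project_roles PROJECT EMAIL
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.members:user:$2" --format='value(bindings.role)'
}

# Bind the role on the VM's own service account instead of project-wide.
grant_sa_user() {  # grant_sa_user PROJECT ZONE INSTANCE EMAIL
  local sa
  sa=$(gcloud compute instances describe "$3" --zone "$2" --project "$1" \
        --format='value(serviceAccounts[0].email)') || return 1
  [ -n "$sa" ] || { echo "VM has no service account attached" >&2; return 1; }
  gcloud iam service-accounts add-iam-policy-binding "$sa" --project "$1" \
    --member="user:$4" --role="roles/iam.serviceAccountUser"
}
```

Pass diagnose the body returned by the curl command above (run on the VM) and the output of project_roles; call grant_sa_user only when the verdict is missing-serviceAccountUser.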

Make sure to address any permission issues to ensure successful SSH access to GCP VMs configured with “enable-oslogin=TRUE”.
