ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
When attempting to connect to a Google Cloud Platform (GCP) VM using the gcloud compute ssh command with the --tunnel-through-iap flag, you may encounter the following error:
gcloud compute ssh --zone "us-west1-b" "gcp-vm-instance-1" --tunnel-through-iap --project "demo-project"
mouli_gmail_com@compute.2231702132522436415: Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
This error occurs despite having set the “enable-oslogin=TRUE” metadata.
Solution: Grant “roles/iam.serviceAccountUser” to the User
To resolve this issue, grant the “roles/iam.serviceAccountUser” role to the user to provide the necessary access.
Follow the steps below:
To view login and administrative level permissions, query the user profile to get the value of the name field:
curl "http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?policy=login&email=user_email" -H "Metadata-Flavor: Google"
Example:
curl "http://metadata.google.internal/computeMetadata/v1/oslogin/authorize?policy=login&email=mouli@gmail.com" -H "Metadata-Flavor: Google"
Note
If a user is granted the roles/compute.osLogin access role and the authorization output returns {"success" : false}, it indicates that the user might be missing the roles/iam.serviceAccountUser role on the service account associated with the VM.
Make sure to address any permission issues to ensure successful SSH access to GCP VMs configured with “enable-oslogin=TRUE”.
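The fix described above, as an added example that is not part of the original article: it looks up the service account attached to the VM and grants roles/iam.serviceAccountUser on that one service account only, rather than project-wide. The function names and the choice to scope the binding to the single service account are assumptions of this example; the authorize response is the output of the curl check shown earlier.

```bash
#!/bin/sh
# Added example. Usage:
#   ./fix-oslogin.sh PROJECT ZONE INSTANCE USER_EMAIL 'AUTHORIZE_JSON'
# AUTHORIZE_JSON is the response from the metadata-server authorize query.

# Succeeds (exit 0) only when the authorize response reports success.
oslogin_authorized() {
  printf '%s' "$1" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true'
}

# Prints the email of the service account attached to the VM.
# Arguments: project zone instance
vm_service_account() {
  gcloud compute instances describe "$3" --project "$1" --zone "$2" \
    --format='value(serviceAccounts[0].email)'
}

# Grants roles/iam.serviceAccountUser on one service account (not the project).
# Arguments: project service_account_email user_email
grant_sa_user() {
  gcloud iam service-accounts add-iam-policy-binding "$2" --project "$1" \
    --member "user:$3" --role "roles/iam.serviceAccountUser"
}

# Arguments: project zone instance user_email authorize_json
fix_oslogin() {
  if oslogin_authorized "$5"; then
    echo "already authorized"
    return 0
  fi
  sa=$(vm_service_account "$1" "$2" "$3") || return 1
  if [ -z "$sa" ]; then
    # No service account attached: this role is not what is missing.
    echo "no service account attached to $3" >&2
    return 1
  fi
  grant_sa_user "$1" "$sa" "$4"
}

# Run only when called with all five arguments.
if [ "$#" -eq 5 ]; then
  fix_oslogin "$@"
fi
```

After the binding is in place, re-run the authorize query on the VM; it should now return {"success" : true} if this role was the only thing missing.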