On Compute Engine, you can use OS Login to grant users access to VMs and to restrict which users have sudo access. If you want to control which users can view or run specific files and executables in VMs, you can use OS policies to roll out policies that automate and centralize the management of files across your VM fleet.
This tutorial shows you how to grant read access to the auth.log file (/var/log/auth.log) on multiple VMs to a group of users who don't have sudo access, using OS Login groups and OS policies.
In most default configurations, the auth.log file's permissions are 640 and the file is owned by the group adm. A user who isn't granted the roles/compute.osAdminLogin IAM role isn't in the adm group and doesn't have sudo access, and therefore can't read the file.
While this tutorial focuses on managing user permissions to a specific file, the workflow can be modified and used for setting permissions on other files or executables on a VM.
Objectives
In this tutorial you'll learn the following:
- How to create an OS Login Linux group
- How to use an OS policy assignment to change the group permissions of a file in multiple VMs at once
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage, use the pricing calculator.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
New Google Cloud users might be eligible for a free trial.
Before you begin
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Install or update to the latest version of the Google Cloud CLI.
- Ensure that you're a Cloud Identity Groups administrator for your organization. If you aren't a Groups administrator, have your organization's Groups administrator create an OS Login Linux group for you.
- Enable VM Manager.
Prepare the environment
Before you can grant access to the auth.log file, you need to create some VMs. The command below uses the project's default image; this tutorial assumes that image writes /var/log/auth.log, as Debian and Ubuntu images running rsyslog do.
Create three VMs using the gcloud compute instances bulk create command:
gcloud compute instances bulk create \
  --name-pattern=tutorial-# \
  --zone=us-west1-a \
  --count=3 \
  --labels=vm=tutorial \
  --metadata=enable-oslogin=TRUE
You see a message similar to the following:
`Bulk create request finished with status message: [VM instances created: 3, failed: 0.]`
Set group permissions for the auth.log file
To grant a user read access to the auth.log file without granting them the roles/compute.osAdminLogin IAM role, change the group that owns the file to a Linux group that the user is a member of. Because the file mode stays 640, members of the new group can read the file but not write to it, and users outside the group still can't read it.
Note that log rotation typically recreates the file with the distribution's default owner and group, so the change has to be re-applied after each rotation. An OS policy in enforcement mode handles this because the OS Config agent periodically re-validates its resources and re-runs the enforce step whenever it finds drift.
Create an OS Login Linux group
You can create an OS Login Linux group to add a supplementary Linux group that appears on each VM that has OS Login enabled. By creating an OS Login Linux group instead of a local supplementary Linux group on each VM, you control the group's membership centrally for all VMs.
To create an OS Login Linux group, use the gcloud beta identity groups create command:
gcloud beta identity groups create logaccess@ORGANIZATION_DOMAIN \
  --organization=ORGANIZATION_DOMAIN \
  --posix-group=gid=12345,name=logaccess
Replace ORGANIZATION_DOMAIN with the domain (for example, example.com) associated with your organization. The GID 12345 is an example value; pick a GID that isn't already used by a local group on your images, because Linux checks permissions by numeric GID and a local group with the same number would share the access you grant.
Create an OS policy assignment
You can use OS policies to automate and centralize the configuration of your VMs. You apply OS policies to VMs using OS policy assignments. By creating an OS policy assignment with an OS policy that changes the group of the auth.log file, you change the group on multiple VMs at once instead of on one VM at a time.
To create an OS policy assignment, do the following:
- Open a terminal on your workstation.
- Create an OS policy assignment .yaml file by running the following command:
touch tutorial-os-policy-assignment.yaml
- Open the tutorial-os-policy-assignment.yaml file in a text editor and add the following specifications:
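The following OS policy assignment is an added example, not the tutorial's own specification. It assumes the OS Login group was created with gid=12345 as above, that the VMs carry the label vm=tutorial, and that the image writes /var/log/auth.log. It compares and sets the numeric GID rather than the group name so the scripts don't depend on NSS resolving the OS Login group on the VM.

```yaml
# Added example OS policy assignment (not the tutorial's own file).
# Assumptions: OS Login group gid=12345, VM label vm=tutorial,
# and /var/log/auth.log present on the image.
osPolicies:
  - id: auth-log-group
    mode: ENFORCEMENT        # VALIDATION would only report drift, not fix it
    resourceGroups:
      - resources:
          - id: auth-log-owned-by-logaccess
            exec:
              # validate: exit 100 = compliant, 101 = non-compliant.
              # Check the numeric GID so the result doesn't depend on
              # name resolution of the OS Login group on the VM.
              validate:
                interpreter: SHELL
                script: |
                  if [ "$(stat -c %g /var/log/auth.log 2>/dev/null)" = "12345" ]; then
                    exit 100
                  fi
                  exit 101
              # enforce: exit 100 = success, 101 = failure. Runs only when
              # validate returned 101, and again after the agent re-validates,
              # for example once logrotate has recreated the file with the
              # distribution default group. The chmod pins the mode to 0640
              # so the group gains read access without opening the file to others.
              enforce:
                interpreter: SHELL
                script: |
                  chgrp 12345 /var/log/auth.log && chmod 0640 /var/log/auth.log && exit 100
                  exit 101
instanceFilter:
  inclusionLabels:
    - labels:
        vm: tutorial
rollout:
  # Apply to at most one VM at a time and wait between batches,
  # so a faulty script is caught before it reaches the whole fleet.
  disruptionBudget:
    fixed: 1
  minWaitDuration: 60s
```

The GID in both scripts must match the one passed to --posix-group when the group was created. If a local group on the VM already uses GID 12345, its members also gain read access, which is why the GID should be chosen outside the range the image assigns to local groups.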
Apply the OS policy assignment to VMs
To apply the OS policy assignment to your VMs, do the following:
- Apply the OS policy using the gcloud compute os-config os-policy-assignments create command:
gcloud compute os-config os-policy-assignments create log-access-assignment \
  --location=us-west1-a \
  --file=tutorial-os-policy-assignment.yaml \
  --async
The OS policy assignment rolls out to the VMs according to the rollout specification in the tutorial-os-policy-assignment.yaml file.
- Confirm that the OS policy assignment rolled out to the VMs and that it updated the file's group using the gcloud compute os-config os-policy-assignment-reports list command:
gcloud compute os-config os-policy-assignment-reports list --location=us-west1-a
Each VM's report lists the policy's compliance state; a VM is reported as compliant only after the policy's validate step succeeds on it.
Add users to the OS Login Linux group
When you add a user to an OS Login Linux group, the user inherits the permissions of the group in all VMs that have OS Login enabled.
For this tutorial, any user that you add to the logaccess group can view the auth.log file without the roles/compute.osAdminLogin IAM role. The user still needs the roles/compute.osLogin IAM role to sign in to the VMs at all; group membership only adds the file permission on top of that access.
View the Cloud Identity Help documentation to learn how to add a user to the logaccess group.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Delete individual resources
Delete the VMs you created using the gcloud compute instances delete command:
gcloud compute instances delete tutorial-1 tutorial-2 tutorial-3 \
  --zone=us-west1-a
What's next
- Learn more about OS Login
- Learn more about VM Manager
- Explore reference architectures, diagrams, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.