Force Creation of OS-Login usernames

I am using OS-login to manage all VM ssh access. It’s great.

I would like to preconfigure some VM home files for new users. This involves creating a network-based home directory and assigning some files to a user's UID.

The issue I am having is that before a user has a username and UID assigned to them, which I can use for network file permissions for their files, they appear to need to log in to a machine.

After that it seems the nss cache can be updated with sudo google_oslogin_nss_cache and then their user info is viewable with getent passwd.

I wanted to better understand exactly when the user id is populated and made available for nss? Am I correctly understanding that it is on first login? Is there any way to force the creation of an os_login username for a new user who exists on a GCP project (has IAM roles), but has not yet logged into any machines?

This article may help us:

https://cloud.google.com/compute/docs/oslogin/manage-oslogin-in-an-org

It seems to say that we can define properties that will apply when a user logs in. This includes the userid being used as well as the UID and GID values. So, in principle, depending on your corpus of users … if they are configured in your Google Cloud domain you can pre-assign them these values and all should be good.

OK, makes sense. So what you’re describing would be to make a call to the update method of the Workspace Directory API and add a PosixAccounts object to a user who exists on Workspace. Via the method described here?

https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/update

Howdy Jackson … I’m going to say yes (in italics). I personally haven’t tried it before … but the theory sounds good. What I’d suggest is that instead of writing a lot of code to do this, we use some “CURL” commands and do some experimentation first. The documentation seems to hold up, but if I were sitting in your seat, I’d choose a sample user … give them “Posix” attributes, perform a Compute Engine SSH OS-Login and validate that they have the correct UID/GID that we expect.

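The experiment suggested in the reply above, sketched as an added example that is not part of the original thread: it builds the `posixAccounts` body for the Directory API `users.update` call, sends it with curl, and checks a `getent passwd` line against the pre-assigned values before any network home files are handed to that UID. The function names, the user `jdoe`, the UID/GID 5001 and the paths are constructed for illustration, and `ACCESS_TOKEN` is assumed to hold a Workspace admin OAuth token.

```shell
#!/bin/sh
# Added example; user name, UID/GID and paths are constructed sample values.

# Build the users.update request body with one posixAccounts entry.
# Assumes the values contain no quotes or backslashes (no JSON escaping here).
posix_body() {  # args: username uid gid home_dir
  printf '{"posixAccounts":[{"username":"%s","uid":"%s","gid":"%s","homeDirectory":"%s","shell":"/bin/bash"}]}' \
    "$1" "$2" "$3" "$4"
}

# Send the update as a Workspace admin. ACCESS_TOKEN is assumed to hold an
# OAuth token with the admin.directory.user scope. The posixAccounts array is
# replaced as a whole, so include every entry the user should keep.
set_posix_account() {  # args: user_email username uid gid home_dir
  curl --fail --silent --show-error -X PUT \
    -H "Authorization: Bearer ${ACCESS_TOKEN:?set ACCESS_TOKEN first}" \
    -H 'Content-Type: application/json' \
    -d "$(posix_body "$2" "$3" "$4" "$5")" \
    "https://admin.googleapis.com/admin/directory/v1/users/$1"
}

# Compare one `getent passwd` line with the pre-assigned values.
# Exit status: 0 match, 1 mismatch, 2 not a usable passwd entry.
check_passwd_line() (  # args: passwd_line uid gid home_dir
  IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
  [ -n "$name" ] && [ -n "$uid" ] && [ -n "$gid" ] || exit 2
  [ "$uid" = "$2" ] && [ "$gid" = "$3" ] && [ "$home" = "$4" ]
)

# On the VM after the test login, e.g.:
#   check_passwd_line "$(getent passwd jdoe)" 5001 5001 /nfs/home/jdoe
# Constructed sample: an entry whose UID was not the pre-assigned one.
sample='jdoe:*:20345:20345::/home/jdoe:/bin/bash'
if check_passwd_line "$sample" 5001 5001 /nfs/home/jdoe; then
  echo "UID/GID/home match the pre-assigned values"
else
  echo "mismatch: do not chown network home files to 5001 yet"
fi
```

Running the check before files are chowned on the network share catches the case where the VM resolves the user to a different UID than the one written to the directory.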