Not able to SSH into VM of other people despite my admin role

In a GCP Project, user ABC and user XYZ are invited by the owner. Both ABC and XYZ are given the role of ‘Compute Admin’.

ABC created a few VM without External IP, and then ABC can SSH into them.

But then XYZ can’t SSH into them, so the owner added 4 more roles to XYZ but still he couldn’t SSH into those VMs created by ABC. (The 4 roles added are ‘Compute Instance Admin (beta)’, ‘Compute Instance Admin (v1)’, ‘Compute OS Admin Login’, and ‘Compute OS Login’).

Eventually, I found out that the error message actually tells me XYZ can’t do so because there is no External IP. So eventually solved this by making XYZ to be owner too, temporarily.

Is this expected? I thought with the 4 additional roles given XYZ should be able to SSH into those VMs, regardless of have public IP or not. What am I missing here (or is this some kind of security-mantra or best-practice that somehow just I’m not aware of)?

Best Regards,

Wai Keat

Could I know how user XYZ connected to these VM via SSH?

I tried to reproduce your issue, to connect to VM without External IP via clicking SSH button in Cloud Console UI and run command “gcloud compute ssh [Instance_Name] --zone=[Zone_Name]”, both of them’re using IAP tunneling without any issue.

Where is ABC ssh’ing from and to? and how?

If the VM has no External IP, he should be able to only SSH in via Cloud Shell or Console UI as outlined by @HaoZha above. The other is if there’s some sort of Cloud VPN setup and so ABC can ssh in from his laptop/localhost.

So…how is XYZ trying to ssh in?

By hovering his mouse cursor over to the SSH button, but then it is grey-out.

That’s how it looks like when I say “they couldn’t SSH into”.