Unable to SSH into GCP Instance Despite Passing Troubleshooting Steps

Good morning, all.

I'm a Google Cloud Engine user facing a strange SSH access issue with a specific project.

Some months back, we changed our Google Workspace primary domain.

This also resulted in changing the admin email address and the subsequent result on GCP resources.

When I visited a project I have used for over 5 years, I got this:

 

 

```plaintext
Troubleshooting info:
  Principal: myemail[at]domain(dot)com
  Resource: hg-****atlanta
  Troubleshooting URL: console.cloud.google.com/iam-admin/troubleshooter;permissions=compute.instances.list;principal=myemail[at]domain(dot)com;resources=%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2Fhg-****atlanta/result

Missing permissions:
  compute.instances.list
```

 

The email address being used has "Owner" and "Org Admin" privileges.

So far, I haven't had any trouble accessing other projects except for a project created after the email change:

 

 

```yaml
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {},
    "authenticationInfo": {
      "principalEmail": "myemail[at]domain(dot)com",
      "principalSubject": "user:myemail[at]domain(dot)com"
    },
    "requestMetadata": {
      "callerIp": "89.**.4.***",
      "callerSuppliedUserAgent": "google-api-go-client/0.5 Terraform/1.8.1 (+https://www.terraform.io) Terraform-Plugin-SDK/2.33.0 terraform-provider-google/5.26.0,gzip(gfe)",
      "requestAttributes": {},
      "destinationAttributes": {}
    },
        },
        "permissionType": "ADMIN_WRITE"
      },
      --- truncated ---

```

 

SSH access via the local machine, Cloud Shell, and the instance console simply refused to work, even with "22" and:

 

 

```yaml
sourceRanges: [
0: "0.0.0.0/0"
```

 

Project SSH and local machine keys are inserted and OK.

Running a test resulted in:

 

 

```plaintext
Starting ssh troubleshooting for instance https://compute.googleapis.com/compute/v1/projects/customers****zxm/zones/us-central1-f/instances/$instance-2 in zone us-central1-f
Start time: 2024-05-23 00:41:40.896302

---- Checking network connectivity ----
The Network Management API is needed to check the VM's network connectivity.

Is it OK to enable it and check the VM's network connectivity? (Y/n)?  y

Enabling service [networkmanagement.googleapis.com] on project [customers****zxm]...
Your source IP address is 35.***.***.***

Network Connectivity Test Result: REACHABLE

To view complete details of this test, see https://console.cloud.google.com/net-intelligence/connectivity/tests/details/ssh-troubleshoot-7t07i?project=customers****zxm

Help for connectivity tests:
https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/concepts/overview

---- Checking user permissions ----
User permissions: 0 issue(s) found.

---- Checking VPC settings ----
VPC settings: 0 issue(s) found.

---- Checking VM status ----
The Monitoring API is needed to check the VM's Status.

Is it OK to enable it and check the VM's Status? (Y/n)?  y

Enabling service [monitoring.googleapis.com] on project [customers****zxm]...
VM status: 0 issue(s) found.

---- Checking VM boot status ----
VM boot: 0 issue(s) found.
```

 

This has happened twice, with the first instance "$instance-1" instantiated on 2024-05-12 but deleted due to the same issue.

Then it happened again with this VM "$instance-2".

  • VM starts up successfully with no boot issues using the right service account.
  • Have verified that SSH access to the instance is not blocked by a firewall.
  • Have ascertained that the root volume is not out of disk space, as there is nothing yet installed.
  • Have ascertained that the instance has not run out of memory.
  • Persistent SSH keys metadata for gcloud is set for both the project and instance.
  • Have reset Cloud Shell.

Has any wise mind ever encountered an issue like this?

And if yes, what troubleshooting sequence led to a resolution?

I do not want to delete the project and restart the creation from scratch so would be deeply grateful for any tip and/or insight that could lead to a resolution.

Thank you.

P/S: Using the wrong label as Compute is not available in the list provided.

 


Hi @headsup 

Welcome to Google Cloud Community!

The error "Missing permissions: compute.instances.list" indicates you lack the necessary authorization to view a list of Compute Engine instances within your project. 

Steps to verify IAM permissions:

  • Go to the Google Cloud Console and navigate to the IAM & Admin section.
  • In the left panel, select the project containing your Compute Engine instance.
  • Check the IAM permissions assigned to your user account (the email address you're using).

If you don't have the required permissions, you'll need to be granted access by someone with the "Owner" or "Editor" role on the project. These roles allow viewing a list of instances.

You can also use the Policy Troubleshooter to troubleshoot access to a resource. Policy Troubleshooter for IAM helps you understand why a user doesn't have access to a resource.

You can also refer to this document on how to troubleshoot SSH connectivity issues.

I hope this information is helpful.

If you need further assistance, you can always file a case with our support team so that they can review your project and VM settings and determine the cause of the issue.
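One way to script the IAM check from the steps above is shown below. It is an added example, not part of the reply or of any Google tooling. It reads a project policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which bindings give a user `compute.instances.list`, which of those are conditional, and which members still point at a previous domain. The role subset, the function name and the `old.example` / `new.example` addresses are assumptions made for the illustration.

```python
import json

# Subset of predefined roles that contain compute.instances.list (not
# exhaustive; custom roles used in your project must be added by hand).
ROLES_WITH_LIST = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/compute.admin", "roles/compute.instanceAdmin.v1",
    "roles/compute.viewer",
}

# Constructed sample in the shape printed by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:admin@old.example"]},
  {"role": "roles/compute.viewer",
   "members": ["user:admin@new.example"],
   "condition": {"title": "temp",
                 "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
  {"role": "roles/iam.serviceAccountUser",
   "members": ["user:admin@new.example",
               "deleted:user:ops@old.example?uid=123456789"]}
]}
""")

def audit_principal(policy, email, old_domain):
    """Return (granting_roles, conditional_roles, stale_members).

    Only bindings set on the project itself are visible here; grants
    inherited from a folder or organization are not in this export.
    """
    member = f"user:{email}".lower()
    granting, conditional, stale = [], [], set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for m in binding.get("members", []):
            ml = m.lower()
            # Deleted principals are listed as deleted:user:addr?uid=...
            if ml.startswith("deleted:") or ml.split("?")[0].endswith("@" + old_domain):
                stale.add(m)
            if ml == member and role in ROLES_WITH_LIST:
                (conditional if "condition" in binding else granting).append(role)
    return sorted(granting), sorted(conditional), sorted(stale)

if __name__ == "__main__":
    print(audit_principal(SAMPLE_POLICY, "admin@new.example", "old.example"))
```

An empty first list together with stale members means no unconditional project-level binding names the current address; the Policy Troubleshooter mentioned above also evaluates inherited grants.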

Hello @LeAnt 

While we appreciate the input, if you look at the troubleshooting steps so far and the privileges that the said account has, you will agree that these have nothing to do with the issue. 

The issue is Google Workspace and Google Cloud which only Google can resolve.