Ensure project instance does not override the project setting enabling OSLogin

Error: Project instance overrides the project setting enabling OSLogin

Bridgecrew Policy ID: BC_GCP_NETWORKING_10
Checkov Check ID: CKV_GCP_34
Severity: MEDIUM

Project instance overrides the project setting enabling OSLogin

Description

Enabling OSLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated SSH key pair management. This is useful in handling cases such as response to compromised SSH key pairs and/or revocation of external/third-party/Vendor users.

We recommend you enable OSLogin to bind SSH certificates to IAM users and facilitates effective SSH certificate management.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Metadata.
  3. Click Edit.
  4. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
  5. To apply changes, click Save.
  6. For every instances that overrides the project setting, go to the VM Instances page
    at https://console.cloud.google.com/compute/instances.
  7. Click the name of the instance on which you want to remove the metadata value.
  8. To edit the instance settings go to the top of the instance details page and click Edit.
  9. Under Custom metadata, remove any entry with key enable-oslogin and the value
    is FALSE.
  10. To apply your changes to the instance, navigate to the bottom of the instance details page and click Save.

CLI Command

  1. To configure oslogin on the project, use the following command:
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
  1. To remove instance metadata that overrides the project setting, use the following command:
gcloud compute instances remove-metadata INSTANCE_NAME --keys=enable-oslogin

Optionally, you can enable two factor authentication for OS login. For more information, see https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.

Fix - Buildtime

Terraform

  • Resource: google_compute_project_metadata

  • Argument: enable-oslogin

  • Resource: google_compute_instance

  • Argument: enable-oslogin
    Should not override project metadata: should not be set to false.

//Option 1
resource "google_compute_project_metadata" "default" {
  metadata = {
+    enable-oslogin = true
  }
}

//Option 2
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  boot_disk {}
  metadata = {
-     enable-oslogin = false
  }
}