Summary
OS login for VMs using IAM is failing.
Detail
When using the gcloud CLI (gcloud compute ssh), the following error occurs:
ERROR: (gcloud.compute.ssh) User [abc@gmail.com] does not have permission to access users instance [abc@gmail.com] (or it may not exist): End user credentials must match the user specified in the request. Request for user [ abc@gmail.com] does not match the credential for [ABc@gmail.com].
When using the browser method of clicking the SSH button on the VM instances screen the following error occurs:
End user credentials must match the user specified in the request. Request for user [ abc@gmail.com] does not match the credential for [ABc@gmail.com].
Testing
This error persists in the following actions:
- Creating new VM in existing project
- Creating new VM in new project
- Adding a principal with the lowercase email. This triggers an email to be sent for me to join my own project. Once clicked, I get sent to the GC console with a welcome screen. The lowercase principal is never added to the access list.
- Invalidating and re-authenticating the gcloud CLI.
Background
This is a project with a VM which has been in use with OS Login for over a year. Login with browser-based SSH and the gcloud CLI were used successfully in the past. The project has one user and is largely left unattended. No actions were taken which might have modified the VM or user permissions. The specific user tried has owner permission to the project and VM.
Workaround
Disabling OS Login by removing the metadata tag and rebooting allows the old SSH method to work correctly.
Possible idea
The errors above have two weirdnesses to them. One is the case difference. The second is that the "Request for user" has an extra space before the email address. Something seems wrong on Google's end.
Links
GCP instance ssh doesn't recognize user anymore because of different case
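
The two discrepancies noted under "Possible idea" can be told apart mechanically when triaging this error. The following is an added example, not part of the original post and not Google tooling: a Python helper (the name classify_mismatch and the category labels are hypothetical) that parses the error text and reports whether the requested and credential addresses differ by padding whitespace, by letter case, or are different identities.

```python
import re

# Matches the tail of the OS Login error quoted in the post.
MISMATCH_RE = re.compile(
    r"Request for user \[(?P<requested>[^\]]*)\] does not match "
    r"the credential for \[(?P<credential>[^\]]*)\]"
)

# Error text copied from the post above.
SAMPLE = (
    "ERROR: (gcloud.compute.ssh) User [abc@gmail.com] does not have permission "
    "to access users instance [abc@gmail.com] (or it may not exist): End user "
    "credentials must match the user specified in the request. Request for user "
    "[ abc@gmail.com] does not match the credential for [ABc@gmail.com]."
)


def classify_mismatch(message):
    """Return (requested, credential, kinds) for the first mismatch, or None.

    kinds is a list drawn from:
      "whitespace"         - either bracketed value carries leading/trailing spaces
      "case"               - values are equal once trimmed and case-folded
      "different-identity" - values differ even after trimming and case-folding
    """
    m = MISMATCH_RE.search(message)
    if m is None:
        return None
    requested, credential = m.group("requested"), m.group("credential")
    kinds = []
    if requested != requested.strip() or credential != credential.strip():
        kinds.append("whitespace")
    r, c = requested.strip(), credential.strip()
    if r != c and r.casefold() == c.casefold():
        kinds.append("case")
    if r.casefold() != c.casefold():
        kinds.append("different-identity")
    return requested, credential, kinds


if __name__ == "__main__":
    requested, credential, kinds = classify_mismatch(SAMPLE)
    print(f"requested={requested!r} credential={credential!r} kinds={kinds}")
```

A result containing only "whitespace" and/or "case" means both values name the same mailbox and the comparison itself is the problem, which is the situation described in the post.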