tprashanth

1 week ago

When connected to Bastion host, why id changed to Service Acct?

Hi Matt - Under the Bastion Host lecture, when logged in from the external host to the Bastion host, why did the account change from the login account (used while doing "gcloud init") to the service account? If I compare with on-prem hosts using my ID, if I SSH from one host to another, it displays the user id as my own on the 2nd host.


Why is the behavior on GCP different?

Further, in order to connect from the Bastion host to another internal host, you mentioned that the Compute Engine scope for the service account needs to be enabled. Is it about attaching a policy/role (something like compute.editor) to the service account? Can you please elaborate on this?

Thank you,
Prashanth.

6 days ago

Matt's out of the office until Wednesday, but he'll get back to you then.


6 days ago
This isn't a bastion host behavior, but a GCP Compute Engine behavior regardless of whether you're using a bastion host or just logging into any GCE instance, which is also by design. When you SSH into a GCE instance, the instance assumes the identity of the instance's service account. This is how GCP works. You do have the option of running gcloud init when in the instance to switch to your account, however.
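An added example (not from the course or from Matt's reply) for verifying this from inside a GCE instance: gcloud and the client libraries on the instance obtain tokens from the metadata server as the attached service account, while the Linux login user is a separate thing. The script reads the attached service account and its OAuth scopes from the metadata server, shows which account gcloud is currently using, and checks whether the scope list allows Compute Engine calls. The scope is only half of the check: the service account must also hold an IAM role on the target project, which scopes alone never grant.

```shell
#!/bin/sh
# Run on a GCE instance (for example the bastion host) to see which identity
# API calls from this box will carry. Metadata paths and gcloud flags are the
# documented ones; nothing here needs a key file.
METADATA="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# True only when the metadata server answers, i.e. we are on a GCE instance.
on_gce() {
    curl -s -m 2 -o /dev/null -H "Metadata-Flavor: Google" "$METADATA/"
}

# Email of the service account attached to this instance.
instance_sa_email() {
    curl -s -H "Metadata-Flavor: Google" "$METADATA/email"
}

# OAuth scopes granted to the attached service account, one per line.
instance_sa_scopes() {
    curl -s -H "Metadata-Flavor: Google" "$METADATA/scopes"
}

# Account gcloud will act as: the service account by default, or your own
# user after "gcloud init" / "gcloud auth login" in the SSH session.
active_gcloud_account() {
    gcloud auth list --filter=status:ACTIVE --format='value(account)'
}

# Reads a scope list on stdin; returns 0 if Compute Engine API calls are
# permitted at the scope level (compute, compute.readonly or cloud-platform).
has_compute_scope() {
    grep -qE '^https://www\.googleapis\.com/auth/(compute|compute\.readonly|cloud-platform)$'
}

report() {
    echo "attached service account : $(instance_sa_email)"
    echo "gcloud active account    : $(active_gcloud_account)"
    if instance_sa_scopes | has_compute_scope; then
        echo "compute scope            : present (IAM role still required)"
    else
        echo "compute scope            : missing; compute calls will fail"
    fi
}

# Only produce the report when the metadata server is reachable.
if on_gce; then
    report
fi
```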
tprashanth
2 days ago
Thank you Matt