I cannot access it via SSH. From my console I enter the
valid command: gcloud compute --project " ssh --zone "" ""
But I keep having the following error message:
Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
- Then I did revoke the SSH: gcloud auth revoke --all
- Then I did: gcloud auth login
- Then tried to access the vm again with:
gcloud compute --project " ssh --zone """"
I got the following errors:
ERROR: (gcloud.compute.ssh) Could not fetch resource:
- Required 'compute.instances.get' permission for 'projects
Please Help.
Thanks
Permission denied (publickey).
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
This error seems to refer to some error with the SSH keys or an incomplete Linux Guest environment.
I'm wondering what the purpose of running gcloud auth revoke --all is.
Can you provide the output of the following commands?
$ gcloud compute instances describe name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project
$ gcloud compute instances get-serial-port-output name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project
$ gcloud compute firewall-rules list --project name-of-your-project
The commands can be helpful because:
- With this command we can check the state of the SSH keys on the instance and the scopes that are enabled in the instance (along with other info).
- This command provides the serial output log entries from the instance that can help troubleshoot the connection issues you're experiencing. Note that these logs are wiped after a reboot of the instance, so don't expect persistent logs here, but this info can be useful for your case.
- This command outputs the firewall rules within your project; there should be a default or curated firewall rule allowing TCP ingress traffic on port 22; if not, you'll need to create one.
Have you tried to SSH from the browser in incognito mode?
Sometimes, browser extensions can prevent the normal functioning of the SSH over the browser feature, that's why I recommend the incognito mode.
EDIT
In order to make this post useful (and easier to read) for the community I'm summarizing here some of the comments from below:
Error shown:
Could not fetch resource: - Required 'compute.instances.get' permission for 'projects//zones//instances/
What to do: Check the user roles/permissions
$ gcloud beta iam roles list --account your-account-here
> ---
> description: Full management of App Engine apps (but not storage).
> etag: AA==
> name: roles/appengine.appAdmin
> stage: GA
> title: App Engine Admin
> ---
> description: Ability to view App Engine app status.
> etag: AA==
> name: roles/appengine.appViewer
> stage: GA
> title: App Engine Viewer
From the output above: the user has only App Engine permissions (but not permissions in Compute Engine)
What to do: ask the project owner to add a role that grants the user access to the GCE instances (Instance Admin Role, Compute Admin Role)
List of the available roles here: cloud.google.com/compute/docs/access/iam#instance_admin_role
Required info, run 2 commands:
in order to check the log from the instance:
$ gcloud compute instances get-serial-port-output name-of-your-instance --zone zone-the-instance-is-in --project name-of-your-project
SeaBIOS (version 1.8.2-20180102_145157-google)
Total RAM Size = 0x000000006cc00000 = 1740 MiB
CPUs found: 1 Max CPUs supported: 256
found virtio-scsi at 0:3
virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0 removable=0
virtio-scsi blksize=512 sectors=20971520 = 10240 MiB
drive 0x000f2330: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=20971520
Booting from Hard Disk 0...
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.16.0-0.bpo.4-amd
to confirm there's a firewall rule allowing ingress traffic on port 22:
$ gcloud compute firewall-rules list --project name-of-your-project
NAME               NETWORK  DIRECTION  PRIORITY  ALLOW
default-allow-ssh  default  INGRESS    65534     tcp:22
From the output above the firewall rule allowing SSH traffic has priority 65534.
Priority is an integer from 0 to 65535, both inclusive.
Lower value of priority implies higher precedence.
In other words, 1 is higher priority than 2.
You can read this document for further explanation
Update the firewall rule to set a higher priority.
To do so run the command:
$ gcloud compute firewall-rules update --priority 1000 default-allow-ssh
Issue: I tried to SSH into the instance and I still got the same old error:
ssh: connect to host X.XX.XX.XX port 22: Operation timed out
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]
Check if the ssh service is running in the instance.
Run the following command to get the IP of the instance:
$ gcloud compute instances describe [NAME_OF_YOUR_INSTANCE] --format='get(networkInterfaces[0].accessConfigs[0].natIP)'
Install netcat, a computer networking utility for reading/writing to network connections:
$ sudo apt-get install netcat
Run the following command to check the output of the command:
$ nc [EXTERNAL_IP] 22
Issue: Nothing is returned from running nc [EXTERNAL_IP] 22
Check if the Linux Guest Environment is enabled in your instance.
To do so, you should add a startup script on the GCE instance.
To add the startup script to the instance:
- Click on the instance name
- Click on edit
- Go to the "custom metadata" section
- In the "Key" text field add: startup-script
- In the "Value" text field add:
#! /bin/bash
sudo systemctl list-unit-files | grep google | grep enabled
- Save the changes
More detailed info on startup scripts is also available.
Then restart the instance to allow the script to execute.
Verify that the Linux Guest Environment scripts are installed and running.
To do so, check the output of the startup script in the serial log console from the GCE instance.
You can check the expected outputs for the different Operating Systems.
If the Linux Guest Environment is not installed, re-install it.
You can follow this documentation to install the LGE.
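How the priority rule described above decides an ingress connection, as an added example that is not part of the original answer: lowest priority number wins, on a tie deny beats allow, and nothing matching falls to the implied ingress deny. The one-rule-per-line input format and the corp-deny-ssh rule are constructed for illustration and are not gcloud output.

```bash
#!/usr/bin/env bash
# Added example. Input is a constructed, simplified rule list (NOT gcloud output):
#   name direction priority action proto[:port] disabled

# Print "<action> <rule> <priority>" for the rule that decides an ingress
# connection to PROTO:PORT. Rules are read from stdin.
effective_action() {
  awk -v want="$1" '
    BEGIN { split(want, p, ":") }            # p[1] = protocol, e.g. "tcp"
    # Consider enabled ingress rules covering this port, the whole protocol, or all.
    $2 == "INGRESS" && $6 != "True" && ($5 == want || $5 == p[1] || $5 == "all") {
      prio = $3 + 0
      # Lower number = higher precedence; on a tie, deny beats allow.
      if (best == "" || prio < bestp || (prio == bestp && $4 == "deny")) {
        best = $1; bestp = prio; act = $4
      }
    }
    END {
      # No matching rule: the implied ingress deny (priority 65535) applies.
      if (best == "") print "deny", "implied-deny-ingress", 65535
      else print act, best, bestp
    }'
}

# Constructed rules: corp-deny-ssh is a hypothetical rule that outranks 65534.
RULES_BEFORE='default-allow-ssh INGRESS 65534 allow tcp:22 False
corp-deny-ssh INGRESS 2000 deny tcp:22 False
allow-http INGRESS 1000 allow tcp:80 False'

# Same list after: gcloud compute firewall-rules update --priority 1000 default-allow-ssh
RULES_AFTER=$(printf '%s\n' "$RULES_BEFORE" |
  sed 's/^default-allow-ssh INGRESS 65534 /default-allow-ssh INGRESS 1000 /')

printf 'before: %s\n' "$(printf '%s\n' "$RULES_BEFORE" | effective_action tcp:22)"
printf 'after:  %s\n' "$(printf '%s\n' "$RULES_AFTER" | effective_action tcp:22)"
```

With only the default rules present, moving default-allow-ssh from 65534 to 1000 changes nothing; it matters only when a rule in between denies tcp:22, and then it overrides that deny.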
I was getting the same error (Required 'compute.instances.get' permission for 'projects) and then I used the project id instead of the project name in the gcloud command and it worked.
I assigned the 'Compute Instance Admin' role to the user I used to log in with gcloud. This role includes the 'compute.instances.get' permission.
Check your list of firewalls with the gcloud compute command-line tool and ensure the default-allow-ssh rule is present. See troubleshooting-ssh
gcloud compute firewall-rules list
If the firewall rule is missing, add it
gcloud compute firewall-rules create default-allow-ssh --allow tcp:22
Output:
Creating firewall...⠧Created [https://www.googleapis.com/compute/v1/projects/marketstore/global/firewalls/default-allow-ssh].
Creating firewall...done.
NAME               NETWORK  DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
default-allow-ssh  default  INGRESS    1000      tcp:22        False