
Different username with oslogin enabled - clarification needed


I created a VM instance (Ubuntu 18.04) using the web interface. The Ubuntu username I was given was the same as the username part of the gmail address I am logged in with (project owner, no organisation): username.

I then enabled OS Login to be able to use a third party SSH client - specifically, I wish to be able to ssh username@external.ip from my local console.

With OS Login enabled, I used gcloud to upload an SSH key to my project’s metadata, after having logged in with that same gmail address again (following gcloud auth login). The username in that specific key is that same (full) gmail address. The output of the gcloud ssh-keys add command showed as username: username_gmail_com, rather than username.

I then found that I can only ssh using this new Ubuntu username: username_gmail_com. This new Ubuntu user has been created on my VM and logging in using the web interface also takes me to this new user.

When I disable OS Login again, I’m taken to the old username through the web interface. I can’t use the local ssh command (of course).

I can solve this discrepancy and the inconvenience it causes by creating a new VM while having OS Login enabled.

However, I’m looking for clarification:

  1. Why is the username different when enabling OS Login?
  2. Why user_gmail_com rather than just user?

I’d be grateful for an explanation.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

2 reactions
wbkoetsier commented, Nov 29, 2018

I’ve read both and from where I am now clarity has much improved. 👍

If a username is not set by a G Suite administrator, OS Login generates a default Linux username by combining the username and domain from the email associated with the user’s Google profile. This naming convention ensures uniqueness. For example, if the user email associated with the Google profile is user@example.com, then the generated username is user_example_com.

I would like to suggest adding to this text that the individual user is unable to change the default username. For example:

If a username is not set by a G Suite administrator, OS Login generates a default Linux username by combining the username and domain from the email associated with the user’s Google profile. For example, if the user email associated with the Google profile is user@example.com, then the generated username is user_example_com. This naming convention ensures uniqueness. The generated username is immutable.

(Feel free to change the wording if it’s inappropriate, English is not my native language. My aim was to use an active form, staying away from negative verbs such as “can’t”.)

While I’m at it, in the chapter “Configuring OS Login roles on user accounts”, bullet point 1: “Users must have the following roles:” the role “roles/iam.serviceAccountUser” is mentioned.

  • Using the web interface, I found this role under “Service Accounts”, not under “IAM”. Either this has recently changed but the docs are behind, or it’s just a minor difference in menu structure. Whichever it is, it should probably be mentioned.
  • Also, for “osLogin” role, 2 roles are proposed: osLogin and osAdminLogin. I found that under “Service Accounts”, I was offered “serviceAccountUser” as well as “serviceAccountAdmin”. Either this role could be added to the bullet point, or if it’s an inappropriate role this should probably be mentioned.

For bullet point 1, I suggest something like:

  1. One of the following service account roles:
    • roles/iam.serviceAccountUser, which [add short explanation here]
    • roles/iam.serviceAccountAdmin, which [add short explanation here]

  Note that when using the Google Cloud Platform Console, these roles can be found under Service Accounts.

Or:

  1. roles/iam.serviceAccountUser.

* Note: Do not set roles/iam.serviceAccountAdmin, because [a good reason].

I hope this helps. Either way, thanks for updating the docs.

1 reaction
illfelder commented, Jul 8, 2020

Please take a look at the public docs for Managing OS Login in an Organization for information on setting POSIX information for G Suite users. Please feel free to send feedback on any of the public docs if there are gaps in the information they provide.
