Your company requires that every SSH session to Compute Engine VMs be authorized through IAM and that sudo access be granted only when explicitly approved. A developer needs temporary root-shell access to a single VM for the next seven days to apply a hot-fix. Which approach best meets the security team's requirements while minimizing manual effort?
Add the developer's public SSH key to the instance metadata and delete the key after seven days.
Enable OS Login on the VM and add an IAM conditional binding that grants the developer the roles/compute.osAdminLogin role on that instance, expiring after seven days.
Enable IAP TCP forwarding for the VM and open TCP port 22 to the IAP proxy IP range; no additional IAM roles are required.
Grant the developer the roles/compute.instanceAdmin.v1 role at the project level so they can reset the root password through the console.
OS Login maps IAM identities to Linux accounts and records each login attempt in Cloud Logging. Granting the compute.osAdminLogin role lets the user connect through SSH and use sudo. Applying the role directly to the target instance with a time-bound conditional binding limits the scope and duration of elevated privileges, satisfying least-privilege and audit requirements. Adding SSH keys to metadata or manipulating passwords bypasses IAM-based authorization and creates unmanaged credentials. Granting project-wide roles or only enabling IAP does not restrict privileges to the single VM or guarantee sudo rights.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is OS Login and how does it work?
Open an interactive chat with Bash
How does IAM conditional binding work?
Open an interactive chat with Bash
What is the `roles/compute.osAdminLogin` IAM role, and why is it important?
Open an interactive chat with Bash
What is OS Login in GCP?
Open an interactive chat with Bash
What are IAM conditional bindings?
Open an interactive chat with Bash
What does the compute.osAdminLogin role provide?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Planning and implementing a cloud solution
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .