Managing cloud server users on Google Compute Engine (GCE)

In the past two years, a new major player in the world of Infrastructure-as-a-Service (IaaS) has emerged, demonstrating impressive adoption and subsequent growth in the sector. In June of 2012, Google launched it’s Google Compute Engine, a service which enables the rapid creation of virtual machines that range in size and scope from ephemeral test instances with nearly no workload, to large scale server infrastructure demanding industrial strength computing power.

As companies adopt more and often heterogeneous IaaS in addition to other “on-prem” device adoption (think Mac OS X now penetrating the enterprise), the management and provisioning of identity must be simplified, yet securely handled, across this infrastructure. In this brief article, we will discuss Google’s Compute Engine platform and provide a walk through of the rapid creation and deployment of users onto a VM.

What is Google Compute Engine (GCE)

GCE is a part of Google’s Cloud Platform and is an offering which enables Infrastructure-as-a-Service for end users—virtual machines hosting servers, load balancing, network infrastructure, security and more. It is analogous to Amazon’s Elastic Cloud Computing platform or EC2. GCE is built upon the same infrastructure used to host and support their own global product offerings such as Gmail and YouTube.

GCE provides the ability for virtual machine creation, monitoring, and management. These VM’s can be ephemeral or static, enabling both stable server infrastructure and hosting, to quick instance creation for development and testing purposes where the server can be “thrown away.” Currently, GCE supports Linux instances of the following flavors:

• Debian 7
• CentOS 6 & 7
• CoreOS
• OpenSUSE 13.x
• Red Hat Enterprise and Red Hat Enterprise Server
• SUSE Linux Enterprise Server 11 & 12
• NVMe Optimized Debian
• Microsoft Windows Server 2008 (2012 coming soon at time of writing)

GCE users may also create virtual machines utilizing custom images.

Accessing Google Compute Engine

The Google Compute Engine platform can be accessed and operated in a variety of ways. Users of the management console will authenticate via OAuth (2.0). The platform itself can be accessed via the development console, through its RESTful API or finally through SSH and its command line interface. JumpCloud will enable users to deploy agents directly on these GCE instances, providing a secure connection to the JumpCloud Administrative Console to perform operations described below in detail.

JumpCloud and Google Compute Engine

JumpCloud provides a Directory-as-a-Service™, or DaaS, to provide authentication, authorization, and overall management of users and IT resources they require access to such resources as applications or servers managed on Google Compute Engine. DaaS provides myriad services for sysadmins to simplify management chores and operations to increase efficiency, bolster security, and make all on premise infrastructure (e.g., servers, desktops, laptops) or IaaS (for example, AWS, GCE) “feel” the same. A list of these general areas of functionality JumpCloud provides for GCE administrators follows:

User Management

Use JumpCloud to easily create, deploy, and manage users to Google Compute Engine infrastructure. JumpCloud DaaS allows admins to:

• Add, edit, or delete users to servers quickly and easily
• Provision administrative functions such as sudo and public keys for each user
• Create and manage UID and GID for users across all infrastructure
• End-user self management through JumpCloud user console

System Management

Use JumpCloud to manage Google Compute Engine instances side-by-side with other on-premise, or IaaS servers, from a single interface.

• Manage all servers and workstations across OS’s from a single console
• Manage Public Key settings and authentication
• Enable Multi-Factor Authentication (Linux)
• Control SSH root login

Command Execution

JumpCloud lets you run commands across any number of servers (Windows or Linux) or tags in parallel, get back command results (including stdout, stderr, and exit code), schedule commands without the pain of cron, and much more.

LDAP Support

JumpCloud’s hosted LDAP solution offers organizations a simple, efficient alternative to hosting and managing their own LDAP solution. JumpCloud provides a single, central directory that can be leveraged across an entire enterprise by multiple devices, applications, and users. Users can be populated in the central user store and hosts such as Linux on GCE or IT applications can easily pointed to JumpCloud’s secure LDAP endpoint.

A Step-by-Step Walk-Through:

Creating and Provisioning a User on GCE with JumpCloud.

In order to complete these steps, you must first sign up for the DaaS service, and be signed up with GCE, at www.jumpcloud.com. There is no obligation to buy anything because JumpCloud charges on a per-managed-user basis and provides the first 10 users of the directory—free. Further, we’ll assume you have already created a virtual Linux machine on GCE for testing these steps.

Installing the JC-Agent on a GCE instance.

To install the JC-Agent no your GCE instance, follow these simple steps:

• Installation of the agent—In JumpCloud, proceed to the “Systems” tab and select “Add System” as seen below.

• Select Linux option and copy the Agent code to your clipboard. This is unique to you and your organization.

• In GCE, open up an SSH window and simply deploy and run the script as you see here:

• The script will run and complete by downloading and starting the agent. Please be sure to review the supported OS version document here before proceeding.

Creating a User in JumpCloud

With the Agent deployed on the Linux instance, it is time to create users.

• Proceed to the Users pane of the product and select “Add User.”
• Simply input the user metadata as you see here (or as desired) and select the option for sudo and other administrative capabilities.

• Click Add User when complete.

Activating the User

With the user created, and email is sent to the address the sysadmin input upon creation and this user must activate the account. The user will not be deployed until this step is completed.

• Finalize account creation:

• Optional steps to enable MFA (for Linux):

Associating the User with the VM in JumpCloud

With the system now registered and the user created in JumpCloud, the “association” of these two objects will establish the user on that instance. This is done through JumpCloud’s “Tag” system, much like other directories “Grouping” mechanism.

• Proceed to JumpCloud’s Tag page and select “Add Tag.”
• Create a logical grouping “tag” and associate the user(s) to the system(s) they need access to. In this example, I’ve created a “Service Accounts” tag/group to deploy my “testuser” on the GCE CentOS VM:

• Click Add Tag when done and the user will be deployed to the instance.

Confirming the user on the GCE VM:

• Using the SSH console in the GCE dashboard, run one of the various commands to list users, such as this one listing all users with a home directory:

cat /etc/passwd | grep /home | cut -d: -f1

Using JumpCloud with Google Compute Engine is efficient and simple, requiring minimal knowledge of the GCE platform as it acts as an abstraction layer across any virtualized or physical on-premise infrastructure. The example above was for one operation (creating and provisioning a user to a GCE VM) but JumpCloud’s depth of operations spans myriad chores, saving countless hours of repetitive and potentially error prone tasks.

Please visit www.jumpcloud.com today or reach us at [email protected] to discuss how Directory-as-a-Service™ can simplify user management on Google Compute Engine.