Impersonating service account principal for SSH login in Linux IAP

Hi, I use IAP to ssh into our instances. Is it possible to login into Linux as a service account principal that is not mine? I’ve tried impersonation but it still uses my own id instead of the service account that’s impersonated. My goal is to have a shared service account that users can impersonate, So we can remove specific users from the list of who is allowed to access VM. And also to avoid having many home folders in the instances. Is that possible? Am I thinking about this wrong?

IIRC, you can just specify whatever username you want it to be on the target system on the command line

```
[...]
foouser@xyz ~ $ whoami
```

https://stackoverflow.com/questions/43565660/gce-different-username-if-i-use-ssh-or-log-in-from-terminal

Not sure if that is exactly your use case, but I think it's the same idea… basically, the calling user doesn’t need to use impersonation, just has to have the permissions to ssh to the instance or to instances in the project, and the actual target username to use on the target system is totally unconnected to IAM permissions

Thanks! I also just discovered now that user@instance is a thing. It works, but now I would like to force the use of that user only and block all others. Is that more a Linux thing?

Yeah, not sure if there’s a way to allow / disallow this at GCP level (tend to assume not), but I’m not 100% sure how the auto-adding / provisioning of users works.

Setting AllowUsers / AllowGroups etc. in the sshd_config will be at least one way to do this. Just be careful not to lock yourself out
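As an added example (not from this thread, and not GCP or OpenSSH project code): a small POSIX sh pre-flight check for the "don't lock yourself out" part. It reads an sshd_config, applies the DenyUsers / AllowUsers rules to a candidate login name the way sshd evaluates them (deny list first, then allow list, with `*`/`?` wildcards), and refuses to continue if the account you are currently logged in with would no longer be accepted. The config content is constructed for the example; AllowGroups / DenyGroups and Match blocks are assumed not to be in use and are not evaluated (processing stops at the first Match line), and a `user@host` pattern is matched on its user part only.

```shell
#!/bin/sh
# Added example: pre-flight check for AllowUsers/DenyUsers changes.
# Assumptions: no group rules, no Match blocks, user@host patterns are
# matched on the user part only.

# Return 0 if name $1 matches any space-separated glob pattern in $2.
match_any() {
    name=$1
    set -f                      # keep "*" in patterns from globbing files
    for pat in $2; do
        pat=${pat%%@*}          # "user@host" -> "user" (simplification)
        case $name in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Print the accumulated values of every "$2" keyword line in config $1.
# Comments are skipped and parsing stops at the first Match block, since
# rules inside Match are conditional and not evaluated here.
collect() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# Return 0 if user $2 passes the DenyUsers then AllowUsers checks in $1.
# sshd checks DenyUsers first; if any AllowUsers line exists, only names
# matching one of its patterns are accepted.
login_allowed() {
    deny=$(collect "$1" DenyUsers)
    allow=$(collect "$1" AllowUsers)
    if [ -n "$deny" ] && match_any "$2" "$deny"; then
        return 1
    fi
    if [ -n "$allow" ] && ! match_any "$2" "$allow"; then
        return 1
    fi
    return 0
}

# Constructed sample: the shared service login is the only name accepted.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config fragment constructed for this example
PasswordAuthentication no
DenyUsers root
AllowUsers svc-shared
EOF
}

# Run this before reloading sshd with a new config: it fails unless the
# account you are currently using would still be allowed to log in.
# (Also run "sshd -t -f <file>" for a syntax check; omitted here so the
# script does not depend on sshd being installed.)
preflight() {
    cfg=$1
    me=$(id -un)
    if login_allowed "$cfg" "$me"; then
        echo "ok: $me is still allowed by $cfg"
        return 0
    fi
    echo "refusing: $me would be locked out by $cfg" >&2
    return 1
}

# Stand-alone demo: ./check.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo_cfg=${TMPDIR:-/tmp}/sshd_config.example.$$
    write_sample_config "$demo_cfg"
    for u in svc-shared alice root; do
        if login_allowed "$demo_cfg" "$u"; then
            echo "$u: allowed"
        else
            echo "$u: refused"
        fi
    done
    preflight "$demo_cfg"
    rm -f "$demo_cfg"
fi
```

Run it with `--demo` to see the three sample names evaluated, then point `preflight` at the real candidate file before you reload sshd. Keeping the session you edited from open until a second login succeeds is still the cheapest insurance.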