Issue
Issue Summary
Despite enforcing the constraints/compute.disableSshInBrowser policy in our Google Cloud Platform (GCP) organization, I am encountering unexpected behavior where SSH-in-browser access to instances is still possible. This policy is intended to disable the SSH-in-browser tool in the Cloud Console, and it is correctly applied and active on the relevant projects.
Detailed Description
The organization policy constraints/compute.disableSshInBrowser is set to enforce the restriction of SSH access via the browser. This policy, when enforced, should ideally disable the SSH-in-browser button in the Cloud Console, making it impossible to initiate SSH sessions in this manner. However, I have observed that despite this policy being active and correctly set up in our GCP organization, it is still possible to initiate SSH sessions to instances via the browser.
Steps to Reproduce
- Confirm that constraints/compute.disableSshInBrowser is enforced in the organization policy.
- Navigate to the Cloud Console.
- Attempt to initiate an SSH session to an instance via the SSH-in-browser tool.
- Observe that the session is successfully established despite the policy.
Expected Behavior
With the constraints/compute.disableSshInBrowser policy enforced, any attempts to use the SSH-in-browser tool should be blocked, and the SSH-in-browser button in the Cloud Console should be disabled.
Actual Behavior
The SSH-in-browser tool remains accessible, and SSH sessions can be initiated despite the policy being enforced.
Impact
This issue poses a significant security concern, as it allows for SSH access methods that the organization's policy explicitly intends to restrict. It undermines the policy enforcement mechanism in GCP and potentially exposes the organization to unauthorized access risks.
Additional Information
- The policy is confirmed to be in an enforced state.
- This issue has been replicated across multiple projects within the organization.
- No exemptions have been set for any projects or instances that could override this policy.
Request
I am seeking assistance from the GCP community to understand the root cause of this issue and to find a solution to ensure that the constraints/compute.disableSshInBrowser policy is effectively enforced across all applicable projects in our organization.
Solution
SSH Browser is still accessible even if the policy constraints/compute.disableSshInBrowser is enabled because disableSshInBrowser was introduced for a few customers to comply with data sovereignty requirements as a temporary measure, but it has now been deprecated, and currently there is no way to disable SSH in the browser.
Also, this is a known issue that multiple customers have already faced, and the issue has been raised in PIT. It seems the team is working on this issue. You can follow this public issue tracker for further updates on this issue.
Answered By - Fariya Rahmat Answer Checked By - Marilyn (WPSolving Volunteer)