GCE: OS login without domain suffix name

I am a Google Workspace user using Google Compute Engine. When I enabled OS Login for our project, the login username changed to username_with_domain_suffix.

Now I would like to change my login username to one without the domain_suffix, so I tried to modify the username via the Directory API by updating the username in the posixAccount section.

Currently I am granted the groups admin and user management admin roles in Google Workspace. I could get my account information from the users.get API site ("Try this method" section), but got an error 403 ("Not Authorized to access this resource/api") response when I sent an update request from the users.update API site ("Try this method" section). The Admin SDK API is enabled in our GCP project. How can I update our GCE login username? Possibly the super admin role is required to send the update request? Any comments will be appreciated, thanks!


As per the document about 'User account configuration' for OS Login, Cloud Identity administrators can modify usernames and Google Workspace organization administrators can change the username format to remove the domain suffix. If you are having trouble as a Google Workspace Administrator, you may need to seek additional assistance from the 'Google Workspace' team by following their support page, which is provided here.

However, for changing the username after setting up OS Login, I would also recommend that you make sure OS Login is set up correctly. The OS Login setup requires specific roles to be granted in order to access a VM instance. For more information about how OS Login works, you may need to refer to this document, as it contains comprehensive insight and details about various access methods (including OS Login) for accessing Linux virtual machine (VM) instances running on Google Cloud. As you are probably aware, the help center article about 'Modifying user accounts using the Directory API' shows in detail how different account properties can be modified, and it can be very helpful to you as well.

I hope the above mentioned information was helpful to you. 



Thanks @IkramSara. Regarding your comment, our workspace super admin already checked off the 'Include the domain suffix in usernames generated by the OS Login API' checkbox in the Google Admin Console, but our username still contains the domain_suffix. I will ask about the Directory API error 403 on the Google Workspace Administrator support page.

By reading the information available under the OS login API, I believe you could only change the domain_suffix of a newly created user name. Therefore, I suspect the user names which are already there are immutable.

I am also not sure whether the disabling of domain suffixes is a good practice. The reason for my suspicion is that I have seen a discussion thread on github.com where they have recommended keeping the domain suffixes to keep the uniqueness of the user account. 

As per the discussion, disabling the domain suffix increases the likelihood of username collisions if you have users (with the same name) with Google identities from different domains (for example username@domain1.com and username@domain2.com) connecting to the same GCE VMs. The default behavior (with the help of domain name suffixes) eliminates this behavior and makes it easier for you to track the activity of individual users with the same name while accessing the GCE VM.

I know your use-case might be different, but I would strongly recommend you to be careful while updating the user account configuration.

Thanks for your recommendation. It is reasonable, and I can understand that a disabled domain_suffix increases the probability of username collision. I will consider carefully whether I should change the configuration or not.
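
The collision risk raised in the replies above can be checked before changing the setting. The following is an added example, not part of the original thread and not Google's code: it takes a list of identities and reports which POSIX usernames would be shared with and without the domain suffix. The function names, the sample identities and the sanitisation rule (anything outside `[a-z0-9]` becomes `_`) are assumptions made for illustration.

```python
import re
from collections import defaultdict


def oslogin_username(email, include_domain_suffix=True):
    """Approximate the POSIX username OS Login derives from an email address.

    Assumption: characters outside [a-z0-9] become underscores, giving the
    user_example_com form. Usernames set explicitly through the Directory API
    (posixAccount section) are not modelled here.
    """
    local, sep, domain = email.strip().lower().partition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {email!r}")
    base = f"{local}_{domain}" if include_domain_suffix else local
    return re.sub(r"[^a-z0-9]", "_", base)


def find_collisions(emails, include_domain_suffix):
    """Return {username: [identities]} for usernames shared by >1 identity."""
    by_name = defaultdict(set)
    for email in emails:
        name = oslogin_username(email, include_domain_suffix)
        by_name[name].add(email.strip().lower())
    return {n: sorted(ids) for n, ids in by_name.items() if len(ids) > 1}


# Constructed sample identities (reserved example domains, not real accounts).
SAMPLE_IDENTITIES = [
    "alice@example.com",
    "alice@example.org",
    "bob@example.com",
    "carol.ng@example.org",
]

if __name__ == "__main__":
    for suffix in (True, False):
        hits = find_collisions(SAMPLE_IDENTITIES, suffix)
        print(f"include_domain_suffix={suffix}: {len(hits)} colliding username(s)")
        for name, ids in sorted(hits.items()):
            print(f"  {name} <- {', '.join(ids)}")
```

Feeding it an export of the identities that are granted OS Login roles on the project shows whether removing the suffix would make two people indistinguishable in VM login and audit records.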