When OS Login is enabled, and a user is granted access by having either the "Compute OS Login" or "Compute OS Admin Login" roles, they can run sudo.
In my experience, the per-user sudoers file always has this permission:
# cat /var/google-sudoers.d/first_last_example_com
first_last_example_com ALL=(ALL) NOPASSWD: ALL
Is it possible to customize these permissions or even disable sudo completely for a specific user or group?
A user with the role roles/compute.osLogin should be able to log in but should not be able to run sudo. The role roles/compute.osAdminLogin is required to log in and use sudo.

Double-check the IAM roles you have assigned to users. There are roles that include roles/compute.osAdminLogin, so you might be granting admin rights without realizing it. If the user has the primitive roles/owner or roles/admin role, or if they have roles/compute.instanceAdmin, these roles already include instance access roles with administrator permissions.

Google Compute Engine supports startup scripts. You can remove users in the google-sudoers group by adding the following script.