OSConfigAgent Error main.go:88: context deadline exceeded

I set up a GCP project and the VMs in it use OS policies for configuration management. This works great with the default service account that's created with my GCE project. Now I want to have a distinct service account and use it for the VMs that have a dedicated function. I created a new service account and made it a "Viewer" of the project during the second step of SA creation. The VMs can still be created with this service account assigned via the `--service-account` flag. Unfortunately, the VMs can't be configured via project policies. I see these entries in `/var/log/messages` instead:

```
Mar 29 22:25:33 snps2 OSConfigAgent[1016]: 2024-03-29T22:25:33.0585Z OSConfigAgent Error main.go:88: context deadline exceeded
Mar 29 22:31:33 snps2 OSConfigAgent[1016]: 2024-03-29T22:31:33.0614Z OSConfigAgent Error main.go:88: context deadline exceeded
```

So clearly, some roles are missing for this account, but I can't figure out what they are. Where's the list of roles documented?

1 ACCEPTED SOLUTION

Hi @gnezdo,

Welcome to the Google Cloud Community!

Does the impacted VM have an external IP?

Thank you.

I feel bad now. I was confused about the configuration of two similar VMs, one of which does have an external IP. I just realized that the other one that I was trying to set up did not have access to the internet. Now that I enabled external network access, the OS config policy is working. I guess my question becomes what minimal level of external network connectivity is required for osconfig to work, but that's a separate issue.

The answer to my "minimal network access" question is likely:

If your VM is running within a private VPC network and does not have public internet access, check that you have enabled Private Google Access.

According to the docs.

Glad it worked! 🙂

Yes, it does have an external IP assigned.

Can you please apply the roles roles/osconfig.osPolicyAssignmentAdmin, roles/osconfig.osPolicyAssignmentEditor, and roles/osconfig.osPolicyAssignmentViewer to the service account [1]? The Admin role has all the permissions of the Editor and Viewer, but you can try applying them all just for testing purposes.

  • OSPolicyAssignment Admin (roles/osconfig.osPolicyAssignmentAdmin). Contains permissions to create, delete, update, get and list OS policy assignments.
  • OSPolicyAssignment Editor (roles/osconfig.osPolicyAssignmentEditor). Contains permissions to update, get, and list OS policy assignments.
  • OSPolicyAssignment Viewer (roles/osconfig.osPolicyAssignmentViewer). Contains permissions for read-only access to get and list OS policy assignments.

[1]. https://cloud.google.com/compute/docs/os-configuration-management/manage-os-policy

These permissions don't seem to be required. The service account only has roles/viewer now and that's enough for osconfig to work (though maybe too much).

Thanks @lawrencenelson. I don't think this worked. Despite having the roles listed below I'm still seeing the original error `Error main.go:88: context deadline exceeded` on the newly created VM:


```
$ gcloud projects get-iam-policy PROJECT --format json | grep -B 1 -A 2 "serviceAccount:vendor"
"members": [
  "serviceAccount:vendor-vm@PROJECT.iam.gserviceaccount.com"
],
"role": "roles/osconfig.osPolicyAssignmentAdmin"
--
"members": [
  "serviceAccount:vendor-vm@PROJECT.iam.gserviceaccount.com"
],
"role": "roles/osconfig.osPolicyAssignmentEditor"
--
"members": [
  "serviceAccount:vendor-vm@PROJECT.iam.gserviceaccount.com"
],
"role": "roles/osconfig.osPolicyAssignmentViewer"
--
"members": [
  "serviceAccount:vendor-vm@PROJECT.iam.gserviceaccount.com"
],
"role": "roles/viewer"
```
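An added example (not part of the original thread, and not Google's tooling): instead of grepping the JSON with fixed context lines, parse the policy and list every role bound to the service account, singling out basic roles such as `roles/viewer`. The policy document is a constructed sample shaped like the output above; the function names and the `audit.py` file name are hypothetical.

```python
import json
import sys

SA = "serviceAccount:vendor-vm@PROJECT.iam.gserviceaccount.com"  # placeholder from the post

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"members": [SA], "role": "roles/osconfig.osPolicyAssignmentAdmin"},
        {"members": [SA], "role": "roles/osconfig.osPolicyAssignmentEditor"},
        {"members": [SA], "role": "roles/osconfig.osPolicyAssignmentViewer"},
        {"members": ["user:admin@example.com", SA], "role": "roles/viewer"},
        {"members": ["user:admin@example.com"], "role": "roles/owner"},
    ],
    "version": 1,
})

# Basic roles apply project-wide; they are the first candidates to replace
# with narrower predefined roles on a single-purpose VM service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_for_member(policy_json, member):
    """Return the sorted roles whose bindings list `member` exactly."""
    policy = json.loads(policy_json)
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    )


def audit_member(policy_json, member):
    """Summarise a member's roles and single out any basic roles."""
    roles = roles_for_member(policy_json, member)
    return {"member": member, "roles": roles,
            "basic_roles": [r for r in roles if r in BASIC_ROLES]}


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   gcloud projects get-iam-policy PROJECT --format json | python3 audit.py MEMBER
    if len(sys.argv) > 1:
        report = audit_member(sys.stdin.read(), sys.argv[1])
    else:
        report = audit_member(SAMPLE_POLICY, SA)
    print(json.dumps(report, indent=2))
```

Unlike `grep -B 1 -A 2`, this still finds the account when a binding lists several members, as the `roles/viewer` binding in the sample does.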

Hi @gnezdo,

Can you please run through this document and check for a possible misconfiguration in your setup - Verifying VM Manager setup

Another possible cause of this issue is that you have Secure Boot on. You may try turning it off by:

1. Stop the VM
2. Turn off Secure Boot

3. Start the VM
4. Connect to the VM