DEV Community

Latchu@DevOps
Part-39: 🔐 GCE VM Authentication in Google Cloud Platform


When working with Google Compute Engine (GCE), secure authentication is essential for accessing and managing your Virtual Machines (VMs). Depending on whether you’re running a Windows VM or a Linux VM, the authentication method differs.


🟦 Windows VMs – Username and Password

For Windows virtual machines:

  • Authentication is done using a username and password.
  • You can either:
    • generate credentials using the Google Cloud Console, or
    • set/reset the Windows password via the gcloud CLI.
  • Once the credentials are ready, you connect using RDP (Remote Desktop Protocol).

👉 Suitable for administrators who manage Windows workloads with a familiar RDP login experience.


🟩 Linux VMs – Key-based SSH Authentication


For Linux virtual machines:

  • Authentication is done via SSH keys.
  • You can:
    • generate an SSH key pair (ssh-keygen) and upload the public key to the VM’s metadata, or
    • let GCP manage SSH keys for you automatically when you connect from the Console or with gcloud compute ssh.
  • This provides strong cryptographic authentication without relying on passwords.

👉 This is the default and recommended method for Linux workloads in Google Cloud.


GCE Linux VMs - SSH Authentication Options

Option-1: Google Cloud Console – SSH Button


  1. SSH to the VM instance from the web-based (browser) SSH client
  2. Compute Engine generates ephemeral SSH keys for the connection
  3. Your private SSH key is stored in your browser session
  4. Google doesn’t have access to your private key

Option-2: gcloud CLI

  1. Compute Engine creates a username and a persistent SSH key pair
  2. We can reuse the same SSH key pair for future connections with the gcloud CLI



Step-01: Introduction

  • Metadata-managed SSH connections
    • Automatically configured at project level: temporarily grant a user access to an instance (this is what we have used so far)
    • Manually managing SSH keys in metadata: generate SSH keys and upload them to the project metadata
    • Instance-level public SSH keys
  • OS Login-managed SSH connections (Google recommended)
  • In this section, we focus on the automatically configured, project-level option

Step-02: Create a VM Instance

# Set Project
gcloud config set project PROJECT_ID
gcloud config set project gcpdemos

# Create VM Instance
gcloud compute instances create vm1 \
  --zone=us-central1-a \
  --machine-type=e2-micro \
  --network-interface=subnet=default \
  --tags=http-server \
  --metadata-from-file=startup-script=webserver-install.sh 

Step-03: Connect to VM instance using Open in New browser window

  • Go to Compute Engine -> Virtual Machines -> VM Instances -> VM1 -> SSH -> Open in new browser window
  • Review Compute Engine -> Settings -> Metadata -> SSH Keys
  • What happens during this process?
  1. By default, Google Compute Engine uses custom project and/or instance metadata to configure SSH keys
  2. If we use OS Login, metadata SSH keys are disabled.
  3. This is the option we have been using so far, so let's understand it in detail.
  4. Go to Compute Engine -> Settings -> Metadata -> SSH Keys
  5. Observation-1: Each entry shows a username and public key together with an expiration date.
  6. Observation-2: The username is the user we logged in to the Google Cloud Console with, trimmed of the @domain.com part (example: for devops.samira@gmail.com the Username field will show devops.samira)
  7. Your public and private SSH keys are stored in your browser session.
  8. Your SSH key has an expiry of five minutes. Five minutes after Compute Engine creates the key, you can't use it to connect to the VM anymore.
  9. Compute Engine uploads the public SSH key and username to metadata.
  10. Compute Engine retrieves the SSH key and username from metadata, creates a user account with that username and public key, and stores the public key in the user's ~/.ssh/authorized_keys file on the VM.
  11. Compute Engine allows the connection

Step-03: Create new Username for automatic Metadata-Managed SSH Connection approach

  • Go to Compute Engine -> VM Instances -> vm1 -> SSH -> Open in Browser Window
  • Go to newly opened SSH Browser Window -> Settings -> Change Linux Username -> kalyanreddy -> Click on Change

  • Observation:
    • New SSH keys will be generated in the browser session for user demouser1
    • We will re-login with the new user demouser1

  • Review Compute Engine -> Settings -> Metadata -> SSH Keys

Step-04: SSH Connect to Linux VM using gcloud in Cloud Shell

  • Go to Compute Engine -> Virtual Machines -> VM Instances -> vm1 -> SSH -> View gcloud command
# Set GCP Project
gcloud config set project <PROJECT-ID>
gcloud config set project gcpdemos

# Connect to VM using gcloud in Cloud Shell
gcloud compute ssh --zone "us-central1-a" "vm2" --project "gcpdemos"

Option-3: Customized Keys - Metadata managed


  • Generate SSH public and private key using ssh-keygen
  • Upload public SSH key to project-level metadata or instance-level ssh keys
  • Using the private SSH key on our desktop we can SSH to the Linux VM with third-party tools like PuTTY or the ssh command

SSH Keys - Project Level Metadata

Step-01: Create SSH Keys Manually - Public and Private Key

# Switch Directory
cd ssh-keys

# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-custom -C sshcustomuser1

# File Names
# SSH Private Key: ssh-keys-custom
# SSH Public Key: ssh-keys-custom.pub

# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-custom

# Copy content from ssh-keys-custom.pub
cat ssh-keys-custom.pub

Step-02: Upload Custom SSH Public Key and Username to GCP Project Metadata

  • Go to Compute Engine -> Metadata -> SSH Keys -> Edit
  • Click on Add Item
  • Copy content of file ssh-keys-custom.pub to text box, automatically username will be populated, and click on Save
  • Refresh browser to see sshcustomuser1 public key present in Metadata.

Step-03: Connect using your Local Desktop Terminal

# Connect from MacOS / Windows10 CMD line
cd ssh-keys
ssh -i ssh-keys-custom <USER-FROM-SSH-KEYS>@<VM-Public-IP>
ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153

SSH Keys - Instance Level Metadata

Step-01: Create SSH Keys Manually - Public and Private Key

# Switch Directory
cd ssh-keys

# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-instance-level -C sshinstanceleveluser1

# File Names
# SSH Private Key: ssh-keys-instance-level
# SSH Public Key: ssh-keys-instance-level.pub

# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-instance-level

# Copy content from ssh-keys-instance-level.pub
cat ssh-keys-instance-level.pub

Step-02: Upload Custom SSH Public Key and Username to VM Instance

  • Go to Compute Engine -> VM Instances -> vm1 -> Edit
  • SSH Keys
    • Block Project-wide SSH Keys: check the box (enable it)
    • Click on Add Item and paste the content of ssh-keys-instance-level.pub:

ssh-rsa <PUBLIC-KEY-FROM-ssh-keys-instance-level.pub> sshinstanceleveluser1

  • Click on SAVE

Step-03: Connect using your Local Desktop Terminal

# Connect from MacOS / Windows10 CMD line
cd ssh-keys
ssh -i ssh-keys-instance-level sshinstanceleveluser1@104.198.236.153

Step-04: Connect using Project Level SSH Keys - Custom

  • Observation: Because we enabled the Block Project-wide SSH Keys option at the VM instance level, the project-level SSH key is rejected with Permission denied
# Connect from MacOS / Windows10 CMD line - Project Level Custom SSH Key from previous demo
cd 04-02-SSHKeys-Project-Level-Metadata/ssh-keys
ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153

# Sample Output
latchu:ssh-keys-custom kalyanreddy$ ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153
sshcustomuser1@104.198.236.153: Permission denied (publickey).
latchu:ssh-keys-custom devops$ 
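As an added example (not code from the post or from Google), the Python below models what the Console form hides in the project-level and instance-level steps above: the USER:KEY format of the ssh-keys metadata field, the google-ssh {...} expiry suffix behind the expiration dates seen in Observation-1, and how instance keys, project keys and the Block Project-wide SSH Keys setting combine into a VM's authorized users, reproducing the Permission denied outcome of Step-04. All key values are constructed placeholders, and the merge rule mirrors the documented behaviour rather than the guest agent's own code.

```python
import json
from datetime import datetime, timedelta, timezone

# One ssh-keys metadata line: USERNAME:KEYTYPE KEY [COMMENT | google-ssh {"userName":..,"expireOn":..}]
EXPIRE_FMT = "%Y-%m-%dT%H:%M:%S%z"   # expireOn format, e.g. 2024-01-01T12:05:00+0000

def format_entry(username, pubkey_line, expire_on=None):
    """Turn a .pub file line into an ssh-keys entry, optionally with an expiry."""
    key_type, key_blob = pubkey_line.split()[:2]              # drop the .pub comment
    if expire_on is None:
        return f"{username}:{key_type} {key_blob} {username}"
    meta = {"userName": username,
            "expireOn": expire_on.astimezone(timezone.utc).strftime(EXPIRE_FMT)}
    return f"{username}:{key_type} {key_blob} google-ssh {json.dumps(meta, separators=(',', ':'))}"

def parse_entries(metadata_value, now):
    """Return {username: [key, ...]} for every entry that has not expired at `now`."""
    keys = {}
    for line in metadata_value.splitlines():
        if ":" not in line:
            continue                                           # blank or malformed line
        username, key = line.strip().split(":", 1)
        if " google-ssh " in key:
            key, meta_json = key.split(" google-ssh ", 1)
            if datetime.strptime(json.loads(meta_json)["expireOn"], EXPIRE_FMT) <= now:
                continue                                       # expired: the guest agent ignores it
        keys.setdefault(username, []).append(key.strip())
    return keys

def effective_authorized_keys(project_value, instance_value, block_project_keys, now):
    """Merge like the guest agent: instance keys always apply, project keys only
    while block-project-ssh-keys is not TRUE on the instance."""
    merged = parse_entries(instance_value, now)
    if not block_project_keys:
        for user, user_keys in parse_entries(project_value, now).items():
            merged.setdefault(user, []).extend(user_keys)
    return merged

# Constructed sample data with placeholder key blobs, not real keys.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
PROJECT_SSH_KEYS = "\n".join([
    "sshcustomuser1:ssh-rsa AAAAB3-PROJECT-KEY sshcustomuser1",
    # Option-1 browser-session key created 6 minutes ago; its 5-minute lifetime is over
    format_entry("devops_samira", "ssh-rsa AAAAB3-EPHEMERAL-KEY browser", NOW - timedelta(minutes=1)),
])
INSTANCE_SSH_KEYS = "sshinstanceleveluser1:ssh-rsa AAAAB3-INSTANCE-KEY sshinstanceleveluser1"

if __name__ == "__main__":
    for block in (False, True):   # same VM, without and with Block Project-wide SSH Keys
        print(block, sorted(effective_authorized_keys(PROJECT_SSH_KEYS, INSTANCE_SSH_KEYS, block, NOW)))
```

An entry produced by format_entry can be written to a file and uploaded with gcloud compute project-info add-metadata --metadata-from-file ssh-keys=FILE instead of the Console form.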

Step-05: Clean-Up

  • Delete Project level metadata
  • Delete Project level SSH keys
  • Delete Instance level metadata related to SSH keys

Option-4: OS Login managed


Set the below Key value pair in Compute Engine Metadata

  • Key: enable-oslogin
  • Value: TRUE

We can access the VM instance using

  • SSH Button using browser
  • Using gcloud ssh command

Step-01: Enable OS Login at Project Level

  • Go to Compute Engine -> Metadata -> Edit
  • Click on Add item
  • Add the following

key: enable-oslogin
value: TRUE

  • Click on SAVE

Step-02: Connect to VM Instance using SSH

  • Go to Compute Engine -> VM Instances -> vm1 -> SSH -> Open in new browser window
  • Primary difference - username format: username_domain_com, i.e. the user's complete email address including the domain, with the @ and dots replaced by underscores

Step-03: Connect to VM Instance using Cloud Shell gcloud ssh command

Go to Compute Engine -> VM Instances -> vm1 -> SSH -> View gcloud command

# Connect to VM using gcloud in Cloud Shell
gcloud compute ssh --zone "us-central1-a" "vm1" --project "gcpdemos"

Option-5: Customized Keys - OS Login managed

  • Generate SSH public and private key using ssh-keygen
  • Add public SSH key to the google cloud account
  • Using the private SSH key on our desktop we can log in (ssh) to the Linux VM with third-party tools like PuTTY or the ssh command

Step-01: Enable OS Login at Project Level

  • Go to Compute Engine -> Metadata -> Edit
  • Click on Add item
  • Add the following

key: enable-oslogin
value: TRUE

  • Click on SAVE

Step-02: Generate SSH Keys using Cloud Shell

# Connect to Cloud Shell
# Go to -> Cloud Shell

# Set Project
gcloud config set project [PROJECT_ID]

# Create and switch to a working directory
mkdir ssh-oslogin
cd ssh-oslogin

# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-oslogin -C latchudevops

# File Names
# SSH Private Key: ssh-keys-oslogin
# SSH Public Key: ssh-keys-oslogin.pub

# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-oslogin

Step-04: Add Custom SSH Public Key to OS-Login user profile

# List SSH Keys (Before Adding)
gcloud compute os-login ssh-keys list

# Use the gcloud command-line tool to associate public SSH keys with an account.
gcloud compute os-login ssh-keys add \
    --key-file=KEY_FILE_PATH \
    --ttl=EXPIRE_TIME

gcloud compute os-login ssh-keys add \
    --key-file=ssh-keys-oslogin.pub \
    --ttl=0

# List SSH Keys (After adding)
gcloud compute os-login ssh-keys list

# Describe Profile (to find username)
gcloud compute os-login describe-profile 

gcloud compute os-login ssh-keys remove --key='40bf2d3870aa88105d46fc206821367da5521431ef381b8e73a046696ab080e5'

gcloud compute os-login ssh-keys remove --key='50fc14a59c5eb23331b92e86ad463bcfdd70bddab60cbbf3e7cafbedeaedc5c8'

Step-04: Verify the connectivity to VM

# Get Public IP of VM
# Go to Compute Engine -> VM Instances -> vm -> Copy Public IP

# Login using SSH Command on MacOS or Windows10 CMD
ssh -i ssh-keys-oslogin latchudevops@104.198.236.153

Step-05: Instance Level OS-Login enablement

  • Go to Compute Engine -> VM Instances -> vm1 -> Edit
  • Under Custom metadata add a metadata entry, setting the key to enable-oslogin value to TRUE

key: enable-oslogin
value: TRUE

  • Click on SAVE

GCE Linux VMs - SSH Authentication using OS Login

Why do we need to use the OS Login method over metadata-managed keys for providing access to our Linux VMs?


  • OS Login allows SSH access without manually managing SSH Keys
  • OS Login is the HIGHLY RECOMMENDED option for managing access to Linux VM instances when we need to deal with a huge number of users across multiple instances and Google projects.
  • OS Login supports 2-step verification (Google Authenticator, text message, phone call verification, phone prompts and security key OTP)
  • OS Login provides the ability to import existing Linux user accounts from on-premises AD or LDAP
  • OS Login can be used in combination with more advanced use cases like IAM Organization (manage users, groups and centrally control all of your organization’s projects and resources)

Can we separate user and admin access to Linux VMs using OS Login?

  • Yes. We can do that based on roles associated to the user.

What roles does a user need for OS Login SSH authentication?


For Normal User:

  • roles/compute.osLogin

For Admin User:

  • roles/compute.osAdminLogin
