When working with Google Compute Engine (GCE), secure authentication is essential for accessing and managing your Virtual Machines (VMs). Depending on whether you're running a Windows VM or a Linux VM, the authentication method differs.
Windows VMs - Username and Password
For Windows virtual machines:
- Authentication is done using username and password.
- You can either:
Generate credentials using the Google Cloud Console.
Or set/reset Windows passwords via gcloud CLI.
- Once credentials are ready, you can connect using RDP (Remote Desktop Protocol).
Suitable for administrators who manage Windows workloads with a familiar RDP login experience.
Linux VMs - Key-based SSH Authentication
For Linux virtual machines:
- Authentication is done via SSH keys.
- You can:
Generate an SSH key pair (ssh-keygen) and upload the public key to the VM's metadata.
Or let GCP automatically manage SSH keys for you when you connect from the Console or gcloud compute ssh.
- This provides strong cryptographic authentication without relying on passwords.
This is the default and recommended method for Linux workloads in Google Cloud.
GCE Linux VMs - SSH Authentication Options
Option-1: Google Cloud Console - SSH Button
- SSH to the VM instance using a web-based (browser) SSH client
- Compute Engine generates ephemeral SSH keys for the connection to the VM
- Your private SSH key is stored in your browser session
- Google doesn't have access to your private key
Option-2: gcloud cli
- Compute Engine creates a username and persistent SSH key pair
- We can reuse the same SSH key pair for future interactions using gcloud cli
Step-01: Introduction
- Metadata-managed SSH Connections
Automatically Configured at Project Level: Temporarily grant a user access to an instance (so far we are using this one)
Manually Managing SSH Keys in Metadata: Generate SSH keys and upload them to Project Metadata
Instance-Level Public SSH Keys
- OS Login-managed SSH connections (Google Recommended)
- In this section, we are going to focus on the Automatically Configured at Project Level approach
Step-02: Create a VM Instance
# Set Project
gcloud config set project PROJECT_ID
gcloud config set project gcpdemos
# Create VM Instance
gcloud compute instances create vm1 \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=default \
--tags=http-server \
--metadata-from-file=startup-script=webserver-install.sh
Step-03: Connect to VM instance using Open in New browser window
- Go to Compute Engine -> Virtual Machines -> VM Instances -> VM1 -> SSH -> Open in new browser window
- Review Compute Engine -> Settings -> Metadata -> SSH Keys
- What happens during this process?
- By default, Google Compute Engine uses custom project and/or instance metadata to configure SSH keys
- If we use OS Login, metadata SSH Keys are disabled.
- This is the option we have been using so far, so let's understand it in detail.
- Go to Compute Engine -> Settings -> Metadata -> SSH Keys
- Observation-1: We can use Username and Public Key with expiration dates.
- Observation-2: The username is the account we logged in to the Google Cloud Console with, minus the @domain.com part (Example: for devops.samira@gmail.com, the Username field will contain devops.samira)
- Your public and private SSH keys are stored in your browser session.
- Your SSH key has an expiry of five minutes. Five minutes after Compute Engine creates the key, you can't use the SSH key to connect to the VM anymore.
- Compute Engine uploads the public SSH key and username to metadata.
- Compute Engine retrieves the SSH key and username from metadata, creates a user account with the username and public key, and stores the public key in your user's ~/.ssh/authorized_keys file on the VM.
- Compute Engine grants your connection
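The SSH Keys metadata described above can be audited offline. This is an added example, not part of the original post or of GCP's tooling; it assumes the documented line format USERNAME:KEY, optionally followed by a google-ssh JSON trailer with expireOn for Console-generated keys, and uses constructed sample entries with placeholder key material.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a project-level "ssh-keys" metadata value in the format
# Compute Engine writes: USERNAME:KEY, optionally followed by
# google-ssh {"userName": ..., "expireOn": ...} for Console-generated keys.
# Key material is shortened to placeholders, not real keys.
SAMPLE_SSH_KEYS = """\
devops.samira:ssh-rsa AAAAB3NzaC1yc2E...EPHEMERAL google-ssh {"userName":"devops.samira@gmail.com","expireOn":"2024-01-01T10:05:00+0000"}
sshcustomuser1:ssh-rsa AAAAB3NzaC1yc2E...MANUAL sshcustomuser1
contractor:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...TEMP google-ssh {"userName":"contractor@example.com","expireOn":"2024-01-02T00:00:00+0000"}"""

def parse_ssh_keys_metadata(text):
    """Split an ssh-keys value into entries: username, key type and expiry (None = permanent)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        username, _, rest = line.partition(":")
        key_part, sep, trailer = rest.partition(" google-ssh ")
        expire_on = None
        if sep:
            # The trailer's expireOn is RFC 3339 with a numeric offset such as +0000
            expire_on = datetime.strptime(json.loads(trailer)["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
        entries.append({"username": username, "key_type": key_part.split()[0], "expire_on": expire_on})
    return entries

def audit_ssh_keys(text, now):
    """Classify each key as 'expired' (dead weight), 'permanent' (never expires, review it)
    or 'active' (time-limited and still valid)."""
    report = {}
    for e in parse_ssh_keys_metadata(text):
        if e["expire_on"] is None:
            status = "permanent"
        elif e["expire_on"] <= now:
            status = "expired"
        else:
            status = "active"
        report[e["username"]] = status
    return report

def demo():
    """Audit the constructed sample at a fixed reference time, 2024-01-01T12:00Z."""
    return audit_ssh_keys(SAMPLE_SSH_KEYS, datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, status in demo().items():
        print(f"{user}: {status}")
```

On a real project, feed it the ssh-keys value from gcloud compute project-info describe and treat "permanent" entries as the ones to review, since the Console's five-minute keys expire on their own.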
Step-03: Create new Username for automatic Metadata-Managed SSH Connection approach
- Go to Compute Engine -> VM Instances -> vm1 -> SSH -> Open in Browser Window
Go to newly opened SSH Browser Window -> Settings -> Change Linux Username -> kalyanreddy -> Click on Change
Observation:
New SSH keys will be generated in the browser session for user demouser1
We will re-login as the new user demouser1
- Review Compute Engine -> Settings -> Metadata -> SSH Keys
Step-04: SSH Connect to Linux VM using gcloud in Cloud Shell
- Go to Compute Engine -> Virtual Machines -> VM Instances -> vm1 -> SSH -> View gcloud command
# Set GCP Project
gcloud config set project <PROJECT-ID>
gcloud config set project gcpdemos
# Connect to VM using gcloud in Cloud Shell
gcloud compute ssh --zone "us-central1-a" "vm2" --project "gcpdemos"
Option-3: Customized Keys - Metadata managed
- Generate SSH public and private key using ssh-keygen
- Upload public SSH key to project-level metadata or instance-level ssh keys
- Using the private SSH key on our desktop, we can SSH to the Linux VM with third-party tools such as PuTTY or the ssh command
SSH Keys - Project Level Meta data
Step-01: Create SSH Keys Manually - Public and Private Key
# Switch Directory
cd ssh-keys
# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-custom -C sshcustomuser1
# File Names
SSH Private Key: ssh-keys-custom
SSH Public Key: ssh-keys-custom.pub
# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-custom
# Copy content from ssh-keys-custom.pub
cat ssh-keys-custom.pub
Step-02: Upload Custom SSH Public Key and Username to GCP Project Metadata
- Go to Compute Engine -> Metadata -> SSH Keys -> Edit
- Click on Add Item
- Paste the content of the file ssh-keys-custom.pub into the text box (the username is populated automatically from the key comment) and click on Save
- Refresh browser to see sshcustomuser1 public key present in Metadata.
Step-03: Connect using your Local Desktop Terminal
# Connect from MacOS / Windows10 CMD line
cd ssh-keys
ssh -i ssh-keys-custom <USER-FROM-SSH-KEYS>@<VM-Public-IP>
ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153
SSH Keys - Instance Level Metadata
Step-01: Create SSH Keys Manually - Public and Private Key
# Switch Directory
cd ssh-keys
# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-instance-level -C sshinstanceleveluser1
# File Names
SSH Private Key: ssh-keys-instance-level
SSH Public Key: ssh-keys-instance-level.pub
# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-instance-level
# Copy content from ssh-keys-instance-level.pub
cat ssh-keys-instance-level.pub
Step-02: Upload Custom SSH Public Key and Username to VM Instance
- Go to Compute Engine -> VM Instances -> vm1 -> Edit
- SSH Keys
Block Project-wide SSH Keys: Check the box (Enable it)
Click on Add Item and paste the content of ssh-keys-instance-level.pub (the single ssh-rsa line ending with the comment sshinstanceleveluser1)
- Click on SAVE
Step-03: Connect using your Local Desktop Terminal
# Connect from MacOS / Windows10 CMD line
cd ssh-keys
ssh -i ssh-keys-instance-level sshinstanceleveluser1@104.198.236.153
Step-04: Connect using Project Level SSH Keys - Custom
- Observation: As we have enabled the option Block Project-wide SSH Keys at the VM instance level, the project-level SSH key is rejected with Permission denied
# Connect from MacOS / Windows10 CMD line - Project Level Custom SSH Key from previous demo
cd 04-02-SSHKeys-Project-Level-Metadata/ssh-keys
ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153
# Sample Output
latchu:ssh-keys-custom kalyanreddy$ ssh -i ssh-keys-custom sshcustomuser1@104.198.236.153
sshcustomuser1@104.198.236.153: Permission denied (publickey).
latchu:ssh-keys-custom devops$
Step-05: Clean-Up
- Delete Project level metadata
- Delete Project level SSH keys
- Delete Instance level metadata related to SSH keys
Option-4: OS Login managed
Set the below Key value pair in Compute Engine Metadata
- Key: enable-oslogin
- Value: TRUE
We can access the VM instance using
- SSH Button using browser
- Using gcloud ssh command
Step-01: Enable OS Login at Project Level
- Go to Compute Engine -> Metadata -> Edit
- Click on Add item
- Add the following
key: enable-oslogin
value: TRUE
- Click on SAVE
Step-02: Connect to VM Instance using SSH
- Go to Compute Engine -> VM Instances -> vm1 -> SSH -> Open in new browser window
- Primary Difference - Username Format: username_domain_com, derived from the complete email address of the user including the domain, with '@' and '.' replaced by underscores
Step-03: Connect to VM Instance using Cloud Shell gcloud ssh command
Go to Compute Engine -> VM Instances -> vm1 -> SSH -> View gcloud command
# Connect to VM using gcloud in Cloud Shell
gcloud compute ssh --zone "us-central1-a" "vm1" --project "gcpdemos"
Option-5: Customized Keys - OS Login managed
- Generate SSH public and private key using ssh-keygen
- Add public SSH key to the google cloud account
- Using the private SSH key on our desktop, we can log in (ssh) to the Linux VM with third-party tools such as PuTTY or the ssh command
Step-01: Enable OS Login at Project Level
- Go to Compute Engine -> Metadata -> Edit
- Click on Add item
- Add the following
key: enable-oslogin
value: TRUE
- Click on SAVE
Step-02: Generate SSH Keys using Cloud Shell
# Connect to Cloud Shell
Go to -> Cloud Shell
# Set Project
gcloud config set project [PROJECT_ID]
# Switch Directory
mkdir ssh-oslogin
cd ssh-oslogin
# Generate SSH Keys
ssh-keygen -t rsa -f ssh-keys-oslogin -C latchudevops
# File Names
SSH Private Key: ssh-keys-oslogin
SSH Public Key: ssh-keys-oslogin.pub
# Restrict access to your private key so that only you can read it and nobody can write to it
chmod 400 ssh-keys-oslogin
Step-04: Add Custom SSH Public Key to OS-Login user profile
# List SSH Keys (Before Adding)
gcloud compute os-login ssh-keys list
# Use the gcloud command-line tool to associate public SSH keys with an account.
gcloud compute os-login ssh-keys add \
--key-file=KEY_FILE_PATH \
--ttl=EXPIRE_TIME
gcloud compute os-login ssh-keys add \
--key-file=ssh-keys-oslogin.pub \
--ttl=0
# List SSH Keys (After adding)
gcloud compute os-login ssh-keys list
# Describe Profile (to find username)
gcloud compute os-login describe-profile
# Remove SSH keys from the profile (the --key values here are the key fingerprints from this demo, as shown by ssh-keys list)
gcloud compute os-login ssh-keys remove --key='40bf2d3870aa88105d46fc206821367da5521431ef381b8e73a046696ab080e5'
gcloud compute os-login ssh-keys remove --key='50fc14a59c5eb23331b92e86ad463bcfdd70bddab60cbbf3e7cafbedeaedc5c8'
Step-04: Verify the connectivity to VM
# Get Public IP of VM
Go to Compute Engine -> VM Instances -> vm1 -> Copy Public IP
# Login using SSH Command on MacOS or Windows10 CMD
ssh -i ssh-keys-oslogin latchudevops@104.198.236.153
Step-05: Instance Level OS-Login enablement
- Go to Compute Engine -> VM Instances -> vm1 -> Edit
- Under Custom metadata add a metadata entry, setting the key to enable-oslogin value to TRUE
key: enable-oslogin
value: TRUE
- Click on SAVE
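The precedence rules this walkthrough demonstrates (the Permission denied in Option-3 Step-04 once Block Project-wide SSH Keys is set, OS Login disabling metadata keys, and the instance-level enable-oslogin in Step-05 overriding the project setting) can be modelled as a small policy check. This is an added example, not GCP's own code; it assumes metadata values are the strings gcloud shows ("TRUE"/"FALSE") and uses constructed metadata with placeholder key material.

```python
# Assumptions in this added example (not GCP's own code): metadata values are the
# strings gcloud shows ("TRUE"/"FALSE"), compared case-insensitively, and key material
# is shortened to placeholders.

def _truthy(value):
    return value is not None and value.strip().lower() == "true"

def _usernames(ssh_keys_value):
    """Usernames from an ssh-keys metadata value, one USERNAME:KEY entry per line."""
    return [line.split(":", 1)[0] for line in (ssh_keys_value or "").splitlines() if line.strip()]

def oslogin_username(email):
    """Default OS Login username as described in Step-02 above: the complete email address,
    domain included, with '@' and '.' replaced by underscores (username_domain_com)."""
    return email.replace("@", "_").replace(".", "_")

def effective_ssh_access(project_md, instance_md):
    """Return ("oslogin", []) when OS Login governs the VM, otherwise ("metadata", users)
    with the metadata-managed usernames the guest agent would provision on the VM."""
    # An instance-level enable-oslogin value overrides the project-level one.
    oslogin = instance_md.get("enable-oslogin", project_md.get("enable-oslogin"))
    if _truthy(oslogin):
        return ("oslogin", [])  # metadata SSH keys are ignored entirely
    users = _usernames(instance_md.get("ssh-keys"))
    # block-project-ssh-keys=TRUE is why the project-level key got "Permission denied (publickey)".
    if not _truthy(instance_md.get("block-project-ssh-keys")):
        users += _usernames(project_md.get("ssh-keys"))
    return ("metadata", sorted(set(users)))

def can_login(project_md, instance_md, username):
    """True when a metadata-managed key for username would be provisioned on the VM."""
    mode, users = effective_ssh_access(project_md, instance_md)
    return mode == "metadata" and username in users

# Constructed metadata mirroring the walkthrough's project key and vm1 settings.
PROJECT_MD = {"ssh-keys": "sshcustomuser1:ssh-rsa AAAA...CUSTOM sshcustomuser1"}
VM1_BLOCKING = {"ssh-keys": "sshinstanceleveluser1:ssh-rsa AAAA...INST sshinstanceleveluser1",
                "block-project-ssh-keys": "TRUE"}
VM1_OSLOGIN = {"enable-oslogin": "TRUE"}

if __name__ == "__main__":
    print(effective_ssh_access(PROJECT_MD, {}))            # project key applies
    print(effective_ssh_access(PROJECT_MD, VM1_BLOCKING))  # only the instance key applies
    print(effective_ssh_access(PROJECT_MD, VM1_OSLOGIN))   # OS Login; metadata keys ignored
```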
GCE Linux VMs - SSH Authentication using OS Login
Why do we need to use the OS Login method over Metadata-managed keys for providing access to our Linux VMs?
- OS Login allows SSH access without manually managing SSH Keys
- OS Login is the HIGHLY RECOMMENDED option for managing access to Linux VM instances when we need to deal with a large number of users across multiple instances and Google Cloud projects.
- OS Login supports 2-step verification (Google Authenticator, Text Message, Phone call verification, Phone prompts and Security Key OTP)
- OS Login provides the ability to import existing Linux user accounts from on-premise AD or LDAP
- OS Login can be used in combination with advanced use cases like IAM Organization (manage users and groups, and centrally control all of your organization's projects and resources)
Can we separate user and admin access to Linux VMs using OS Login ?
- Yes. We can do that based on roles associated to the user.
What roles does a user need to have for using OS Login SSH Authentication?
For Normal User:
- roles/compute.osLogin
For Admin User:
- roles/compute.osAdminLogin