This document describes how to add SSH keys to virtual machine (VM) instances that use OS Login and VMs that use metadata-based SSH keys. If you or your organization administrator hasn't enabled OS Login, your VMs use metadata-based SSH keys.
Before you begin
- For information about managing access to your Compute Engine VMs, see Choosing an access method.
- If you haven't already, create an SSH key pair.
-
If you haven't already, then set up authentication.
Authentication is
the process by which your identity is verified for access to Google Cloud services and APIs.
To run code or samples from a local development environment, you can authenticate to
Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
-
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
- Set a default region and zone.
Terraform
To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up authentication for a local development environment.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
-
Add keys to VMs that use OS Login
VMs that use OS Login accept SSH keys that are associated with your Google Account. You can associate a public SSH key with your Google Account using the gcloud CLI or using the OS Login API. If you're an administrator for your organization, you can add SSH keys to user accounts using the Directory API.
When you add SSH keys to your Google Account, Compute Engine generates a
username for you by combining the username and domain from the email associated
with your Google Account. For example, if your email address is
cloudysanfrancisco@gmail.com
, your username is cloudysanfrancisco_gmail_com
.
If you add an SSH key in a project that is outside of your organization, your
username is prefixed with ext_
, for example,
ext_cloudysanfrancisco_gmail_com
. Your organization administrator can
customize your username using the
Directory API. If
you already have a username configured, Compute Engine uses that
username when you add SSH keys.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To add a public SSH key to your account, use the
gcloud compute os-login ssh-keys add
command:gcloud compute os-login ssh-keys add \ --key-file=KEY_FILE_PATH \ --project=PROJECT \ --ttl=EXPIRE_TIME
Replace the following:
KEY_FILE_PATH
: the path to the public SSH key on your workstation. The key must use thepublic-openssh
formatPROJECT
: Optional: a project where you intend to use your SSH key. Specify this field to use your SSH key in a project outside of your organization, or you are not a member of a Cloud Identity organizationEXPIRE_TIME
: Optional: the expiration time for the SSH keyFor example, if you specify
30m
the SSH key expires after 30 minutes.This flag uses the following units:
s
for secondsm
for minutesh
for hoursd
for days
Terraform
To add a public SSH key to your account, use the google_client_openid_userinfo
resource along with the google_os_login_ssh_public_key
resource.
REST
To add a public SSH key to your account, use the OS Login API
users.importSshPublicKey
method:
POST https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL:importSshPublicKey { "key": "SSH_KEY", "expirationTimeUsec": "EXPIRATION_TIMESTAMP" }
Replace the following:
ACCOUNT_EMAIL
: the email address associated with your accountSSH_KEY
: the public key that you want to add to the accountEXPIRATION_TIMESTAMP
: the expiration time for the key, in microseconds since epoch (1 second = 106 microseconds)
Add SSH keys to VMs that use metadata-based SSH keys
VMs that don't use OS Login store SSH keys in Compute Engine project and instance metadata. If OS Login is enabled for a VM, then the VM's guest agent ignores the keys stored in metadata.
You can use SSH keys stored in project metadata to access all VMs in a project. You can use SSH keys stored in instance metadata to access individual VMs.
Compute Engine doesn't automatically remove expired SSH keys from metadata at expiration time, but expired keys can't be used to establish new connections to VMs. If you want to remove expired keys from metadata, see Remove SSH keys from VMs that use metadata-based keys.
You can add a public SSH key to project or VM instance metadata using the Google Cloud console, the gcloud CLI, or REST.
Add SSH keys to project metadata
You can add a public SSH key to project metadata to access all VMs in a project, except VMs that block project-wide SSH keys. For more information about blocking project-wide SSH keys, see Block SSH keys from VMs that use metadata-based SSH keys.
Console
To add a public SSH key to project metadata using the Google Cloud console, do the following:
In the Google Cloud console, go to the Metadata page.
Click the SSH keys tab.
Click Edit.
Click Add item.
In the SSH key field that opens, add your public SSH key. The key must be in one of the following formats:
- Format for a key without an expiration time:
KEY_VALUE USERNAME
- Format for a key with an expiration time:
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
Click Save.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
If there are existing SSH keys in project metadata, you must re-add them to project metadata every time you add a new SSH key using the gcloud CLI. If you don't re-add your existing keys, adding a new key erases the existing keys.
To add a public SSH key to project metadata using the gcloud CLI, do the following:
If your project already has project-wide public SSH keys, get them from metadata and add them to a new file:
Run the
gcloud compute project-info describe
command to get the SSH keys for the project:gcloud compute project-info describe \ --format="value(commonInstanceMetadata[items][ssh-keys])"
The output is similar to the following:
username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
Copy the
ssh-keys
metadata value.Create and open a new text file on your workstation.
In the file, paste the list of keys that you just copied.
Add your new key at the end of the list, in one of the following formats:
- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
Save and close the file.
Run the
gcloud compute project-info add-metadata
command to set the project-widessh-keys
value:gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
Replace
KEY_FILE
with one of the following:- The path to the file you created in the previous step, if the project had existing SSH keys
- The path to your new public SSH key file, if the project didn't have existing SSH keys
Terraform
To add a public SSH key to your project metadata, use the google_compute_project_metadata
resource.
REST
If there are existing SSH keys in project metadata, you must re-add them to project metadata every time you add a new SSH key using the the Compute Engine API. If you don't re-add your existing keys, adding a new key erases the existing keys.
To add a public SSH key to project metadata using the Compute Engine API, do the following:
Get the
fingerprint
andssh-keys
values from metadata by using theprojects.get
methodGET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID
Replace
PROJECT_ID
with your project ID.The response is similar to the following:
... "fingerprint": "utgYE_XWtE8=", "items": [ { "key": "ssh-keys", "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}" } ] ...
Add the new
ssh-keys
value by using theprojects.setCommonInstanceMetadata
method.POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata { "items": [ { "key": "ssh-keys", "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY" } ] "fingerprint": "FINGERPRINT" }
Replace the following:
PROJECT_ID
: your project IDEXISTING_SSH_KEYS
: the value of thessh-keys
key from the response of theprojects.get
requestFINGERPRINT
: the value of thefingerprint
from the response of theprojects.get
requestNEW_SSH_KEY
: the new SSH key, in one of the following formats:- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
Add SSH keys to instance metadata
You can add a public SSH key to instance metadata when you create a VM or after you create a VM.
Add SSH keys to instance metadata during VM creation
You can add SSH keys to instance metadata during VM creation, using the Google Cloud console, gcloud CLI, or Compute Engine API.
Console
To create a VM and add a public SSH key to instance metadata at the same time using the Google Cloud console, do the following:
In the Google Cloud console, go to the Create an instance page.
Specify the VM details.
Expand the Advanced options section, and do the following:
Expand the Security section.
Select Add manually generated SSH keys.
Click Add item.
Add your public key in the text box. The key must be in one of the following formats:
- Format for a key without an expiration time:
KEY_VALUE USERNAME
- Format for a key with an expiration time:
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
To create and start the VM, click Create.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To create a VM and add a public SSH key to instance metadata at the same time using the gcloud CLI, use the
gcloud compute instances create
command:gcloud compute instances create VM_NAME \ --metadata=ssh-keys=PUBLIC_KEY
Replace the following:
VM_NAME
: the name of the new VMPUBLIC_KEY
: your public SSH key, in one of the following formats:- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
You can add multiple SSH keys by using the
--metadata-from-file=ssh-keys=FILE_PATH
flag. In the file, add a list of usernames and public SSH keys in one of the preceding formats.
Terraform
To add a public SSH key to your instance metadata, use the google_compute_instance
resource.
REST
To create a VM and add a public SSH key to instance metadata at the same
time using the Compute Engine, construct a POST
request to the
instances.insert
method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
Replace the following:
PROJECT_ID
: the project IDZONE
: the zone of the VM
In the body of the request, provide usernames and public SSH keys in the
items
property:
... { "items": [ { "key": "ssh-keys", "value": "PUBLIC_KEY" } ] } ...
Replace PUBLIC_KEY
with your public key, in one
of the following formats:
- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
You can add multiple SSH keys by adding \n
between keys.
Add SSH keys to instance metadata after VM creation
You can add SSH keys to instance metadata after VM creation, using the Google Cloud console, gcloud CLI, or Compute Engine API.
Console
To add a public SSH key to instance metadata using the Google Cloud console, do the following:
In the Google Cloud console, go to the VM instances page.
Click the name of the VM that you want to add an SSH key for.
Click Edit.
Under SSH Keys, click Add item.
Add your public key into the text box. The key must be in one of the following formats:
- Format for a key without an expiration time:
KEY_VALUE USERNAME
- Format for a key with an expiration time:
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
Click Save.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
If there are existing SSH keys in instance metadata, you must re-add them to instance metadata every time you add a new SSH key using the gcloud CLI. If you don't re-add your existing keys, adding a new key erases the existing keys.
To add a public SSH key to instance metadata using the gcloud CLI, do the following:
If your VM already has instance-level public SSH keys, get them from metadata and add them to a new file:
Run the
gcloud compute instances describe
command to get the metadata for the VM:gcloud compute instances describe VM_NAME
Replace VM_NAME with the name of the VM for which you need to add or remove public SSH keys.
The output is similar to the following:
... metadata: ...
- key: ssh-keys
value: |- cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF... baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"} ...Copy the
ssh-keys
metadata value.Create and open a new text file on your workstation.
In the file, paste the list of keys that you just copied.
Add your new key at the end of the list, in one of the following formats:
- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Save and close the file.
Run the
gcloud compute instances add-metadata
command to set thessh-keys
value:gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys=KEY_FILE
Replace the following:
VM_NAME
: the VM you want to add the SSH key forKEY_FILE
with one of the following:- The path to the file you created in the previous step, if the VM had existing SSH keys
- The path to your new public SSH key file, if the VM didn't have existing SSH keys
REST
If there are existing SSH keys in instance metadata, you must re-add them to instance metadata every time you add a new SSH key using the Compute Engine API. If you don't re-add your existing keys, adding a new key erases the existing keys.
To add a public SSH key to instance metadata using the Compute Engine API, do the following:
Get the
fingerprint
andssh-keys
values from metadata by using theinstances.get
method.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Replace the following:
PROJECT_ID
: your project IDZONE
: the zone of the VM to add an SSH keyVM_NAME
: the VM you're adding an SSH key for
The response is similar to the following:
... "fingerprint": "utgYE_XWtE8=", "items": [ { "key": "ssh-keys", "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}" } ] ...
Add the new
ssh-keys
value by using theinstances.setMetadata
method.POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata { "items": [ { "key": "ssh-keys", "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY" } ] "fingerprint": "FINGERPRINT" }
Replace the following:
PROJECT_ID
: your project IDEXISTING_SSH_KEYS
: the value of thessh-keys
key from the response of theinstances.get
requestFINGERPRINT
: thefingerprint
from the response of theprojects.get
requestNEW_SSH_KEY
: the new SSH key, in one of the following formats:- Format for a key without an expiration time:
USERNAME:KEY_VALUE
- Format for a key with an expiration time:
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
Replace the following:
KEY_VALUE
: the public SSH key valueUSERNAME
: your username. For example,cloudysanfrancisco
, orcloudysanfrancisco_gmail_com
.For Linux VMs, the
USERNAME
can't beroot
, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of
DOMAIN\
. For example, the usercloudysanfrancisco
within thead.example.com
AD has aUSERNAME
ofexample\cloudysanfrancisco
.EXPIRE_TIME
: the time the key expires, in ISO 8601 format. For example:2021-12-04T20:12:00+0000
- Format for a key without an expiration time:
What's next?
- Learn how to connect to VMs.
- Learn how to manage access to VMs.
- Learn how to transfer files to VMs.
- Learn how SSH connections to Linux VMs work on Compute Engine.