Restrict SSH keys from VMs


This document describes how to prevent users from accessing virtual machine (VM) instances by removing and blocking SSH keys from VMs.

Before you begin

Remove SSH keys

You can remove SSH keys from VMs that use OS Login and VMs that use metadata-based SSH keys.

Remove SSH keys from VMs that use OS Login

VMs that use OS Login accept SSH keys that are associated with your Google account. You can remove a public SSH key from your user account using the gcloud command-line tool or the OS Login API. If you're an administrator for your organization, you can remove SSH keys from user accounts using the Directory API. Compute Engine automatically removes expired keys from your Google Account.

gcloud

To remove a public SSH key from your account, do the following:

  1. If you don't know which key you want to remove, run the gcloud compute os-login describe-profile command to view all keys associated with your account:

    gcloud compute os-login describe-profile
    
  2. Copy the fingerprint value of the key you want to delete.

  3. Remove the key from your account using the gcloud compute os-login ssh-keys remove command:

    gcloud compute os-login ssh-keys remove --key=KEY
    

    Replace KEY with the public SSH key you want to remove, or the OS Login fingerprint for the key you want to remove.

OS Login API

To remove a public SSH key from your account, do the following:

  1. If you don't know which key you want to remove, use the users.getLoginProfile method to view all keys associated with your account:

    GET https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/loginProfile
    

    Replace ACCOUNT_EMAIL with the email address associated with your account.

  2. Copy the fingerprint value of the key you want to delete.

  3. Remove the key from your account using the users.sshPublicKeys.delete method:

    DELETE https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/sshPublicKeys/FINGERPRINT
    

    Replace the following:

    • ACCOUNT_EMAIL: the email address associated with your account
    • FINGERPRINT: the SHA-256 fingerprint of the key to remove

Remove SSH keys from VMs that use metadata-based keys

You can remove a public SSH key from project or instance metadata using the Google Cloud Console, the gcloud tool, or the Compute Engine API.

After you remove the last key from metadata for a particular user, or the last key in metadata for a particular user expires, Compute Engine deletes the user's ~/.ssh/authorized_keys file on the VM.

Remove a public key from project metadata

Remove a public SSH key from project metadata to remove access to all VMs in a project.

When you remove a key from metadata using the gcloud tool and the Compute Engine API, you must retrieve the list of existing keys, edit the list of keys to remove the unwanted keys, and overwrite the old keys with the list of keys you want to keep, as explained in the following section.

Console

To remove a public SSH key from project metadata using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Metadata page.

  2. Under SSH Keys, click Edit.

  3. Click the removal button next to the SSH key you want to remove.

  4. Click Save.

gcloud

To remove a public SSH key from project metadata using the gcloud tool, do the following:

  1. Run the gcloud compute project-info describe command to get the metadata for the project:

    gcloud compute project-info describe
    

    The output is similar to the following:

    ...
    metadata:
      ...
      - key: ssh-keys
        value: |-
          cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
          baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
    ...
    
  2. Copy the ssh-keys metadata value.

  3. Create and open a new text file on your workstation.

  4. In the file, paste the list of SSH keys that you just copied, then delete any keys you want to remove from project metadata.

  5. Save and close the file.

  6. Run the gcloud compute project-info add-metadata command to set the project-wide ssh-keys value:

    gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
    

    Replace KEY_FILE with one of the following:

    • the path to the file you created in the previous step, if the project had existing SSH keys
    • the path to your new public SSH key file, if the project didn't have existing SSH keys

API

To remove a public SSH key from project metadata using the Compute Engine API, do the following:

  1. Use the projects.get method to get the fingerprint and ssh-keys values from metadata.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID
    

    Replace PROJECT_ID with your project ID.

    The response is similar to the following:

    ...
    "fingerprint": "utgYE_XWtE8=",
    "items": [
     {
      "key": "ssh-keys",
      "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {\"userName\":\"baklavainthebalkans\",\"expireOn\":\"2021-06-14T16:59:03+0000\"}"
     }
    ]
    ...
    
  2. Copy the list of SSH key values and delete the keys you want to remove.

  3. Use the projects.setCommonInstanceMetadata method to remove the SSH keys.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata
    
    {
    "items": [
     {
      "key": "ssh-keys",
      "value": "EXISTING_SSH_KEYS"
     }
    ],
    "fingerprint": "FINGERPRINT"
    }
    

    Replace the following:

    • PROJECT_ID: your project ID
    • EXISTING_SSH_KEYS: the list of the SSH keys you want to keep
    • FINGERPRINT: the value of the fingerprint from the response of the projects.get request
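The gcloud and API procedures above both come down to the same get-edit-set cycle: read the ssh-keys value and the metadata fingerprint, drop the unwanted entries, and write the rest back together with the fingerprint. The following Python script is an added example that is not part of the Compute Engine documentation; it does the "edit" step in code (by username, and also discarding entries whose google-ssh expireOn has passed) and builds the request body for projects.setCommonInstanceMetadata or instances.setMetadata. The function names are hypothetical, and the sample value is constructed from the truncated keys shown in the example output above. It assumes the documented line format USERNAME:KEY_TYPE KEY_DATA followed by an optional google-ssh JSON suffix.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the two truncated entries from this document's example
# output, joined with "\n" exactly as the API returns them.
SAMPLE_SSH_KEYS = (
    "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\n"
    "baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8"
    " google-ssh"
    ' {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}'
)
SAMPLE_FINGERPRINT = "utgYE_XWtE8="  # fingerprint from the document's sample response

GOOGLE_SSH_MARKER = " google-ssh "


def parse_ssh_keys(value):
    """Parse an ssh-keys metadata value into a list of dicts (hypothetical helper).

    Each entry has "user", "key" (type and key data), "expire_on" (an aware
    datetime when the line carries a google-ssh suffix with expireOn, else
    None) and "raw" (the original line, which is what gets written back).
    """
    entries = []
    for raw in value.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        user, _, rest = raw.partition(":")
        key, _, suffix = rest.partition(GOOGLE_SSH_MARKER)
        expire_on = None
        if suffix:
            # The suffix is the JSON blob gcloud attaches to expiring keys,
            # e.g. {"userName":"...","expireOn":"2021-06-14T16:59:03+0000"}
            expire_on = datetime.strptime(
                json.loads(suffix)["expireOn"], "%Y-%m-%dT%H:%M:%S%z"
            )
        entries.append({"user": user, "key": key, "expire_on": expire_on, "raw": raw})
    return entries


def keys_to_keep(value, remove_users=(), now=None):
    """Return the ssh-keys value with the named users' keys and expired keys dropped.

    This is the "edit the list" step of the procedure done in code rather than
    in a text editor; the result is the EXISTING_SSH_KEYS value to write back.
    """
    now = now or datetime.now(timezone.utc)
    remove_users = set(remove_users)
    kept = []
    for entry in parse_ssh_keys(value):
        if entry["user"] in remove_users:
            continue
        if entry["expire_on"] is not None and entry["expire_on"] <= now:
            continue  # already expired: Compute Engine ignores it, so drop it too
        kept.append(entry["raw"])
    return "\n".join(kept)


def build_set_metadata_body(items, fingerprint, new_ssh_keys):
    """Build the JSON body for projects.setCommonInstanceMetadata / instances.setMetadata.

    Every other metadata item from the get response is copied through unchanged,
    because a set call replaces the whole item list, not just ssh-keys. The
    fingerprint from the get response is sent as-is so that a concurrent edit
    made in between is detected and the write rejected.
    """
    new_items = [dict(item) for item in items if item.get("key") != "ssh-keys"]
    if new_ssh_keys:  # an empty value means the ssh-keys item is dropped entirely
        new_items.append({"key": "ssh-keys", "value": new_ssh_keys})
    return {"items": new_items, "fingerprint": fingerprint}


if __name__ == "__main__":
    items = [{"key": "enable-oslogin", "value": "FALSE"},
             {"key": "ssh-keys", "value": SAMPLE_SSH_KEYS}]
    kept = keys_to_keep(SAMPLE_SSH_KEYS, remove_users={"cloudysanfrancisco"})
    print(json.dumps(build_set_metadata_body(items, SAMPLE_FINGERPRINT, kept), indent=1))
```

Run it as-is to see the body that would be POSTed; the sample's second entry expired in 2021, so with the default clock only the metadata items other than ssh-keys survive once cloudysanfrancisco is removed. Feed the real projects.get or instances.get response's items and fingerprint into build_set_metadata_body to produce the actual request.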

Remove a public SSH key from instance metadata

Remove a public SSH key from instance metadata to remove access to a single VM.

When you remove a key from metadata using the gcloud tool and the Compute Engine API, you must retrieve the list of existing keys, edit the list of keys to remove the unwanted keys, and overwrite the old keys with the list of keys you want to keep, as explained in the following section.

Console

To remove a public SSH key from instance metadata using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Metadata page.

  2. Click the name of the VM that you want to remove a key for.

  3. Click Edit.

  4. In the center pane, under SSH Keys, click Show and edit. The section expands to show all of the instance-level public SSH keys.

  5. Click the removal button next to the key you want to remove.

  6. Click Save.

gcloud

To remove a public SSH key from instance metadata using the gcloud tool, do the following:

  1. Run the gcloud compute instances describe command to get the metadata for the VM:

    gcloud compute instances describe VM_NAME
    

    Replace VM_NAME with the name of the VM from which you want to remove public SSH keys.

    The output is similar to the following:

    ...
    metadata:
    ...
    - key: ssh-keys
     value: |-
       cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
       baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
    ...
    
  2. Copy the ssh-keys metadata value.

  3. Create and open a new text file on your local workstation.

  4. In the file, paste the list of SSH keys that you just copied, then remove any keys you want to delete.

  5. Save and close the file.

  6. Run the gcloud compute instances add-metadata command to set the instance-level ssh-keys value:

    gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys=KEY_FILE
    

    Replace the following:

    • VM_NAME: the VM you want to remove the SSH key for
    • KEY_FILE: the path to the file that contains the list of instance-level SSH keys you want to keep

API

To remove a public SSH key from instance metadata using the Compute Engine API, do the following:

  1. Use the instances.get method to get the fingerprint and ssh-keys values from metadata.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
    

    Replace the following:

    • PROJECT_ID: your project ID
    • ZONE: the zone of the VM you're removing an SSH key from
    • VM_NAME: the VM you're removing an SSH key from

    The response is similar to the following:

    ...
    "fingerprint": "utgYE_XWtE8=",
    "items": [
    {
     "key": "ssh-keys",
     "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {\"userName\":\"baklavainthebalkans\",\"expireOn\":\"2021-06-14T16:59:03+0000\"}"
    }
    ]
    ...
    
  2. Copy the list of SSH key values and delete the keys you want to remove.

  3. Use the instances.setMetadata method to remove the SSH keys.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata
    
    {
    "items": [
     {
      "key": "ssh-keys",
      "value": "EXISTING_SSH_KEYS"
     }
    ],
    "fingerprint": "FINGERPRINT"
    }
    

    Replace the following:

    • PROJECT_ID: your project ID
    • EXISTING_SSH_KEYS: the value of the ssh-keys key from the response of the instances.get request, with the keys you want to remove deleted
    • FINGERPRINT: the value of the fingerprint from the response of the instances.get request

Block SSH keys from VMs that use metadata-based SSH keys

You can prevent VMs from accepting SSH keys that are stored in project metadata by blocking project SSH keys from VMs.

Console

To block VMs from accepting connections from SSH keys stored in project metadata using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Metadata page.

    Go to Metadata

  2. Click the name of the VM that you want to block project SSH keys for.

  3. Click Edit.

  4. Under SSH Keys, select the Block project-wide SSH keys checkbox.

  5. When you have finished editing the connection setting for SSH keys, click Save.

gcloud

To block VMs from accepting connections from SSH keys stored in project metadata using the gcloud tool, do the following:

Run the gcloud compute instances add-metadata command:

gcloud compute instances add-metadata VM_NAME --metadata block-project-ssh-keys=TRUE

Replace VM_NAME with the name of the VM for which you want to block project-wide public SSH keys.

API

To block VMs from accepting connections from SSH keys stored in project metadata using the Compute Engine API, do the following:

  1. Use the instances.get method to get the fingerprint from metadata.

    GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
    

    Replace the following:

    • PROJECT_ID: your project ID
    • ZONE: the zone of the VM you're blocking project SSH keys for
    • VM_NAME: the VM you're blocking project SSH keys for

    The response is similar to the following:

    ...
    "fingerprint": "utgYE_XWtE8="
    ...
    
  2. Use the instances.setMetadata method to set block-project-ssh-keys to TRUE:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata
    
    {
    "items": [
     {
      "key": "block-project-ssh-keys",
      "value": "TRUE"
     }
    ],
    "fingerprint": "FINGERPRINT"
    }
    

    Replace the following:

    • PROJECT_ID: your project ID
    • ZONE: the zone where your VM is located
    • VM_NAME: the VM on which you want to block project-wide keys
    • FINGERPRINT: the value of the fingerprint from the response of the instances.get request
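Whether a given user can still reach a VM with a metadata-based key depends on three settings read together: the VM's own ssh-keys, the project's ssh-keys, and the block-project-ssh-keys flag on the VM (and OS Login, which switches metadata keys off altogether). The following Python script is an added example, not part of the Compute Engine documentation, that evaluates those rules over the "items" lists returned by projects.get and instances.get and lists the VMs that would still accept a key added to project metadata. The function names are hypothetical; the sample records are constructed and reuse the truncated key text from this document. It assumes the standard precedence (an instance-level enable-oslogin value overrides the project-level one), compares flag values case-insensitively, and ignores per-key expiry.

```python
# Constructed sample metadata "items" lists, in the same shape as the items
# field of projects.get and instances.get responses.
PROJECT_ITEMS = [
    {"key": "ssh-keys", "value": (
        "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\n"
        "baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8"
    )},
]
VM_OPEN = {"name": "vm-open", "items": [
    {"key": "ssh-keys", "value": "oncall:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey"},
]}
VM_BLOCKED = {"name": "vm-blocked", "items": VM_OPEN["items"] + [
    {"key": "block-project-ssh-keys", "value": "TRUE"},
]}
VM_OSLOGIN = {"name": "vm-oslogin", "items": [
    {"key": "enable-oslogin", "value": "TRUE"},
]}


def metadata_value(items, key):
    """Return the value of one metadata item, or None when the key is absent."""
    for item in items:
        if item.get("key") == key:
            return item.get("value")
    return None


def flag_is_true(value):
    # Assumption for this example: TRUE, True and true all count as set.
    return value is not None and str(value).strip().lower() == "true"


def usernames_in(ssh_keys_value):
    """Usernames from an ssh-keys value (one USERNAME:KEY per line); expiry is ignored."""
    if not ssh_keys_value:
        return set()
    return {line.partition(":")[0].strip()
            for line in ssh_keys_value.splitlines() if line.strip()}


def oslogin_enabled(project_items, vm):
    """enable-oslogin on the VM wins; otherwise the project-level value applies."""
    value = metadata_value(vm["items"], "enable-oslogin")
    if value is None:
        value = metadata_value(project_items, "enable-oslogin")
    return flag_is_true(value)


def accepts_project_keys(project_items, vm):
    """True when a key placed in project metadata would grant access to this VM."""
    if oslogin_enabled(project_items, vm):
        return False  # OS Login VMs do not consult metadata keys at all
    return not flag_is_true(metadata_value(vm["items"], "block-project-ssh-keys"))


def effective_metadata_ssh_users(project_items, vm):
    """Usernames that metadata-based SSH keys currently grant access to on this VM."""
    if oslogin_enabled(project_items, vm):
        return set()
    users = usernames_in(metadata_value(vm["items"], "ssh-keys"))
    if accepts_project_keys(project_items, vm):
        users |= usernames_in(metadata_value(project_items, "ssh-keys"))
    return users


def vms_accepting_project_keys(project_items, vms):
    """Sorted names of the VMs on which project-wide keys are still honoured."""
    return sorted(vm["name"] for vm in vms if accepts_project_keys(project_items, vm))


if __name__ == "__main__":
    for vm in (VM_OPEN, VM_BLOCKED, VM_OSLOGIN):
        print(vm["name"], sorted(effective_metadata_ssh_users(PROJECT_ITEMS, vm)))
    print("still accepting project keys:",
          vms_accepting_project_keys(PROJECT_ITEMS, [VM_OPEN, VM_BLOCKED, VM_OSLOGIN]))
```

Running it shows vm-open exposed to both project users plus its own oncall key, vm-blocked reduced to oncall only, and vm-oslogin with no metadata-key users; the last line names vm-open as the only VM where removing a key from project metadata still matters. To audit a real project, replace the constructed records with the items lists from the API responses shown in this document.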

What's next?