If you are running your own directory service for managing access, or are
otherwise unable to set up OS Login, you can manually manage SSH keys in
metadata.

Risks of manual key management

Some of the risks of manual SSH key management include the following:

- All users who connect to VMs using SSH keys stored in metadata have sudo
  access to VMs.
- You must keep track of expired keys and delete keys for users who shouldn't
  have access to your VMs. For example, if a team member leaves your project,
  you must manually remove their keys from metadata, so they can't continue to
  access your VMs.
- Specifying your gcloud CLI or API calls incorrectly can potentially
  wipe out all of the public SSH keys in your project or on your VMs, which
  disrupts connections for your project members.
- Users and service accounts that have the ability to modify project metadata
  can add SSH keys for all VMs in the project except for VMs that
  block project-level SSH keys.
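
The key-tracking risk above can be checked with a periodic audit of the `ssh-keys` metadata value. The following is an added example, not code from this page or from Google: it assumes the Compute Engine entry format `USERNAME:KEY` with an optional trailing `google-ssh {"userName":...,"expireOn":...}` blob (a format this page does not show), and the roster and sample entries are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample "ssh-keys" metadata value; key material is placeholder text.
SAMPLE = "\n".join([
    'alice:ssh-ed25519 AAAAC3PLACEHOLDER1 alice@example.com',
    'bob:ssh-rsa AAAAB3PLACEHOLDER2 google-ssh {"userName":"bob","expireOn":"2024-01-31T00:00:00+0000"}',
    'carol:ssh-rsa AAAAB3PLACEHOLDER3 google-ssh {"userName":"carol","expireOn":"2031-01-01T00:00:00+0000"}',
    'mallory:ssh-ed25519 AAAAC3PLACEHOLDER4 old-laptop',
])
ROSTER = {"alice", "bob", "carol"}  # hypothetical list of current team members


def audit(ssh_keys_value, roster, now):
    """Return (line_no, username, reason) for every entry that needs review."""
    findings = []
    for n, line in enumerate(ssh_keys_value.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        username, sep, rest = line.partition(":")
        if not sep or not rest.strip():
            findings.append((n, username, "malformed entry"))
            continue
        if username not in roster:
            findings.append((n, username, "user not on current roster"))
        # Expiring keys carry a trailing JSON blob after the "google-ssh" marker.
        _, marker, blob = rest.partition(" google-ssh ")
        if not marker:
            findings.append((n, username, "no expiration set"))
            continue
        try:
            expires = datetime.strptime(json.loads(blob)["expireOn"],
                                        "%Y-%m-%dT%H:%M:%S%z")
        except (ValueError, KeyError, TypeError):
            findings.append((n, username, "unreadable expiration"))
            continue
        if expires <= now:
            findings.append((n, username, "expired " + expires.date().isoformat()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, ROSTER, datetime.now(timezone.utc)):
        print(finding)
```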
Last updated 2025-08-07 UTC.