Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Se você tiver instâncias de máquina virtual (VM) do Linux em execução no Google Cloud, talvez seja necessário compartilhar ou restringir o acesso de usuários ou aplicativos às suas VMs.
Os métodos a seguir podem ser usados para gerenciar o acesso de usuários às instâncias de VM do Linux:
Se você estiver executando seu próprio serviço de diretório para gerenciar o acesso ou não puder configurar o login do SO, poderá gerenciar manualmente as chaves SSH nos metadados.
Riscos do gerenciamento manual de chaves
Alguns dos riscos do gerenciamento manual de chaves SSH incluem:
Todos os usuários que se conectam a VMs usando chaves SSH armazenadas em metadados têm acesso sudo às VMs.
É preciso controlar as chaves expiradas e excluir as chaves de usuários que não devem
ter acesso às suas VMs. Por exemplo, se um membro da equipe deixar o projeto,
você precisará remover manualmente as chaves dos metadados para que ele não possa continuar
a acessar suas VMs.
Além disso, especificar incorretamente a CLI gcloud ou as chamadas de API pode limpar todas as chaves SSH públicas do projeto ou das instâncias, o que interrompe as conexões dos membros do projeto.
Os usuários e as contas de serviço com capacidade de modificar os metadados do projeto podem adicionar chaves SSH a todas as VMs no projeto, exceto às que bloqueiam chaves SSH para envolvidos no projeto.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-04 UTC."],[[["\u003cp\u003eGoogle Cloud offers several methods to manage user access to Linux VM instances, including OS Login and managing SSH keys in metadata.\u003c/p\u003e\n"],["\u003cp\u003eOS Login is the recommended method for managing user access to Linux VMs, enabling the use of Compute Engine IAM roles and offering enhanced security features like two-factor authentication.\u003c/p\u003e\n"],["\u003cp\u003eManually managing SSH keys in metadata carries risks, such as granting all users with those keys \u003ccode\u003esudo\u003c/code\u003e access and requiring manual tracking of expired or unauthorized keys.\u003c/p\u003e\n"],["\u003cp\u003eApplication access to VM instances can be managed through the use of SSH with service accounts, complementing user access controls.\u003c/p\u003e\n"],["\u003cp\u003eCompute Engine tools can be utilized to manage connections to instances, providing an alternative to manual key management.\u003c/p\u003e\n"]]],[],null,["*** ** * ** ***\n\nIf you have Linux virtual machine (VM) instances running on Google Cloud, you\nmight need to share or restrict user or application access to your VMs.\n\n- If you need to manage user access to your Linux VM instances, you can use one\n of the following methods:\n\n - [OS Login](#oslogin)\n - [Managing SSH keys in metadata](#ssh-access)\n - [Temporarily grant a user access to an instance](/compute/docs/access/managing-access-to-resources#bind-member)\n- If you need to manage application access to your VM instances, see\n [Use SSH with service accounts](/compute/docs/tutorials/service-account-ssh).\n\n| **Note:** When a user connects to a VM, that user can use all of the IAM permissions granted to the service account attached to the VM.\n\nManaging user access\n\nOS Login\n\nIn most scenarios, we recommend using [OS Login](/compute/docs/oslogin). The OS\nLogin feature lets you use Compute Engine IAM roles to manage\nSSH access to Linux instances. You can add an extra layer of security by\n[setting up OS Login with two-factor authentication](/compute/docs/oslogin/setup-two-factor-authentication),\nand manage access at the organization level by\n[setting up organization policies](/compute/docs/oslogin/manage-oslogin-in-an-org#set-org-policy).\n\nTo learn how to enable OS Login, see\n[Set up OS Login](/compute/docs/instances/managing-instance-access).\n\nManage SSH keys in metadata\n\nIf you are running your own directory service for managing access, or are\notherwise unable to set up OS Login, you can manually manage SSH keys in\nmetadata.\n| **Note:** If you connect to Linux VMs using the Google Cloud console or the Google Cloud CLI, Compute Engine creates SSH keys on your behalf. For more information on how Compute Engine configures and stores keys, see [About SSH connections to Linux VMs](/compute/docs/instances/ssh).\n\nRisks of manual key management\n\nSome of the risks of manual SSH key management include the following:\n\n- All users who connect to VMs using SSH keys stored in metadata have `sudo` access to VMs.\n- You must keep track of expired keys and delete keys for users who shouldn't have access to your VMs. For example, if a team member leaves your project, you must manually remove their keys from metadata, so they can't continue to access your VMs.\n- Specifying your gcloud CLI or API calls incorrectly can potentially wipe out all of the public SSH keys in your project or on your VMs, which disrupts connections for your project members.\n- Users and service accounts that have the ability to modify project metadata can add SSH keys for all VMs in the project except for VMs that [block project-level SSH keys](/compute/docs/connect/restrict-ssh-keys#block-keys).\n\nIf you aren't sure that you want to manage your own keys,\n[use Compute Engine tools to connect to your instances](/compute/docs/instances/connecting-to-instance)\ninstead.\n\nWhat's next?\n\n- Learn how to [set up OS Login](/compute/docs/instances/managing-instance-access).\n- Learn how to [create SSH keys](/compute/docs/connect/create-ssh-keys).\n- Learn how to [add SSH keys to VMs](/compute/docs/connect/add-ssh-keys).\n- Learn how to [restrict SSH keys from VMs](/compute/docs/connect/restrict-ssh-keys)."]]
