Choosing an access method

If you have Linux VM instances running on Google Cloud, you might need to share or restrict user or app access to your instances.

Managing user access

OS Login

In most scenarios, we recommend using OS Login. The OS Login feature lets you use Compute Engine IAM roles to manage SSH access to Linux instances. You can add an extra layer of security by setting up OS Login with two-factor authentication, and manage access at the organization level by setting up organization policies.

Manage SSH keys in metadata

If you are running your own directory service for managing access, or are otherwise unable to set up OS Login, you can manually manage SSH keys in metadata.

Risks of manual key management

If you create and manage public SSH keys yourself through the Cloud Console, the gcloud command-line tool, or the API, you must keep track of the keys in use and delete the public SSH keys for users who no longer have access. For example, if a team member leaves your project, remove their public SSH keys from metadata so they can't continue to access your instances.

Additionally, specifying your gcloud tool or API calls incorrectly can wipe out all of the public SSH keys in your project or on your instances, which disrupts connections for your project members.

If you aren't sure that you want to manage your own keys, use Compute Engine tools to connect to your instances instead.
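The following is an added example, not part of the original documentation: a sketch of how both risks above can be handled when pruning keys by hand. It assumes the `ssh-keys` metadata value holds one `USERNAME:KEY` entry per line, optionally ending in `google-ssh {"userName":...,"expireOn":...}`; the function names, roster, and sample keys are constructed for illustration.

```python
"""Audit and prune a Compute Engine `ssh-keys` metadata value (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample value; the key material is fake.
SAMPLE = "\n".join([
    "alice:ssh-ed25519 AAAAC3constructedA alice@example.com",
    "bob:ssh-rsa AAAAB3constructedB bob@example.com",
    'carol:ssh-rsa AAAAB3constructedC google-ssh '
    '{"userName":"carol","expireOn":"2020-01-01T00:00:00+0000"}',
    "bob:ssh-ed25519 AAAAC3constructedD bob-laptop",
])

def parse(value):
    """Return (username, entry_line) pairs; blank lines are ignored."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, _ = line.partition(":")
        if not sep or not user:
            raise ValueError(f"malformed ssh-keys entry: {line!r}")
        entries.append((user, line))
    return entries

def expired(entry, now):
    """True if the entry carries a google-ssh expireOn timestamp in the past."""
    if " google-ssh " not in entry:
        return False
    meta = json.loads(entry.split(" google-ssh ", 1)[1])
    if "expireOn" not in meta:
        return False
    return datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z") <= now

def prune(value, roster, now=None):
    """Return (kept_value, removed_entries) for the users who still have access."""
    now = now or datetime.now(timezone.utc)
    kept, removed = [], []
    for user, entry in parse(value):
        keep = user in roster and not expired(entry, now)
        (kept if keep else removed).append(entry)
    if not kept:
        # An empty value would wipe every key, the failure described above.
        raise RuntimeError("refusing to produce an empty ssh-keys value")
    return "\n".join(kept), removed
```

Review the removed entries, write the kept value to a file, and apply it with `gcloud compute project-info add-metadata --metadata-from-file ssh-keys=FILE`; the update replaces the whole `ssh-keys` value, so the file must contain every key that should remain.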
