Setting up OS Login

OS Login lets you use Compute Engine IAM roles to manage SSH access to Linux instances and is an alternative to manually managing instance access by adding and removing SSH keys in metadata.

This topic covers the basic steps for setting up OS Login. When you set up OS Login, you can add a layer of security by using two-factor authentication. For more information, see Setting up OS Login with two-factor authentication.

To configure OS Login and connect to your instances, use the following process:

  1. Enable the OS Login feature on your project or on individual instances.
  2. Grant the necessary IAM roles to yourself, your project members, or your organization members.
  3. Optionally, complete any of the following steps:
  4. Connect to instances.
  5. Review the expected login behaviors.

Before you begin

Limitations

  • OS Login is not currently supported in Google Kubernetes Engine (GKE). GKE cluster nodes continue to use metadata SSH keys when OS Login is enabled.

  • Windows Server and SQL Server image families do not yet support OS Login.

Enabling or disabling OS Login

Before you can manage instance access using IAM roles, you must enable the OS Login feature by setting a metadata key-value pair in your project or in your instance's metadata: enable-oslogin=TRUE. To disable OS Login, set the metadata value to FALSE. For example, you might enable the feature across your entire project using enable-oslogin=TRUE at the project level, but set enable-oslogin=FALSE on specific instances that can't use it yet.

You can apply the enable-oslogin metadata value on your projects or instances by using one of the following options:

Console

Set enable-oslogin in project-wide metadata so that it applies to all of the instances in your project:

  1. In the Google Cloud Console, go to the Metadata page.

    Go to the Metadata page

  2. Click Edit.
  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE. Alternatively, set the value to FALSE to disable the feature.
  4. Click Save to apply the changes.

For VMs that are not running CoreOS, this change is applied instantaneously; you do not need to restart your instance. For CoreOS distributions, reboot or restart the instance for the change to take effect. To restart, perform a stop and then start operation on your instances.

Set enable-oslogin in the metadata of an existing instance:

  1. In the Google Cloud Console, go to the VM instances page.

    Go to the VM instances page

  2. Click the name of the instance on which you want to set the metadata value.
  3. At the top of the instance details page, click Edit to edit the instance settings.
  4. Under Custom metadata, add a metadata entry where the key is enable-oslogin and the value is TRUE. Alternatively, set the value to FALSE to exclude the instance from the feature.
  5. At the bottom of the instance details page, click Save to apply your changes to the instance.

For all operating systems except CoreOS, this change is applied instantaneously; you do not need to restart your instance. For CoreOS distributions, reboot or restart the instance for the change to take effect. To restart, perform a stop and then start operation on your instances.

Set enable-oslogin in instance metadata when you create an instance:

  1. In the Cloud Console, go to the VM Instances page.

    Go to the VM Instances page

  2. Click Create instance.
  3. On the Create a new instance page, fill in the properties for your instance.
  4. In the Metadata section, add a metadata entry where the key is enable-oslogin and the value is TRUE. Alternatively, set the value to FALSE to exclude the instance from the feature.
  5. Click Create to create the instance.

gcloud

Set enable-oslogin in project-wide metadata so that it applies to all of the instances in your project:

Use the project-info add-metadata command in the gcloud command-line tool and set oslogin=TRUE to enable OS Login:

gcloud compute project-info add-metadata
    --metadata enable-oslogin=TRUE

Alternatively, you can set enable-oslogin to FALSE to disable OS Login.

For VMs that are not running CoreOS, this change is applied instantaneously; you do not need to restart your instance. For CoreOS distributions, reboot or restart the instance for the change to take effect.

Set enable-oslogin in metadata of an existing instance:

Use the instances add-metadata command in the gcloud command-line tool and set oslogin=TRUE to enable OS Login. Replace instance-name with the name of your instance.

gcloud compute instances add-metadata instance-name
    --metadata enable-oslogin=TRUE

Alternatively, you can set enable-oslogin to FALSE to exclude your instance from using OS Login.

For all operating systems except CoreOS, this change is applied instantaneously; you do not need to restart your instance. For CoreOS distributions, reboot or restart the instance for the change to take effect.

Set enable-oslogin in instance metadata when you create an instance:

Use the instances create command in the gcloud command-line tool and set oslogin=TRUE to enable OS Login. Replace instance-name with the name of your instance.

gcloud compute instances create instance-name
    --metadata enable-oslogin=TRUE

Alternatively, you can set enable-oslogin to FALSE to exclude your instance from using OS Login.

In addition to the required metadata values, your instance must have the latest version of the guest environment installed. If you have instances that run custom images that you imported, install the guest environment on those instances to enable OS Login.

After you enable OS Login on the instances in your project, grant users permission to connect to those instances.

Configuring OS Login roles on user accounts

Granting OS Login IAM roles

After you enable OS Login on one or more instances in your project, those instances accept connections only from user accounts that have the necessary IAM roles in your project or organization:

For example, you might grant instance access to users with the following process:

  1. Grant the necessary instance access roles to the user. Users must have the following roles:

  2. If you are an organization admin who wants to allow members outside of your organization to access your instances, grant roles/compute.osLoginExternalUser to that user at the organization level.

Users cannot view details about your instances or the external IP addresses for those instances unless you provide those details directly to them. To allow users to view the details of your instances, they require additional IAM roles. For example, the roles/compute.viewer role allows users to view all of the resources in your project, including instance details.

Granting SSH access to a service account

You can use OS Login roles to allow service accounts to establish SSH connections to your instances. This is useful for the following tasks:

You can grant SSH access to your service accounts by using the following process:

  1. Create a service account.
  2. Grant the necessary OS Login roles to your service account. Service accounts require the same roles as user accounts. To learn how to configure roles and permissions for service accounts, see Granting roles to service accounts.
  3. Provide Application Default Credentials to your service account so that it can authorize requests to the necessary APIs. Provide Application Default Credentials using one of the following options:

After you grant SSH access to your service accounts, you can configure your apps to create SSH keys and establish SSH connections to other instances on your VPC networks. Read the Connecting applications to instances using SSH tutorial to see an example app for service account SSH.

Revoking OS Login IAM roles

To revoke user access to instances that are enabled to use OS Login, remove the user roles from that user account. For information about removing an IAM role for a user, see Granting, changing, and revoking access to resources.

When a user's access is revoked, the user will still have public SSH keys associated with their account, but those keys no longer function on the VM instances.

Connect to instances

After you configure the necessary roles, connect to an instance using Compute Engine tools. Compute Engine automatically generates SSH keys and associates them with your user account.

Alternatively, if you create your own SSH keys and add the public keys to your user account, you can connect to instances using third-party tools. The instance obtains your public key from your user account and lets you connect to the instance if you provide the correct user name and matching private SSH key.

After you connect to your instance, review the expected login behaviors.

Expected login behaviors

  • On some instances using OS Login, you might receive the following error message after the connection is established:

    /usr/bin/id: cannot find name for group ID 123456789

    Ignore this error message. This error does not affect your instances.

  • If a username is not set by a G Suite administrator, OS Login generates a default Linux username by combining the username and domain from the email associated with the user's Google profile. This naming convention ensures uniqueness. For example, if the user email associated with the Google profile is user@example.com, then their generated username is user_example_com.

    This generated username is based on domains associated with a G Suite account. If a user is from a separate G Suite organization, the generated username is prefixed with 'ext_'. For example, if user@example.com is accessing a VM in a different organization, then their generated username is ext_user_example_com.

  • When you log in to an instance by using the gcloud compute ssh command, the following message displays:

    Using OS Login user [user_example_com] instead of default user [user]

    This message confirms that you are logging in with your OS Login profile.

Adding SSH keys to a user account

You can associate public SSH keys with the following user account types:

You can use the gcloud command-line tool, or the OS Login API to add SSH keys to your own account. Alternatively, if you are a domain admin for an organization, you can use the Directory API, to add SSH keys to the user account in your organization.

gcloud

The gcloud compute os-login commands are available only on Cloud SDK version 184 and later.

Use the gcloud command-line tool to associate public SSH keys with an account.

gcloud compute os-login ssh-keys add \
    --key-file key-file-path \
    --ttl expire-time

Replace the following:

  • key-file-path: The path to the public SSH key on your local workstation. Ensure that the public SSH key is properly formatted. If you use PuTTYgen on Linux systems to generate your public keys, you must use the public-openssh format.
  • expire-time: An optional flag to set an expiration time for the public SSH key. For example, you can specify 30m and the SSH key will expire after 30 minutes. This flag uses the following units:
    • s for seconds
    • m for minutes
    • h for hours
    • d for days Set the value to 0 to indicate no expiration time.

OS Login API

Use the OS Login API to associate public SSH keys with an account:

POST https://oslogin.googleapis.com/v1/users/account-email:importSshPublicKey

{
 "key": "ssh-key",
 "expirationTimeUsec": "expiration-timestamp"
}

Replace the following:

  • account-email: The email address that represents your managed user account.
  • ssh-key: The public key that you want to apply to the account. Ensure that the public SSH key is properly formatted. If you use PuTTYgen on Linux systems to generate your public keys, you must use the public-openssh format.
  • expiration-timestamp: The expiration time for the key, in microseconds since epoch.

Directory API

If you are a domain admin for an organization, you can use the Directory API reference to add SSH keys to the account of another user in your organization. For example, create a PUT request to the directory.users.update method with one or more SSH sshPublicKeys entries:

PUT https://www.googleapis.com/admin/directory/v1/users/user-id-key

{
 "sshPublicKeys": [
  {
   "key": "ssh-key",
   "expirationTimeUsec": "expiration-timestamp"
  },
  {
   "key": "ssh-key",
   "expirationTimeUsec": "expiration-timestamp"
  }
 ]
}

Replace the following:

  • user-id-key: An immutable ID for the user.
  • ssh-key: A public key that you want to apply to the account. Ensure that the public SSH key is properly formatted. If you use PuTTYgen on Linux systems to generate your public keys, you must use the public-openssh format.
  • expiration-timestamp: The expiration time for a key, in microseconds since epoch.

To remove all keys from an account, specify "sshPublicKeys": null as the body, replacing user-id-key with an immutable ID for the user:

PUT https://www.googleapis.com/admin/directory/v1/users/user-id-key

{
  "sshPublicKeys": null
}

After you add your keys to your account, you can connect to instances using third-party tools and the username associated with your account. Your organization admin can change this username. You can find the username for your account by running the gcloud compute os-login describe-profile command:

gcloud compute os-login describe-profile

name: account-email
posixAccounts:
⋮
  username: user-name

Replace the following:

  • account-email: The email address that represents your managed user account.
  • user-name: The username for establishing SSH connections. By default, this is generated from your account-email.

What's next

هل كانت هذه الصفحة مفيدة؟ يرجى تقييم أدائنا:

إرسال تعليقات حول...

Compute Engine Documentation