This guide describes when you should manage your own SSH keys for your Linux
instances, and which metadata values to use when you add or remove SSH keys
yourself through the gcloud tool or the API.
If you only need to connect to your Linux instances and do not need to manage your own keys manually, see Connecting to Linux Instances. If you need to connect to a Windows instance, see Connecting to Windows instances.
Compute Engine manages SSH keys for you. You can
connect to an instance from your browser
connect to your instances through the
However, in some situations you might want to generate your own key-pairs and
apply them to your projects and instances yourself.
Risks of manual key management
If you add and manage SSH keys yourself through the gcloud tool or the API,
you must keep track of the keys in use and delete the keys that are no longer
valid. A public key that remains valid must not give access to someone who no
longer needs it. For example, if a team member leaves your project, remove
their SSH keys so they cannot continue to access your instances.
Additionally, specifying your gcloud or API calls incorrectly can potentially
wipe out all of the public SSH keys in your project or on your instances, which
disrupts connections for your project members.
The keys that you apply through the gcloud tool and the API are formatted
differently than if you apply keys through the console. If you need to manage
your keys in the Cloud Platform Console rather than through the gcloud tool or
the API, see Connecting to Linux Instances.
If you are not sure that you want to manage your own keys, use Compute Engine tools to connect to your instances instead.
SSH Key Metadata Values
Use specific metadata values to apply public SSH keys to your instances.
- Project-level keys
  - sshKeys - A project-level value that applies one or more public SSH keys to all of the instances in your project, but does not apply to instances that are configured to block project-wide keys.
- Instance-level keys
  - ssh-keys - An instance-level value that applies one or more public SSH keys to a specific instance. This value functions only if your instance uses a newer Compute Engine image.
  - block-project-ssh-keys - An instance-level value that blocks the instance from using any project-wide SSH keys.
Some images do not support the
metadata values. These metadata values function only on images that were
created after the following dates:
| Image | Created after |
|---|---|
| CentOS 6 and 7 | February 10th, 2016 |
| Debian 8 | February 10th, 2016 |
| openSUSE 13 | February 10th, 2016 |
| RHEL 6 and 7 | February 10th, 2016 |
| SUSE 11 and 12 | March 1st, 2016 |
| Ubuntu 16.04 LTS and 14.04 LTS | March 3rd, 2016 |
| Ubuntu 12.04 LTS | March 29th, 2016 |
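The following Python sketch is an added example, not code from this guide or from Compute Engine. It works out which usernames reach an instance from the three metadata values above, and removes one user's keys by rebuilding the value from its current contents so the other keys survive. It assumes each entry is a `USERNAME:KEY` line and that `block-project-ssh-keys` is enabled with the value `TRUE`; the function names and sample keys are constructed for illustration.

```python
def parse_keys(value):
    """Split a metadata value into (username, public_key) pairs, one per line."""
    pairs = []
    for line in (value or "").splitlines():
        line = line.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        if not sep or not user or not key.strip():
            raise ValueError(f"malformed key entry: {line[:40]!r}")
        pairs.append((user, key.strip()))
    return pairs


def effective_users(project_md, instance_md):
    """Usernames whose keys reach one instance, given both metadata dicts."""
    pairs = parse_keys(instance_md.get("ssh-keys"))
    # Assumption: the block flag is enabled with the string "TRUE".
    blocked = instance_md.get("block-project-ssh-keys", "").upper() == "TRUE"
    if not blocked:
        pairs += parse_keys(project_md.get("sshKeys"))
    return sorted({user for user, _ in pairs})


def remove_user(value, username):
    """Return the value without username's keys, keeping every other entry."""
    current = parse_keys(value)
    kept = [(u, k) for u, k in current if u != username]
    if len(kept) == len(current):
        raise LookupError(f"no key for {username!r}; value left unchanged")
    return "\n".join(f"{u}:{k}" for u, k in kept)


# Constructed sample metadata; key bodies are placeholders, not real keys.
PROJECT = {"sshKeys": "alice:ssh-rsa AAAAB3placeholderA alice\n"
                      "bob:ssh-rsa AAAAB3placeholderB bob"}
OPEN_VM = {"ssh-keys": "carol:ssh-rsa AAAAB3placeholderC carol"}
LOCKED_VM = {"ssh-keys": "carol:ssh-rsa AAAAB3placeholderC carol",
             "block-project-ssh-keys": "TRUE"}

if __name__ == "__main__":
    print(effective_users(PROJECT, OPEN_VM))
    print(effective_users(PROJECT, LOCKED_VM))
    print(remove_user(PROJECT["sshKeys"], "bob"))
```

Because `remove_user` raises when the user has no entry, a mistyped username cannot silently produce an unchanged or empty value to write back.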
Root SSH login to Compute Engine instances
By default, public images and most common
operating systems do not allow root login over SSH. As a best practice, the
/etc/ssh/sshd_config SSH configuration file has the
parameter set to
Because of this parameter, you cannot connect to instances as the root user
even if you specify an SSH key for
root in your project or instance metadata.
If a user requires root permissions, they can get those permissions by running