Manage OS Login in an organization

Linux

If you use OS Login to manage access to your instances, you can set configurations at the organization level for your Cloud Identity account. For example, you can control who can directly use the OS Login API, enable OS Login for all virtual machine (VM) instances in an organization, and grant access to external users.

This topic covers the following tasks:

Enable OS Login for an organization using an organization policy: Use an organization policy to ensure that all new VM instances in your organization have OS Login enabled.
Grant instance access to users outside of your organization: Allow user accounts outside of your organization to use SSH to connect to your instances.
Manage the OS Login API: Allow or deny users access to use the OS Login API. Also enable or disable features of the OS Login API.
Audit OS Login events: Track OS Login-related events and activities such as adding, deleting, or updating an SSH key, or deleting POSIX information.
Modify user accounts using the Directory API: Update user properties, such as username and POSIX account information, by using the Directory API.
Use Linux groups with OS Login: Manage user permissions within VMs by using Linux groups with OS Login.

Before you begin

If you want to use the command-line examples in this guide, do the following:
1. Install or update to the latest version of the Google Cloud CLI.
2. Set a default region and zone.
If you want to use the API examples in this guide, set up API access.

OS Login organization policy

You can set up an OS Login constraint in your organization to ensure that all new projects, and the VM instances created in these new projects, have OS Login enabled.

When this constraint is set up, the following conditions are applied:

enable-oslogin=true is included in the project metadata for all new projects.
Requests that set enable-oslogin to false in instance or project metadata are rejected, for new and existing VMs and projects.

Limitations

OS Login is not supported in the following products, features, and VMs:

Cloud Data Fusion versions 6.1.4 and earlier
Cloud Composer
Google Kubernetes Engine (GKE) public clusters that run versions earlier than 1.23.5
GKE private clusters that run node pool versions earlier than 1.20.5
Dataproc Serverless
Windows Server and SQL Server VMs
Fedora CoreOS VMs. To manage instance access to VMs created using these images, use the Fedora CoreOS ignition system

Workarounds for Cloud Data Fusion, Cloud Composer, and GKE

To use OS Login in organizations that use Cloud Data Fusion, Cloud Composer, and GKE, you can enable OS Login constraint at the organization level and then selectively disable the constraint on projects or folders for the affected projects.

For more information about editing organization policies, see creating and editing policies.

Enable the organization policy

Permissions required for this task

To perform this task, you must have the following permissions:

resourcemanager.organizationAdmin role. For more information see, Access control for organizations using IAM.
To learn more about managing policies at the organization level, see Add an organization policy administrator.

To enable the OS Login policy, you can set the OS Login constraint on specific projects and folders by using the Google Cloud CLI. You can also set the OS Login constraint on the entire organization by using either the Google Cloud console or the Google Cloud CLI.

Console

To set the OS Login organization policy from the console, complete the following steps:

In the Google Cloud console, go to the Organization policies page.
Go to the Organization policies page
In the policies list, click Require OS Login to view the OS Login constraints.
Click Edit to edit your existing OS Login constraints.
On the Edit page, select Customize.
To enable enforcement of this constraint, select On.
Click Save to apply the constraint settings.

gcloud

To set the OS Login organization policy, use the gcloud beta resource-manager org-policies enable-enforce command.

Find your organization ID.
```
gcloud organizations list
```

Set the constraint in your organization. Replace organization-id with your your organization ID.

gcloud beta resource-manager org-policies enable-enforce compute.requireOsLogin \
    --organization=organization-id

You can also apply the OS Login organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

For folders, run the following command:

gcloud beta resource-manager org-policies enable-enforce compute.requireOsLogin \
    --folder=folder-id

For projects, run the following command:

gcloud beta resource-manager org-policies enable-enforce compute.requireOsLogin \
    --project=project-id

Replace the following:

folder-id: your folder ID.
project-id: your project ID.

Grant instance access to users outside of your organization

By default, users outside of your organization can't set SSH keys for instances in your organization or be granted access to instances in your organization. In some situations, you might need to grant instance access to users who are part of a different organization or who have a consumer Google gmail.com account.

The roles/compute.osLoginExternalUser IAM role lets external Google Accounts interact with the other OS Login roles by allowing them to configure POSIX account information. The roles/compute.osLoginExternalUser IAM role doesn't grant access to VMs.

To grant roles/compute.osLoginExternalUser and other necessary OS Login instance access roles to users outside of your organization, complete the following steps:

In the Google Cloud console, go to the project and organization selection page.
Go to the project and organization selection page
In the Organization drop-down menu, select your organization.
1. Click All, to view all of your organizations.
2. Click the name of the organization.
Click Add to add a new role to a user.
Specify the user name for the user for whom you want to configure instance access.
Click Select a role to specify which roles you want to grant to the users.
In the Compute Engine roles list, select the Compute OS Login External User role.
Click Add to confirm that you want to grant the selected role to the user.
If you have not already done so, grant the other OS Login instance access roles to the user at the project or organization level.

The user can now connect to instances in your project that have OS Login enabled.

Manage the OS Login API

At an organization level, you can restrict access to the OS Login API by setting Google Workspace admin controls. To configure Google Workspace admin controls or view configuration options, see Control who uses Google Cloud in your organization. As a Google Workspace admin, you can also turn on or off certain features of the OS Login API. This includes the following options:

Choose whether to include the domain suffix in usernames generated by OS Login API. For example, in the domain example.com, the user user@example.com will have the username user if the setting to include domain suffix is not checked.
Decide if members of your organization can manage SSH keys using the OS Login API.
Restrict or permit VM access to users outside of your organization.

For more information about turning on or off OS Login API settings, see Choose settings for Google Cloud Platform.

Audit OS Login events

As a Google Workspace Admin, you can use the Google Workspace Admin SDK to audit actions performed with the OS Login API. By reviewing these events, you can track when a user adds, deletes, or updates an SSH key, or deletes POSIX account information.

You can retrieve OS Login API audit activity events, from the Google Workspace Admin SDK, by calling Activities.list() with applicationName=gcp. For more information, see Google Cloud activity events in the Google Workspace Admin SDK Reports API documentation.

Modify user accounts using the Directory API

OS Login uses either your Cloud Identity or Google Workspace user settings when connecting to an instance. If you are an organization admin, you can use the Directory API to complete the following tasks for your Google Workspace or Cloud Identity user accounts:

Modify instance login settings.
Make a user an administrator
Modify user properties such as account name and email
Add and remove SSH keys for a user
Modify POSIX account information
Change the username that the users connect to on the instance.

The following examples show how to modify or remove user accounts using the Directory API. For more information about the account properties that you can edit, see the Directory API reference.

Modify account properties

To modify a user's POSIX account information or manage the user's SSH keys, issue a PUT request to the directory.users.update method and specify one or more properties to change on the user account.

If you modify a user's posixAccounts properties, you must specify the current or new username, uid, and gid values in the request.

If you modify the user's sshPublicKeys properties, you must specify the key value in the request.

The following is an example of a PUT request:

PUT https://admin.googleapis.com/admin/directory/v1/users/USER_KEY

{
 "posixAccounts": [
  {
    "username": "USERNAME",
    "uid": "UID",
    "gid": "GID",
    "homeDirectory": "USER_HOME_PATH",
    "shell": "SHELL_PATH"
   }
  ],
 "sshPublicKeys": [
  {
    "key": "KEY_VALUE",
    "expirationTimeUsec": EXPIRATION_TIME
   }
  ],
}

Replace the following:

USER_KEY: the user's primary email address, alias email address, or unique user ID.
USERNAME: the username that Compute Engine adds to the VM for the user. This value must be unique within your organization and must not end in a tilde ("~") or contain a period (".").
UID: the user ID on the VM for this user. This property must be a value between 1001 and 60000, or a value between 65535 and 2147483647. To access a container-optimized OS, the UID must have a value between 65536 and 214748646. The UID must be unique within your organization.
GID: the group ID on the VM that the user belongs to.
USER_HOME_PATH: (Optional) the home directory on the VM for the user. For example, /home/example_username.
SHELL_PATH: (Optional) the path to the default shell for the user after they connect to the instance. For example, /bin/bash or /bin/sh.
KEY_VALUE: the public SSH key value.
EXPIRATION_TIME: (Optional) the key's expiration time in microseconds since epoch (1 second = 10⁶ microseconds).

Remove account properties

To clear the posixAccounts and sshPublicKeys data for a user, issue a PUT request to the directory.users.update method, setting the posixAccounts and sshPublicKeys fields to null:

PUT https://admin.googleapis.com/admin/directory/v1/users/USER_KEY

{
 "posixAccounts": null,
 "sshPublicKeys": null
}

Replace USER_KEY with the user's primary email address, alias email address, or unique user ID.

Use Linux groups with OS Login

Organization admins can use the Cloud Identity Groups API to configure supplementary Linux groups for OS Login users by creating and managing POSIX groups. OS Login links POSIX groups with supplementary Linux groups in your organization's VMs so that you can manage the permissions users have in your VMs.

Manage user membership in Linux groups

To create a POSIX group, see Creating and updating POSIX groups.

To add users to a group, see Add or invite users to a group.

Membership updates take effect within 10 minutes. Group changes are reflected in all newly created VMs. POSIX group updates may take up to six hours to propagate to all running VMs. Users may have to log out or use the newgrp command to observe group changes.

Rate limits for Linux groups with OS Login

Linux groups with OS Login use oslogin.googleapis.com/metadata_server_groups_requests quota. By default, the quota limit is 60 requests/minute, per project for a particular region.

If you need a higher rate limit, you can request additional quota from the Quotas page in the Google Cloud console.

Go to Quotas

What's next

Learn how to set up OS Login.
Learn how to set up OS Login with 2-step verification.
Read an overview of the OS Login feature.
Troubleshoot OS Login.