SSH from the browser

Using the SSH from the browser window lets you use SSH to connect to a Compute Engine virtual machine (VM) instance from within the Google Cloud Console. You do not need to install web browser extensions or additional software to use this feature. SSH from the browser is an alternative to other methods of connecting to an instance.

Connecting to a Linux VM instance

Compute Engine manages your SSH keys for you whenever you connect to a Linux instance from your browser, creating and applying SSH key pairs when needed. You cannot manage the SSH keys that are used to connect from the browser. Instead, user access to connect from the browser is controlled by Identity and Access Management roles. The principals that have access to a project can be viewed from the IAM page in the Google Cloud Console:

Go to the IAM page

To connect through the browser, you must have the Compute Instance Admin role or an equivalent custom role. If your instance can run as a service account, you must also have the Service Account User role. If you do not have access to connect through the browser, ask a project owner to grant you access.

After you have been granted access, connect to a Linux instance directly from your web browser in the Cloud Console:

  1. In the Cloud Console, go to the VM instances page.

    Go to VM instances

  2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

    SSH button next to instance name.

Alternatively, you can open an SSH connection to an instance by clicking its name and clicking SSH from the instance details page.

You can now use the terminal to run commands on your Linux instance. When you have finished, disconnect from the instance by using the exit command.

If an instance is configured to allow TCP tunneling through Identity-Aware Proxy, you can connect to the instance using SSH from the browser. This is especially useful for instances without an external IP address. To enable it, see Identity-Aware Proxy TCP forwarding. Note: IAP is the default route for instances configured with TCP tunneling and an external IP address.

Supported environments

SSH from the browser supports the following:

  • Web browsers
    • Latest version of Google Chrome
    • Firefox
    • Microsoft Edge
    • Microsoft Internet Explorer 11 and later
    • Safari 8 and later. Note that Safari in private browser mode is not supported.
  • Virtual machine configurations
    • All Linux VM images that are natively available in Google Cloud.

Known issues

  • Slow SSH key transfer times. By default, SSH in the browser pushes a new SSH key to project metadata on every new connection. This can be slow on projects with large amounts of VMs. To speed up key transfer, consider blocking project-wide SSH keys or enabling OS Login.

  • Startup latency. Current connection time using SSH from the browser is 5 to 30 seconds. Current versions of the guest environment support quicker connections.

  • New VM instances aren't immediately available. New instances take some time to boot up before SSH can be established. If you can't connect to a new instance, retry after a few minutes.

  • Intermittent disconnects. At this time, we don't offer a specific SLA for connection lifetimes. Use terminal multiplexers like tmux or screen if you plan to keep the terminal window open for an extended period of time.

  • Connecting to instances that don't have an external IP address. If your Compute Engine instance only has an internal IP address, use one of the following options to connect:

    • SSH from the browser with configured Identity-Aware Proxy TCP forwarding.

    • SSH from the browser with bastion host. To use this option, both the target and bastion instances must be in the same VPC network or in VPC networks that are connected.

      To connect using SSH from the browser with a bastion host, complete the following steps:

      1. Use SSH from the browser to connect to the bastion instance that has an external IP address. This step generates a temporary SSH key pair and uploads the public key to the project or instance m