SSH from the browser

Using the SSH from the browser window lets you use SSH to connect to a Compute Engine virtual machine (VM) instance from within the Google Cloud Console. You do not need to install web browser extensions or additional software to use this feature. SSH from the browser is an alternative to other methods of connecting to an instance.

Connecting to a Linux VM instance

Compute Engine manages your SSH keys for you whenever you connect to a Linux instance from your browser, creating and applying SSH key pairs when needed. You cannot manage the SSH keys that are used to connect from the browser. Instead, user access to connect from the browser is controlled by Identity and Access Management roles. The members and IAM roles for a project can be viewed from the IAM page in the Google Cloud Console:

Go to the IAM page

To connect through the browser, you must be a project member who is a compute instance admin. If your instance can run as a service account, you must also be a service account user. If you do not have access to connect through the browser, ask a project owner to add you to the project and grant you access.

After you have been granted access, connect to a Linux instance directly from your web browser in the Cloud Console:

  1. In the Cloud Console, go to the VM instances page.

    Go to the VM instances page

  2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

    SSH button next to instance name.

Alternatively, you can open an SSH connection to an instance by clicking its name and clicking SSH from the instance details page.

You can now use the terminal to run commands on your Linux instance. When you have finished, disconnect from the instance by using the exit command.

If an instance is configured to allow TCP tunneling through Identity-Aware Proxy, you can connect to the instance using SSH from the browser. This is especially useful for instances without an external IP address. To enable it, see Identity-Aware Proxy TCP forwarding. Note: IAP is the default route for instances configured with TCP tunneling and an external IP address.

Supported environments

SSH from the browser supports the following:

  • Web browsers
    • Latest version of Google Chrome
    • Firefox
    • Microsoft Edge
    • Microsoft Internet Explorer 11 and later
    • Safari 8 and later. Note that Safari in private browser mode is not supported.
  • Virtual machine configurations
    • All Linux VM images that are natively available in Google Cloud.

Known issues

  • Slow SSH key transfer times. By default, SSH in the browser pushes a new SSH key to project metadata on every new connection. This can be slow on projects with large amounts of VMs. To speed up key transfer, consider blocking project-wide SSH keys or enabling OS Login.

  • Startup latency. Current connection time using SSH from the browser is 5 to 30 seconds. Current versions of the guest environment support quicker connections.

  • New VM instances aren't immediately available. New instances take some time to boot up before SSH can be established. If you can't connect to a new instance, retry after a few minutes.

  • Intermittent disconnects. At this time, we don't offer a specific SLA for connection lifetimes. Use terminal multiplexers like tmux or screen if you plan to keep the terminal window open for an extended period of time.

  • Connecting to instances that don't have an external IP address. If your Compute Engine instance only has an internal IP address, use one of the following options to connect:

    • SSH from the browser with configured Identity-Aware Proxy TCP forwarding.

    • SSH from the browser with bastion host. To use this option, both the target and bastion instances must be in the same VPC network or in VPC networks that are connected.

      To connect using SSH from the browser with a bastion host, complete the following steps:

      1. Use SSH from the browser to connect to the bastion instance that has an external IP address. This step generates a temporary SSH key pair and uploads the public key to the project or instance metadata for the bastion host.
      2. From the bastion instance, connect to the target instance that only has an internal IP address. To connect to the target instance from the bastion instance, run the following command, replacing internal-ip with the internal IP address of the target instance:

        ssh -A internal-ip

        You must run this command within approximately two minutes after connecting to the bastion instance before you can use the temporary key generated in the first step.

  • Ctrl+W closes the window. Ctrl+W, Ctrl+F4, Ctrl+Tab, and other key combinations that work as browser keyboard shortcuts are not passed by the SSH client to the target system. To send these or other shortcuts, click the keyboard icon in the upper right of the window. If you use the Google Chrome browser, you can install the "SSH for Google Cloud Platform" extension. The extension improves the console experience for SSH from the browser and Cloud Shell by giving you direct access to keyboard shortcuts normally reserved by the browser, such as Ctrl+W.

  • File transfer can sometimes be slow for large files. We recommend that you use the gcloud compute scp command to transfer large files.

Handling the "Unable to connect on port 22" error message

You may see this error under the following conditions:

  • The instance is booting up and sshd is not running yet. Verify that the instance has finished booting up before trying again.

  • The instance is not running sshd. sshd runs by default on instances created from standard Compute Engine images. If you have manually disabled sshd or you have configured a custom image that isn't running this service, SSH from the browser doesn't work.

  • sshd is listening on a port other than the one you are connecting to. By default, SSH from the browser connects to the instance on port 22. If you are running sshd on a custom port, you can connect to that port by using the Open in browser window on custom port item in the SSH button drop-down list.

  • There is no firewall rule allowing SSH access on the port. SSH access on port 22 is enabled on all Compute Engine instances by default. If you have disabled access, SSH from the browser doesn't work. If you run sshd on a port other than 22, you need to enable the access to that port by using a custom firewall rule.

  • The firewall rule allowing SSH access is enabled but is not configured to allow connections from Cloud Console services. Source IP addresses for browser-based SSH sessions are dynamically allocated by Cloud Console and can vary from session to session. For the feature to work, you must allow connections either from any IP address or from Google's IP address range, which you can retrieve by using public SPF records.

  • The instance is shut down. Verify that the instance is up and running. For information about how you can troubleshoot an unhealthy instance, see General tips for using Compute Engine.

Handling the "Could not connect, retrying..." error

  • The instance might not be running the guest environment. Verify that the guest environment is installed and running.

  • The boot disk of the instance has run out of free space. When the connection is established, the guest environment updates the ~/.ssh/authorized_keys file with the public SSH key used for the current session. If the disk runs out of free space, the update fails. To identify issues with disk space, check the serial console output of the instance and look for "No space left" errors. Here are some methods that you can use to resolve disk space issues:

    • Resize the boot persistent disk of the instance to increase its size. If the operating system image used by the instance supports automatic resizing, this is the easiest option because the operating system automatically resizes the root partition to match the new size after the instance is restarted.
    • If you know which files are using the disk space, create a startup script that deletes the unnecessary files and frees space for the instance to start. Restart the instance so that the script executes and cleans the files. Be careful to use the correct command and delete the correct files. After your instance starts and you are able to connect to the instance through SSH, set the startup-script metadata item back so it does not continue to delete the files.
    • For information about how to access the instance's disk, see General tips for using Compute Engine.
  • The permissions or ownership on $HOME, $HOME/.ssh, or $HOME/.ssh/authorized_keys might be wrong.

    • Ownership The guest environment needs to be able to store the public SSH key in the $HOME/.ssh/authorized_keys file for the connecting user. Make sure that the owner of the $HOME directory, the $HOME/.ssh directory, and the authorized_keys file is the same as the connecting user.
    • Permissions Try connecting as a different user by changing the username and fix any permission issues for the user who can't connect.

      Directory/File Required Unix permission
      The $HOME directory 0755 or
      The $HOME/.ssh directory 0700
      The authorized_keys file 0600


You can copy and paste text by using the keyboard shortcuts supported by your browser and platform (Ctrl+C/Ctrl+V on Windows and Linux, Cmd+C/Cmd+V on macOS, and Ctrl+Shift+V on Chrome OS). In general, these commands work for most configurations, but your configuration might render different results. If you encounter problems copying and pasting large blocks of text, use file transfer instead.

Transfer files

If you can establish an SSH connection to an instance by using the SSH from the Browser window, you can use that connection to transfer files to the instance.

For more information, see Transferring files using SSH in the browser.


You can scroll the terminal using your mouse wheel or trackpad. Alternatively, the Ctrl+Shift+PageUp/Ctrl+Shift+PageDn keyboard shortcuts scroll the terminal on Windows and Linux, and Fn+Shift+Up/Fn+Shift+Down scroll the terminal on macOS.

Login username

Default username

By default, a username for SSH sessions is generated from the email address logged into the account, omitting the domain information. For example, if an email is, the corresponding username would be user.

Default username with OS Login enabled

If you have OS Login enabled, and a username is not set by a Google Workspace administrator, then a longer version of a username is set by default. This username includes the domain information. For example, if an email is, the corresponding username is user_gmail_com. For more information about OS Login behaviors, see Expected login behaviors.

Changing the default username

You can change the username from within an SSH window by following these instructions:

  1. Connect to a VM instance.
  2. In the upper-right corner of the SSH window, click the Settings icon Settings icon..
  3. Select Change Linux Username. There is a 32-character limit on the maximum length of the login name on Linux systems, so both default and configured usernames are truncated to not exceed that limit.
  4. (Optional) Copy data to the new home directory. Each new username is a different Unix user, so if you used your home directory to store any data, you can copy the data to the new directory by using the cp command. For example, if you change your username from user_gmail_com to user, run the following commands:

    # This will overwrite files in the target directory, so be careful.
    $ sudo cp -r /home/user_gmail_com/. /home/user
    $ sudo chown -R user:user /home/user

Using user-provided private SSH key

You can optionally connect with a user-provided private SSH key by selecting the Open in browser window using provided private SSH key item in the SSH button drop-down list.

To connect to your instances with a user-provided provide SSH key, complete these prerequisite steps:

  1. Enable the OS Login feature on your project or on individual instances.
  2. Configure the public SSH key with the user's OS Login profile. Include the project ID in the request to ensure your profile is properly configured.