Unable to deprovision local users created in path /etc/passwd after disconnecting from a Compute Engine instance

Problem

You observe that local users created in path /etc/passwd after connecting to the Google Compute Engine instance persist even after the console session is closed.

Environment

  • Any Debian-based Google Compute Engine image 

Solution

  1. Enable OS login: when used, the Guest Agent will not create local users.
OR
  1. Alternatively, you can use the deprovision_remove configuration. This configuration will deprovision any user that does not have an SSH key in the metadata. It will trigger a userdel command for that user. However, this option is destructive and not generally recommended.

If you like to test or confirm the Guest Agent's behavior, you can use the userdel command to remove any users already created. The --remove flag will remove the user's home directory as well.

Cause

Google Compute Engine's guest agent does not deprovision local users after a connection has been terminated.