Some or all of the information on this page might not apply to Trusted Cloud by S3NS. See Differences from Google Cloud for more details.

Add SSH keys to VMs

This document describes how to add SSH keys to virtual machine (VM) instances.

Before you begin

If you haven't already, create an SSH key pair.
If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Trusted Cloud by S3NS services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:

Select the tab for how you plan to use the samples on this page:
Console

When you use the Trusted Cloud console to access Trusted Cloud by S3NS services and APIs, you don't need to set up authentication.
gcloud
1. Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity. After signing in, initialize the Google Cloud CLI by running the following command:
  gcloud init
  Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
2. Set a default region and zone.
Terraform

To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
For more information, see Set up authentication for a local development environment.
REST

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
For more information, see Authenticate for using REST in the Trusted Cloud authentication documentation.

Add SSH keys to VMs that use metadata-based SSH keys

VMs store SSH keys in Compute Engine project and instance metadata. If OS Login is enabled for a VM, then the VM's guest agent ignores the keys stored in metadata.

You can use SSH keys stored in project metadata to access all VMs in a project. You can use SSH keys stored in instance metadata to access individual VMs.

Compute Engine doesn't automatically remove expired SSH keys from metadata at expiration time, but expired keys can't be used to establish new connections to VMs. If you want to remove expired keys from metadata, see Remove SSH keys from VMs that use metadata-based keys.

You can add a public SSH key to project or VM instance metadata using the Trusted Cloud console, the gcloud CLI, or REST. You can't set zonal metadata values for SSH keys.

Add SSH keys to project metadata

You can add a public SSH key to project metadata to access all VMs in a project, except VMs that block project-wide SSH keys. For more information about blocking project-wide SSH keys, see Block SSH keys from VMs that use metadata-based SSH keys.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.projects.setCommonInstanceMetadata on the project.
iam.serviceAccounts.actAs on the project. For more information about service account permissions, see Roles for service account authentication.

Console

To add a public SSH key to project metadata using the Trusted Cloud console, do the following:

In the Trusted Cloud console, go to the Metadata page.

Go to Metadata
Click the SSH keys tab.
Click Edit.
Click Add item.
In the SSH key field that opens, add your public SSH key. The key must be in one of the following formats:
- Format for a key without an expiration time:
```
KEY_VALUE USERNAME
```
- Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
Replace the following:
- KEY_VALUE: the public SSH key value
- USERNAME: your username. For example, cloudysanfrancisco or cloudysanfrancisco_gmail_com.
  For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.
  
  For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
- EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
Click Save.

gcloud

In the Trusted Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Trusted Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

If there are existing SSH keys in project metadata, you must re-add them to project metadata every time you add a new SSH key using the gcloud CLI. If you don't re-add your existing keys, adding a new key erases the existing keys.

To add a public SSH key to project metadata using the gcloud CLI, do the following:
1. If your project already has project-wide public SSH keys, get them from metadata and add them to a new file:
  1. Run the gcloud compute project-info describe command to get the SSH keys for the project:
```
gcloud compute project-info describe \
 --format="value(commonInstanceMetadata[items][ssh-keys])"
```
    The output is similar to the following:
```
username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
```
  2. Copy the ssh-keys metadata value.
  3. Create and open a new text file on your workstation.
  4. In the file, paste the list of keys that you just copied.
  5. Add your new key at the end of the list, in one of the following formats:
    - Format for a key without an expiration time:
      USERNAME:KEY_VALUE
    - Format for a key with an expiration time:
      USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
    Replace the following:
    - KEY_VALUE: the public SSH key value
    - USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
      For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.
      
      For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
    - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
  6. Save and close the file.
2. Run the gcloud compute project-info add-metadata command to set the project-wide ssh-keys value:
```
gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
```
  Replace KEY_FILE with one of the following:
  - The path to the file you created in the previous step, if the project had existing SSH keys
  - The path to your new public SSH key file, if the project didn't have existing SSH keys

Terraform

To add a public SSH key to your project metadata, use the google_compute_project_metadata resource.

resource "google_compute_project_metadata" "default" {
  metadata = {
    ssh-keys = <<EOF
      dev:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT dev
      test:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT test
    EOF
  }
}

REST

If there are existing SSH keys in project metadata, you must re-add them to project metadata every time you add a new SSH key using the the Compute Engine API. If you don't re-add your existing keys, adding a new key erases the existing keys.

To add a public SSH key to project metadata using the Compute Engine API, do the following:

Get the fingerprint and ssh-keys values from metadata by using the projects.get method

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID

Replace PROJECT_ID with your project ID.

The response is similar to the following:

...
"fingerprint": "utgYE_XWtE8=",
"items": [
{
 "key": "ssh-keys",
 "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"
}
]
...

Add the new ssh-keys value by using the projects.setCommonInstanceMetadata method.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata

{
"items": [
 {
  "key": "ssh-keys",
  "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY"
 }
]
"fingerprint": "FINGERPRINT"
}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the value of the ssh-keys key from the response of the projects.get request
- FINGERPRINT: the value of the fingerprint from the response of the projects.get request
- NEW_SSH_KEY: the new SSH key, in one of the following formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.
    
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000

Add SSH keys to instance metadata

You can add a public SSH key to instance metadata when you create a VM or after you create a VM.

Add SSH keys to instance metadata during VM creation

You can add SSH keys to instance metadata during VM creation, using the Trusted Cloud console, gcloud CLI, or Compute Engine API.

Console

To create an instance and add a public SSH key to instance metadata at the same time using the Trusted Cloud console, do the following:

In the Trusted Cloud console, go to the Create an instance page.

Go to Create an instance
To add a public SSH key to instance metadata, do the following:
1. In the navigation menu, click Security.
2. Expand the Manage access section.
3. To disable OS Login, clear the Control VM access through IAM permissions checkbox.
4. If you want to allow public SSH keys in project metadata to access the instance, clear the Block project-wide SSH keys checkbox.
5. In the Add manually generated SSH keys section, click Add item.
6. Add your public key in the text box. The key must be in one of the following formats:
  - Format for a key without an expiration time:
```
KEY_VALUE USERNAME
```
  - Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example, cloudysanfrancisco or cloudysanfrancisco_gmail_com.
    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.
    
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
Optional: Specify other configuration options. For more information, see Configuration options during instance creation.
To create and start the instance, click Create.

gcloud

In the Trusted Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Trusted Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To create a VM and add a public SSH key to instance metadata at the same time using the gcloud CLI, use the gcloud compute instances create command:
```
gcloud compute instances create VM_NAME \
   --metadata=ssh-keys=PUBLIC_KEY
```
Replace the following:
- VM_NAME: the name of the new VM
- PUBLIC_KEY: your public SSH key, in one of the following formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.
    
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
You can add multiple SSH keys by using the --metadata-from-file=ssh-keys=FILE_PATH flag. In the file, add a list of usernames and public SSH keys in one of the preceding formats.

Terraform

To add a public SSH key to your instance metadata, use the google_compute_instance resource.

resource "google_compute_instance" "default" {
  name         = "my-vm"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "ubuntu-1404-trusty-v20160627"
    }
  }

  # Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"
    access_config {}
  }
  metadata = {
    "ssh-keys" = <<EOT
      dev:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT dev
      test:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT test
     EOT
  }
}

REST

To create a VM and add a public SSH key to instance metadata at the same time using the Compute Engine, construct a POST request to the instances.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances

Replace the following:

PROJECT_ID: the project ID
ZONE: the zone of the VM

In the body of the request, provide usernames and public SSH keys in the items property:

...
{
 "items": [
    {
     "key": "ssh-keys",
     "value": "PUBLIC_KEY"
    }
   ]
}
...

Replace PUBLIC_KEY with your public key, in one of the following formats:

Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```

Format for a key with an expiration time:

USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}

Replace the following:

KEY_VALUE: the public SSH key value
USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.

For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000

You can add multiple SSH keys by adding \n between keys.

Add SSH keys to instance metadata after VM creation

You can add SSH keys to instance metadata after VM creation, using the Trusted Cloud console, gcloud CLI, or Compute Engine API.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.setMetadata on the VM

Console

To add a public SSH key to instance metadata using the Trusted Cloud console, do the following:

In the Trusted Cloud console, go to the VM instances page.

Go to VM Instances
Click the name of the VM that you want to add an SSH key for.
Click Edit.
Under SSH Keys, click Add item.
Add your public key into the text box. The key must be in one of the following formats:
- Format for a key without an expiration time:
```
KEY_VALUE USERNAME
```
- Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
Replace the following:
- KEY_VALUE: the public SSH key value
- USERNAME: your username. For example, cloudysanfrancisco or cloudysanfrancisco_gmail_com.
  For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connect to Linux VMs as the root user.
  
  For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
- EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
Click Save.

gcloud

In the Trusted Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Trusted Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
If there are existing SSH keys in instance metadata, you must re-add them to instance metadata every time you add a new SSH key using the gcloud CLI. If you don't re-add your existing keys, adding a new key erases the existing keys.

To add a public SSH key to instance metadata using the gcloud CLI, do the following:
1. If your VM already has instance-level public SSH keys, get them from metadata and add them to a new file:
  1. Run the gcloud compute instances describe command to get the metadata for the VM:
```
gcloud compute instances describe VM_NAME
```
    Replace VM_NAME with the name of the VM for which you need to add or remove public SSH keys.
    
    The output is similar to the following:
```
...
metadata:
...
- key: ssh-keys
 value: |-
   cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...
   baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
...
```
  2. Copy the ssh-keys metadata value.
  3. Create and open a new text file on your workstation.
  4. In the file, paste the list of keys that you just copied.
  5. Add your new key at the end of the list, in one of the following formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.
    
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000
  1. Save and close the file.
2. Run the gcloud compute instances add-metadata command to set the ssh-keys value:
```
gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys=KEY_FILE
```
  Replace the following:
  - VM_NAME: the VM you want to add the SSH key for
  - KEY_FILE with one of the following:
  - The path to the file you created in the previous step, if the VM had existing SSH keys
  - The path to your new public SSH key file, if the VM didn't have existing SSH keys

REST

If there are existing SSH keys in instance metadata, you must re-add them to instance metadata every time you add a new SSH key using the Compute Engine API. If you don't re-add your existing keys, adding a new key erases the existing keys.

To add a public SSH key to instance metadata using the Compute Engine API, do the following:

Get the fingerprint and ssh-keys values from metadata by using the instances.get method.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME

Replace the following:

PROJECT_ID: your project ID
ZONE: the zone of the VM to add an SSH key
VM_NAME: the VM you're adding an SSH key for

The response is similar to the following:

...
"fingerprint": "utgYE_XWtE8=",
"items": [
{
 "key": "ssh-keys",
  "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"
}
]
...

Add the new ssh-keys value by using the instances.setMetadata method.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata

{
"items": [
 {
  "key": "ssh-keys",
  "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY"
 }
]
"fingerprint": "FINGERPRINT"
}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the value of the ssh-keys key from the response of the instances.get request
- FINGERPRINT: the fingerprint from the response of the projects.get request
- NEW_SSH_KEY: the new SSH key, in one of the following formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example, cloudysanfrancisco, or cloudysanfrancisco_gmail_com.
    For Linux VMs, the USERNAME can't be root, unless you configure your VM to allow root login. For more information, see Connecting to instances as the root user.
    
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format of DOMAIN\. For example, the user cloudysanfrancisco within the ad.example.com AD has a USERNAME of example\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, in ISO 8601 format. For example: 2021-12-04T20:12:00+0000

What's next?

Learn how to connect to VMs.
Learn how to transfer files to VMs.
Learn how SSH connections to Linux VMs work on Compute Engine.