This document describes how to prevent users from accessing virtual machine (VM)
instances by removing and blocking SSH keys from VMs.
Before you begin
Remove SSH keys
You can remove SSH keys from VMs that use OS Login and from VMs that use metadata-based SSH keys.
Remove SSH keys from VMs that use OS Login
VMs that use OS Login accept SSH keys that are associated with your Google account. You can remove a public SSH key from your user account using the Google Cloud CLI or the OS Login API. If you're an administrator for your organization, you can remove SSH keys from user accounts using the Directory API.
Compute Engine automatically removes expired keys from your Google Account.
gcloud
To remove a public SSH key from your account, do the following:
1. If you don't know which key you want to remove, run the gcloud compute os-login describe-profile command to view all keys associated with your account:
   gcloud compute os-login describe-profile
2. Copy the fingerprint value of the key you want to delete.
3. Remove the key from your account using the gcloud compute os-login ssh-keys remove command:
   gcloud compute os-login ssh-keys remove --key=KEY
   Replace KEY with the public SSH key you want to remove, or the OS Login fingerprint for the key you want to remove.
REST
To remove a public SSH key from your account, do the following:
1. If you don't know which key you want to remove, use the users.getLoginProfile method to view all keys associated with your account:
   GET https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/loginProfile
   Replace ACCOUNT_EMAIL with the email address associated with your account.
2. Copy the fingerprint value of the key you want to delete.
3. Remove the key from your account using the users.sshPublicKeys.delete method:
   DELETE https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/sshPublicKeys/FINGERPRINT
   Replace the following:
   - ACCOUNT_EMAIL: the email address associated with your account
   - FINGERPRINT: the SHA-256 fingerprint of the key to remove
Remove SSH keys from VMs that use metadata-based SSH keys
You can remove a public SSH key from project or instance metadata using the Google Cloud console, the gcloud CLI, or the Compute Engine API.
After you remove the last key from metadata for a particular user, or the last key in metadata for a particular user expires, Compute Engine deletes the user's ~/.ssh/authorized_keys file on the VM.
Caution: If you manage SSH keys in metadata, you might disrupt the ability of your project members to connect to VMs. Additionally, you risk granting users, including users outside of your project, unintended access to VMs. For more information, see risks of manual key management.
Remove a public key from project metadata
Remove a public SSH key from project metadata to remove access to all VMs in a project.
When you remove a key from metadata using the gcloud CLI or the Compute Engine API, you must retrieve the list of existing keys, edit the list to remove the unwanted keys, and overwrite the old keys with the list of keys you want to keep, as explained in the following section.
Permissions required for this task
To perform this task, you must have the following permissions:
- compute.projects.setCommonInstanceMetadata
Console
To remove a public SSH key from project metadata using the Google Cloud console, do the following:
1. In the Google Cloud console, go to the Metadata page.
2. Click the SSH keys tab.
3. Click Edit at the top of the page.
4. Navigate to the SSH key that you want to remove and click the delete button next to the SSH key. Repeat this step for each SSH key that you want to remove.
5. Click Save.
gcloud
To remove a public SSH key from project metadata using the gcloud CLI, do the following:
1. Run the gcloud compute project-info describe command to get the metadata for the project:
   gcloud compute project-info describe
   The output is similar to the following:
   ...
   metadata:
   ...
   - key: ssh-keys
     value: |-
       cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
       baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
   ...
2. Copy the ssh-keys metadata value.
3. Create and open a new text file on your workstation.
4. In the file, paste the list of SSH keys that you just copied, then delete any keys you want to remove from project metadata.
5. Save and close the file.
6. Run the gcloud compute project-info add-metadata command to set the project-wide ssh-keys value:
   gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
   Replace KEY_FILE with one of the following:
   - the path to the file you created in the previous step, if the project had existing SSH keys
   - the path to your new public SSH key file, if the project didn't have existing SSH keys
REST
To remove a public SSH key from project metadata using the Compute Engine API, do the following:
1. Use the projects.get method to get the fingerprint and ssh-keys values from metadata:
   GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID
   Replace PROJECT_ID with your project ID.
   The response is similar to the following:
   ...
   "fingerprint": "utgYE_XWtE8=",
   "items": [
     {
       "key": "ssh-keys",
       "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {\"userName\":\"baklavainthebalkans\",\"expireOn\":\"2021-06-14T16:59:03+0000\"}"
     }
   ]
   ...
2. Copy the list of SSH key values and delete the keys you want to remove.
3. Use the projects.setCommonInstanceMetadata method to remove the SSH keys:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata
   {
     "items": [
       {
         "key": "ssh-keys",
         "value": "EXISTING_SSH_KEYS"
       }
     ],
     "fingerprint": "FINGERPRINT"
   }
   Replace the following:
   - PROJECT_ID: your project ID
   - EXISTING_SSH_KEYS: the list of the SSH keys you want to keep
   - FINGERPRINT: the value of the fingerprint from the response of the projects.get request
Remove a public SSH key from instance metadata
Remove a public SSH key from instance metadata to remove access to a single VM.
When you remove a key from metadata using the gcloud CLI or the Compute Engine API, you must retrieve the list of existing keys, edit the list to remove the unwanted keys, and overwrite the old keys with the list of keys you want to keep, as explained in the following section.
Permissions required for this task
To perform this task, you must have the following permissions:
- compute.instances.setMetadata
Console
To remove a public SSH key from instance metadata using the Google Cloud console, do the following:
1. In the Google Cloud console, go to the Metadata page.
2. Click the name of the VM that you want to remove a key for.
3. Click Edit.
4. In the center pane, under SSH Keys, click Show and edit. The section expands to show all of the instance-level public SSH keys.
5. Click the removal button next to the key you want to remove.
6. Click Save.
gcloud
To remove a public SSH key from instance metadata using the gcloud CLI, do the following:
1. Run the gcloud compute instances describe command to get the metadata for the VM:
   gcloud compute instances describe VM_NAME
   Replace VM_NAME with the name of the VM for which you need to add or remove public SSH keys.
   The output is similar to the following:
   ...
   metadata:
   ...
   - key: ssh-keys
     value: |-
       cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
       baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
   ...
2. Copy the ssh-keys metadata value.
3. Create and open a new text file on your local workstation.
4. In the file, paste the list of SSH keys that you just copied, then remove any keys you want to delete.
5. Save and close the file.
6. Run the gcloud compute instances add-metadata command to set the ssh-keys value for the VM:
   gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys=KEY_FILE
   Replace the following:
   - VM_NAME: the VM you want to remove the SSH key for
   - KEY_FILE: the path to the file that contains the list of SSH keys you want to keep on the VM
REST
To remove a public SSH key from instance metadata using the Compute Engine API, do the following:
1. Use the instances.get method to get the fingerprint and ssh-keys values from metadata:
   GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
   Replace the following:
   - PROJECT_ID: your project ID
   - ZONE: the zone of the VM you're removing an SSH key from
   - VM_NAME: the VM you're removing an SSH key from
   The response is similar to the following:
   ...
   "fingerprint": "utgYE_XWtE8=",
   "items": [
     {
       "key": "ssh-keys",
       "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {\"userName\":\"baklavainthebalkans\",\"expireOn\":\"2021-06-14T16:59:03+0000\"}"
     }
   ]
   ...
2. Copy the list of SSH key values and delete the keys you want to remove.
3. Use the instances.setMetadata method to remove the SSH keys:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata
   {
     "items": [
       {
         "key": "ssh-keys",
         "value": "EXISTING_SSH_KEYS"
       }
     ],
     "fingerprint": "FINGERPRINT"
   }
   Replace the following:
   - PROJECT_ID: your project ID
   - EXISTING_SSH_KEYS: the value of the ssh-keys key from the response of the instances.get request, with the keys you want to remove deleted
   - FINGERPRINT: the value of the fingerprint from the response of the instances.get request
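The edit step is the same in the project-metadata and instance-metadata procedures above: take the ssh-keys value, drop the unwanted lines, and write the rest back together with the fingerprint from the preceding get request. The following Python helper is an added example and is not code from this page or from Google's tooling; the sample value is constructed to mirror the page's example output (with truncated key material), and it also drops keys whose google-ssh expireOn timestamp has passed.

```python
import json
from datetime import datetime, timezone

# Constructed sample value mirroring the ssh-keys metadata format shown on this
# page (the key material is truncated, as in the page's own example output).
SAMPLE_SSH_KEYS = (
    "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\n"
    "baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh "
    '{"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}'
)

EXPIRE_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # expireOn layout used in google-ssh comments


def parse_timestamp(value):
    return datetime.strptime(value, EXPIRE_FORMAT)


def parse_ssh_keys(value):
    """Split an ssh-keys metadata value into {user, line, expire_on} entries."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, key = line.partition(":")  # lines are USERNAME:KEY [comment]
        expire_on = None
        if " google-ssh " in key:
            # The google-ssh comment is a JSON object that may carry expireOn.
            meta = json.loads(key.split(" google-ssh ", 1)[1])
            if "expireOn" in meta:
                expire_on = parse_timestamp(meta["expireOn"])
        entries.append({"user": user, "line": line, "expire_on": expire_on})
    return entries


def prune_ssh_keys(value, remove_users=(), now=None):
    """Return the ssh-keys value with the named users' keys and any expired keys
    dropped; `now` is an expireOn-style string (default: current UTC time)."""
    cutoff = parse_timestamp(now) if now else datetime.now(timezone.utc)
    kept = [e["line"] for e in parse_ssh_keys(value)
            if e["user"] not in remove_users
            and (e["expire_on"] is None or e["expire_on"] > cutoff)]
    return "\n".join(kept)


def set_metadata_body(ssh_keys_value, fingerprint):
    """Request body for projects.setCommonInstanceMetadata or instances.setMetadata.
    The fingerprint from the preceding get request is echoed back so that the API
    can reject a write based on metadata that changed in the meantime."""
    return {"items": [{"key": "ssh-keys", "value": ssh_keys_value}],
            "fingerprint": fingerprint}
```

Write the value returned by prune_ssh_keys to a file and pass it with --metadata-from-file ssh-keys=KEY_FILE, or embed it in the setMetadata body as shown in the REST steps.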
Block project SSH keys from VMs that use metadata-based SSH keys
You can prevent VMs from accepting SSH keys that are stored in project metadata by blocking project SSH keys from VMs. You can block project SSH keys from VMs when you create a VM or after you create a VM.
Block project SSH keys from a VM during VM creation
You can block project SSH keys from VMs during VM creation using the Google Cloud console, gcloud CLI, or Compute Engine API.
Console
To create a VM and block it from accepting SSH keys stored in project metadata using the Google Cloud console, do the following:
1. In the Google Cloud console, go to the Create an instance page.
2. Specify the VM details.
3. Expand the Advanced options section, and do the following:
   a. Expand the Security section.
   b. Check Block project-wide SSH keys.
4. To create and start the VM, click Create.
gcloud
To create a VM and block it from accepting SSH keys stored in project metadata using the gcloud CLI, use the gcloud compute instances create command:
gcloud compute instances create VM_NAME \
    --metadata block-project-ssh-keys=TRUE
Replace VM_NAME with the name of the new VM.
REST
To create a VM and block it from accepting SSH keys stored in project metadata using the Compute Engine API, construct a POST request to the instances.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
Replace the following:
- PROJECT_ID: the project ID
- ZONE: the zone of the VM
In the body of the request, set block-project-ssh-keys to TRUE in the metadata items property:
...
{
  "items": [
    {
      "key": "block-project-ssh-keys",
      "value": "TRUE"
    }
  ]
}
...
Block project SSH keys from a VM after VM creation
You can block project SSH keys from VMs after VM creation using the Google Cloud console, gcloud CLI, or Compute Engine API.
Permissions required for this task
To perform this task, you must have the following permissions:
- compute.projects.setCommonInstanceMetadata
Console
To block VMs from accepting connections from SSH keys stored in project metadata using the Google Cloud console, do the following:
1. In the Google Cloud console, go to the Metadata page.
2. Click the name of the VM that you want to block project SSH keys for.
3. Click Edit.
4. Under SSH Keys, select the Block project-wide SSH keys checkbox.
5. When you have finished editing the connection setting for SSH keys, click Save.
gcloud
To block VMs from accepting connections from SSH keys stored in project metadata using the gcloud CLI, run the gcloud compute instances add-metadata command:
gcloud compute instances add-metadata VM_NAME --metadata block-project-ssh-keys=TRUE
Replace VM_NAME with the name of the VM for which you want to block project-wide public SSH keys.
REST
To block VMs from accepting connections from SSH keys stored in project metadata using the Compute Engine API, do the following:
1. Use the instances.get method to get the fingerprint from metadata:
   GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
   Replace the following:
   - PROJECT_ID: your project ID
   - ZONE: the zone of the VM
   - VM_NAME: the VM for which you want to block project-wide SSH keys
   The response is similar to the following:
   ...
   "fingerprint": "utgYE_XWtE8="
   ...
2. Use the instances.setMetadata method to set block-project-ssh-keys to TRUE:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata
   {
     "items": [
       {
         "key": "block-project-ssh-keys",
         "value": "TRUE"
       }
     ],
     "fingerprint": "FINGERPRINT"
   }
   Replace the following:
   - PROJECT_ID: your project ID
   - ZONE: the zone where your VM is located
   - VM_NAME: the VM for which you want to block project-wide keys
   - FINGERPRINT: the value of the fingerprint from the response of the instances.get request
What's next?