GoogleComputeEngineSSHKeys

Differences between revisions 1 and 2
Revision 1 as of 2014-12-17 17:18:30
Size: 1964
Comment: Create page
Revision 2 as of 2017-12-05 19:49:59
Size: 2309
Editor: davecore
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= OUTDATED! =

/!\ The information on this page is out of date. ''Don't'' use it! Have a look at [[https://cloud.google.com/compute/docs/instances/connecting-to-instance|Connecting to Linux Instances]] and [[https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys|Managing Instance Access with SSH Keys]] instead.

-----

OUTDATED!

Warning /!\ The information on this page is out of date. Don't use it! Have a look at Connecting to Linux Instances and Managing Instance Access with SSH Keys instead.


When an Ubuntu instance is booted within a Google Compute Engine project, SSH keys are sourced from two places: the project-level metadata, and the instance-level metadata. There are two methods that are then used to put these keys in place on an Ubuntu instance: cloud-init and the GCE daemon.

Project-level SSH keys can be found either through the web interface in ‘Compute > Compute Engine > Metadata’ on the project page, or by looking at the value of sshKeys in the output of gcloud compute project-info describe. Each of these SSH keys specifies a user and a corresponding public key.

Instance-level SSH keys are specified in metadata on starting an instance; see https://cloud.google.com/compute/docs/instances#setting_up_ssh_keys_at_the_instance_level for more details on how this is done.

When an Ubuntu instance is started in Google Compute Engine project with project-level SSH keys, cloud-init will always create an ubuntu user and add all of the project-level SSH keys (regardless of the user name they are assigned to) to .ssh/authorized_keys in the ubuntu user’s home directory.

If instance-level SSH keys are provided, the GCE daemon will only apply those to an instance; project-level SSH keys are disregarded. If (and only if) instance-level SSH keys are not specified, the GCE daemon will apply project-level SSH keys.

Once the metadata to use has been determined, the GCE daemon will create a user for each SSH key, and add the corresponding public key to .ssh/authorized_keys in their home directory.

In pseudo-code, the GCE daemon does the following:

    sshKeys = []
    if ‘sshKeys’ in instanceMetadata:
        sshKeys = instanceMetadata[‘sshKeys’]
    elif ‘sshKeys’ in projectMetadata:
        sshKeys = projectMetadata[‘sshKeys’]
    
    for username, publicKey in sshKeys:
        create_user(username)
        add_authorized_key_for_user(username, publicKey)

GoogleComputeEngineSSHKeys (last edited 2018-05-17 21:03:31 by davecore)