Differences between revisions 1 and 2
Revision 1 as of 2014-12-17 17:18:30
Size: 1964
Comment: Create page
Revision 2 as of 2017-12-05 19:49:59
Size: 2309
Editor: davecore


Warning: The information on this page is out of date. Don't use it! Have a look at Connecting to Linux Instances and Managing Instance Access with SSH Keys instead.

When an Ubuntu instance is booted within a Google Compute Engine project, SSH keys are sourced from two places: the project-level metadata, and the instance-level metadata. There are two methods that are then used to put these keys in place on an Ubuntu instance: cloud-init and the GCE daemon.

Project-level SSH keys can be found either through the web interface in ‘Compute > Compute Engine > Metadata’ on the project page, or by looking at the value of sshKeys in the output of gcloud compute project-info describe. Each of these SSH keys specifies a user and a corresponding public key.

Instance-level SSH keys are specified in metadata on starting an instance; see for more details on how this is done.

When an Ubuntu instance is started in a Google Compute Engine project with project-level SSH keys, cloud-init will always create an ubuntu user and add all of the project-level SSH keys (regardless of the user name they are assigned to) to .ssh/authorized_keys in the ubuntu user’s home directory.

If instance-level SSH keys are provided, the GCE daemon will apply only those keys to the instance; project-level SSH keys are disregarded. If (and only if) instance-level SSH keys are not specified, the GCE daemon will apply project-level SSH keys.

Once the metadata to use has been determined, the GCE daemon will create a user for each SSH key, and add the corresponding public key to .ssh/authorized_keys in their home directory.

In pseudo-code, the GCE daemon does the following:

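    # Instance-level keys take precedence; project-level keys are used
    # only when the instance metadata has no sshKeys entry.
    sshKeys = []
    if 'sshKeys' in instanceMetadata:
        sshKeys = instanceMetadata['sshKeys']
    elif 'sshKeys' in projectMetadata:
        sshKeys = projectMetadata['sshKeys']
    # One local user is created per key entry.
    for username, publicKey in sshKeys:
        add_authorized_key_for_user(username, publicKey)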
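
The combined effect of the cloud-init and GCE daemon behaviour described above, as an added example (not code from the original page, cloud-init or the GCE daemon). It assumes the sshKeys value holds one username:public-key entry per line; the function names and the sample metadata are hypothetical.

```python
def parse_ssh_keys(value):
    """Parse an sshKeys value: one 'username:public-key' entry per line (assumed format)."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank and malformed entries
        username, public_key = line.split(":", 1)
        entries.append((username.strip(), public_key.strip()))
    return entries


def effective_authorized_keys(project_metadata, instance_metadata):
    """Return {local user: set of public keys} once both mechanisms have run."""
    access = {}

    # cloud-init: every project-level key lands in the ubuntu user's
    # authorized_keys, whatever user name the key was assigned to.
    if "sshKeys" in project_metadata:
        for _assigned_user, key in parse_ssh_keys(project_metadata["sshKeys"]):
            access.setdefault("ubuntu", set()).add(key)

    # GCE daemon: instance-level keys replace project-level keys entirely.
    if "sshKeys" in instance_metadata:
        daemon_keys = parse_ssh_keys(instance_metadata["sshKeys"])
    elif "sshKeys" in project_metadata:
        daemon_keys = parse_ssh_keys(project_metadata["sshKeys"])
    else:
        daemon_keys = []
    for username, key in daemon_keys:
        access.setdefault(username, set()).add(key)
    return access


# Constructed sample metadata (placeholder text, not real key material).
PROJECT = {"sshKeys": "alice:ssh-rsa AAAA-alice alice@example\n"
                      "bob:ssh-rsa AAAA-bob bob@example"}
INSTANCE = {"sshKeys": "carol:ssh-rsa AAAA-carol carol@example"}

if __name__ == "__main__":
    for label, inst in (("project keys only", {}), ("instance keys set", INSTANCE)):
        print(label)
        for user, keys in sorted(effective_authorized_keys(PROJECT, inst).items()):
            print(f"  {user}: {sorted(keys)}")
```

With instance-level keys set, the daemon creates no alice or bob account, yet both of their keys still open the ubuntu account through cloud-init, which is the case to look for when auditing who can reach an instance.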

GoogleComputeEngineSSHKeys (last edited 2018-05-17 21:03:31 by davecore)