GoogleComputeEngineSSHKeys

Differences between revisions 2 and 3
Revision 2 as of 2017-12-05 19:49:59
Size: 2309
Editor: davecore
Comment:
Revision 3 as of 2018-05-17 15:54:24
Size: 2157
Editor: davecore
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
= OUTDATED! = In Google Compute Engine, you can connect to Ubuntu instances through either the Google Cloud Platform Console or the gcloud command-line tool. Google Compute Engine generates an SSH key for you and stores it in one of the following locations:
Line 3: Line 3:
/!\ The information on this page is out of date. ''Don't'' use it! Have a look at [[https://cloud.google.com/compute/docs/instances/connecting-to-instance|Connecting to Linux Instances]] and [[https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys|Managing Instance Access with SSH Keys]] instead.  *By default, Compute Engine adds the generated key to project or instance metadata.
 *If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.
Line 5: Line 6:
-----
Line 7: Line 7:
When an Ubuntu instance is booted within a Google Compute Engine project, SSH keys are sourced from two places: the project-level metadata, and the instance-level metadata. There are two methods that are then used to put these keys in place on an Ubuntu instance: cloud-init and the GCE daemon. For more information, please refer to the [[https://cloud.google.com/compute/docs/instances/connecting-to-instance|Connecting to Linux Instances]] documentation from the Google Cloud documentation.
Line 9: Line 9:
Project-level SSH keys can be found either through the web interface in ‘Compute > Compute Engine > Metadata’ on the project page, or by looking at the value of `sshKeys` in the output of `gcloud compute project-info describe`. Each of these SSH keys specifies a user and a corresponding public key. There are Ubuntu-specific cloud-init behaviours for the ubuntu and cloudinit users. Cloud-init will add keys to the ubuntu user from the metadata for the cloudinit and ubuntu users.
Line 11: Line 11:
Instance-level SSH keys are specified in metadata on starting an instance; see https://cloud.google.com/compute/docs/instances#setting_up_ssh_keys_at_the_instance_level for more details on how this is done.

When an Ubuntu instance is started in Google Compute Engine project with project-level SSH keys, cloud-init will always create an `ubuntu` user and add all of the project-level SSH keys (regardless of the user name they are assigned to) to `.ssh/authorized_keys` in the `ubuntu` user’s home directory.

If instance-level SSH keys are provided, the GCE daemon will only apply those to an instance; project-level SSH keys are disregarded. If (and only if) instance-level SSH keys are not specified, the GCE daemon will apply project-level SSH keys.

Once the metadata to use has been determined, the GCE daemon will create a user for each SSH key, and add the corresponding public key to `.ssh/authorized_keys` in their home directory.

In pseudo-code, the GCE daemon does the following:
For example, assume the following 'mykeys' file that holds public SSH keys for 3 users (test, ubuntu and cloudinit) prefixed with "<username>:":
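Review bot: the removed sentence saying cloud-init adds all project-level keys to the ubuntu user "regardless of the user name they are assigned to" conflicts with the replacement text, which says cloud-init only takes the entries for the ubuntu and cloudinit users, and with the example listing further down, where the test user's key does not appear in /home/ubuntu/.ssh/authorized_keys; the new wording is the one to keep. The instance-replaces-project precedence described for the GCE daemon in this hunk belongs to the legacy `sshKeys` metadata key; the gcloud command added in the new revision uses `ssh-keys` together with `block-project-ssh-keys=True`, so the replacement text should say that project-wide keys are excluded only when that flag is set, not by default.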
Line 22: Line 14:
    sshKeys = []
    if ‘sshKeys’ in instanceMetadata:
        sshKeys = instanceMetadata[‘sshKeys’]
    elif ‘sshKeys’ in projectMetadata:
        sshKeys = projectMetadata[‘sshKeys’]
    
    for username, publicKey in sshKeys:
        create_user(username)
        add_authorized_key_for_user(username, publicKey)
test:ssh-rsa <key for test user> test@example.com
ubuntu:ssh-rsa <key for ubuntu user> test@example.com
cloudinit:ssh-rsa <key for cloudinit user> test@example.com
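Review bot: the pseudocode being removed here reads `sshKeys` from instance or project metadata, but the key file that replaces it is passed as `ssh-keys` by the gcloud command in the next hunk, and only the deprecated `sshKeys` key has the instance-replaces-project semantics the `if`/`elif` models. If the pseudocode is kept anywhere it should key on `ssh-keys` and model `block-project-ssh-keys`, for instance `if instanceMetadata.get('block-project-ssh-keys') != 'TRUE': sshKeys += projectMetadata['ssh-keys']`. A small style point on the three added entries: they all carry the comment `test@example.com`; sshd ignores the comment, but distinct comments would make the authorized_keys listing that follows easier to read.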
Line 32: Line 18:

Create a new instance with these keys as instance metadata:

{{{
gcloud compute instances create ubuntu --image-family ubuntu-1604-lts \
       --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=mykeys \
       --metadata=block-project-ssh-keys=True
}}}

The end result will be that the ubuntu user will get the two ubuntu and cloudinit keys from cloud-init. Note that it will also receive keys from the Google accounts daemon, but this is out of scope for this article:

{{{
root@ubuntu:~# cat /home/ubuntu/.ssh/authorized_keys

ssh-rsa <cloudinit key> test@example.com
ssh-rsa <ubuntu key> test@example.com
# Added by Google
ssh-rsa <also the ubuntu key, populated by the Google accounts daemon> test@example.com
}}}

For more information about managing SSH keys in Google Compute Engine with Metadata, see the Google Cloud documentation on [[https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys|Managing Instance Access with SSH Keys]].

In Google Compute Engine, you can connect to Ubuntu instances through either the Google Cloud Platform Console or the gcloud command-line tool. Google Compute Engine generates an SSH key for you and stores it in one of the following locations:

  • By default, Compute Engine adds the generated key to project or instance metadata.
  • If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.

For more information, see Connecting to Linux Instances (https://cloud.google.com/compute/docs/instances/connecting-to-instance) in the Google Cloud documentation.

Ubuntu images carry cloud-init behaviour specific to two usernames: cloud-init takes the entries in the ssh-keys metadata whose username is ubuntu or cloudinit and adds their public keys to the ubuntu user's ~/.ssh/authorized_keys. Entries for any other username are left to the Google accounts daemon, which creates that user and installs the key in that user's own home directory.

For example, assume a file 'mykeys' holding one public key per line for three users (test, ubuntu and cloudinit), each line prefixed with "<username>:", which is the format the ssh-keys metadata value expects:

test:ssh-rsa <key for test user> test@example.com
ubuntu:ssh-rsa <key for ubuntu user> test@example.com
cloudinit:ssh-rsa <key for cloudinit user> test@example.com

Create a new instance with these keys as instance metadata (the block-project-ssh-keys=True entry keeps project-wide keys off this instance, so only the three keys in 'mykeys' apply):

gcloud compute instances create ubuntu --image-family ubuntu-1604-lts \
       --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=mykeys \
       --metadata=block-project-ssh-keys=True

The result is that the ubuntu user's authorized_keys holds the ubuntu and cloudinit keys installed by cloud-init. It also receives the ubuntu key a second time from the Google accounts daemon, which installs every ssh-keys entry for the user it names (the test user gets its own account and key the same way); the daemon itself is out of scope for this article:

root@ubuntu:~# cat /home/ubuntu/.ssh/authorized_keys 

ssh-rsa <cloudinit key> test@example.com
ssh-rsa <ubuntu key> test@example.com
# Added by Google
ssh-rsa <also the ubuntu key, populated by the Google accounts daemon> test@example.com
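The following is an added example, not code from this wiki page, from cloud-init or from Google's guest agent. It models the two consumers of the ssh-keys metadata described above and reproduces the listing shown: the ubuntu user ends up with the cloudinit and ubuntu keys from cloud-init plus the ubuntu key again under "# Added by Google", while the test user gets only its own key. It goes beyond the page in two places, both Google's documented ssh-keys behaviour rather than something shown here: project-level keys are merged in unless block-project-ssh-keys is TRUE, and an entry may carry a trailing `google-ssh {"userName": ..., "expireOn": ...}` JSON suffix, in which case an expired key is refused. The sample metadata, the fixed clock NOW and the username regex are this example's own constructions.

```python
"""Simulate how GCE ssh-keys metadata ends up in ~/.ssh/authorized_keys on an
Ubuntu instance, following the two consumers the page describes.

Added example; not code from the wiki page, cloud-init or the guest agent.
Assumptions beyond the page: project keys merge with instance keys unless
block-project-ssh-keys is TRUE, and entries may end in
'google-ssh {"userName":..., "expireOn":...}' (Google's expiring-key form).
The username regex is this example's own defensive check."""
import json
import re
from datetime import datetime, timezone

# Constructed sample metadata (key bodies shortened): the page's three entries
# as instance-level keys, plus two project-level entries, one already expired.
INSTANCE_SSH_KEYS = """\
test:ssh-rsa AAAAB3NzaC1yc2ETESTKEY test@example.com
ubuntu:ssh-rsa AAAAB3NzaC1yc2EUBUNTUKEY test@example.com
cloudinit:ssh-rsa AAAAB3NzaC1yc2ECLOUDINITKEY test@example.com
"""
PROJECT_SSH_KEYS = """\
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PROJECTKEY alice@example.com
bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXPIREDKEY google-ssh {"userName":"bob@example.com","expireOn":"2018-01-01T00:00:00+0000"}
"""
# Fixed "current time" so the expiry check is reproducible (constructed).
NOW = datetime(2018, 5, 17, tzinfo=timezone.utc)

CLOUD_INIT_ALIASES = {"ubuntu", "cloudinit"}  # entries cloud-init maps to the ubuntu user
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # reject odd or empty usernames
EXPIRY_FMT = "%Y-%m-%dT%H:%M:%S%z"


def parse_ssh_keys(blob, now):
    """Yield (username, public_key) for each well-formed, unexpired entry."""
    for raw in blob.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, sep, key = line.partition(":")
        if not sep or not USERNAME_RE.match(user) or not key:
            continue  # malformed entry: skip rather than guess a user
        if " google-ssh " in key:
            key, _, meta = key.partition(" google-ssh ")
            try:
                expire = datetime.strptime(json.loads(meta)["expireOn"], EXPIRY_FMT)
            except (ValueError, KeyError, TypeError):
                continue  # unreadable expiry: refuse the key
            if expire <= now:
                continue  # expired key must not be installed
        yield user, key.strip()


def effective_keys(instance_md, project_md, now):
    """Instance keys, plus project keys unless block-project-ssh-keys is TRUE."""
    keys = list(parse_ssh_keys(instance_md.get("ssh-keys", ""), now))
    if instance_md.get("block-project-ssh-keys", "").strip().lower() != "true":
        keys.extend(parse_ssh_keys(project_md.get("ssh-keys", ""), now))
    return keys


def authorized_keys(instance_md, project_md, now=NOW):
    """Return {username: lines of ~/.ssh/authorized_keys} after both consumers ran."""
    keys = effective_keys(instance_md, project_md, now)
    files = {}
    # 1. cloud-init's Ubuntu rule: 'ubuntu' and 'cloudinit' entries go to the ubuntu user.
    for user, key in keys:
        if user in CLOUD_INIT_ALIASES:
            files.setdefault("ubuntu", []).append(key)
    # 2. accounts daemon: every entry goes to the user it names, under a marker line.
    by_user = {}
    for user, key in keys:
        by_user.setdefault(user, []).append(key)
    for user, lines in by_user.items():
        files.setdefault(user, []).append("# Added by Google")
        files[user].extend(lines)
    return files


if __name__ == "__main__":
    instance = {"ssh-keys": INSTANCE_SSH_KEYS, "block-project-ssh-keys": "True"}
    project = {"ssh-keys": PROJECT_SSH_KEYS}
    for user, lines in authorized_keys(instance, project).items():
        print(f"--- /home/{user}/.ssh/authorized_keys")
        print("\n".join(lines))
```

Run as written it prints the blocked case from the page; drop the block-project-ssh-keys entry from the instance dict to see alice's project key merged in while bob's expired key is refused. The model keeps metadata order and does not reproduce cloud-init's exact ordering of the two keys in the listing above.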

For more information about managing SSH keys in Google Compute Engine with metadata, see Managing Instance Access with SSH Keys (https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys) in the Google Cloud documentation.

GoogleComputeEngineSSHKeys (last edited 2018-05-17 21:03:31 by davecore)