GoogleComputeEngineSSHKeys
Line 3: | Line 3: |
*By default, Compute Engine adds the generated key to project or instance metadata. *If your account is configured to use OS Login, Compute Engine stores the generated key with your user account. |
*By default, Compute Engine adds the generated key to [[https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys|project or instance metadata]]. *If your account is configured to use [[https://cloud.google.com/compute/docs/instances/managing-instance-access|OS Login]], Compute Engine stores the generated key with your user account. |
Line 9: | Line 8: |
There are Ubuntu-specific cloud-init behaviours for the ubuntu and cloudinit users. Cloud-init will add keys to the ubuntu user from the metadata for the cloudinit and ubuntu users. | Starting from cloud-init version 17.2-20-g32a6a176-0ubuntu1, there are Ubuntu-specific cloud-init behaviours for the ubuntu and cloudinit users. Cloud-init will add keys to the ubuntu user from the metadata for the cloudinit and ubuntu users. |
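Review bot: the qualifier added at the start of this sentence, "Starting from cloud-init version 17.2-20-g32a6a176-0ubuntu1", leaves open what happens to the cloudinit and ubuntu metadata keys on images with an earlier cloud-init. Suggest adding one sentence that states the behaviour before that version, so readers on older images know whether the ubuntu user receives these keys at all.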
Line 37: | Line 36: |
For more information about managing SSH keys in Google Compute Engine with Metadata, see the Google Cloud documentation on [[https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys|Managing Instance Access with SSH Keys]]. |
In Google Compute Engine, you can connect to Ubuntu instances through either the Google Cloud Platform Console or the gcloud command-line tool. Google Compute Engine generates an SSH key for you and stores it in one of the following locations:
 * By default, Compute Engine adds the generated key to project or instance metadata.
 * If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.
For more information, refer to Connecting to Linux Instances in the Google Cloud documentation.
Starting from cloud-init version 17.2-20-g32a6a176-0ubuntu1, there are Ubuntu-specific cloud-init behaviours for the ubuntu and cloudinit users. Cloud-init will add keys to the ubuntu user from the metadata for the cloudinit and ubuntu users.
For example, assume the following 'mykeys' file that holds public SSH keys for 3 users (test, ubuntu and cloudinit) prefixed with "<username>:":
    test:ssh-rsa <key for test user> test@example.com
    ubuntu:ssh-rsa <key for ubuntu user> test@example.com
    cloudinit:ssh-rsa <key for cloudinit user> test@example.com
Create a new instance with these keys as instance metadata:
    gcloud compute instances create ubuntu --image-family ubuntu-1604-lts \
      --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=mykeys \
      --metadata=block-project-ssh-keys=True
The end result is that the ubuntu user gets both the ubuntu and cloudinit keys from cloud-init. Note that it also receives keys from the Google accounts daemon, but that is out of scope for this article:
    root@ubuntu:~# cat /home/ubuntu/.ssh/authorized_keys
    ssh-rsa <cloudinit key> test@example.com
    ssh-rsa <ubuntu key> test@example.com
    # Added by Google
    ssh-rsa <also the ubuntu key, populated by the Google accounts daemon> test@example.com
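The rule described above can be turned into an audit: derive from the metadata file the keys the ubuntu user should hold, then list any authorized_keys entry that does not come from them. This is an added example, not part of the original wiki page; the function names and the key blobs are constructed, and it assumes authorized_keys entries carry no options prefix.

```sh
#!/bin/sh
# Added example, not from the wiki page. Key blobs are constructed samples.

# keys_for_ubuntu FILE: print "type blob" for every ssh-keys metadata entry
# prefixed "ubuntu:" or "cloudinit:" (the users the page says feed ubuntu).
keys_for_ubuntu() {
    awk '
        NF == 0 { next }
        {
            i = index($0, ":")
            if (i < 2) { print "skipping malformed line " NR > "/dev/stderr"; next }
            user = substr($0, 1, i - 1)
            n = split(substr($0, i + 1), f, " ")
            if (n >= 2 && (user == "ubuntu" || user == "cloudinit")) print f[1], f[2]
        }' "$1"
}

# unexpected_keys METADATA_FILE AUTHORIZED_KEYS_FILE: print authorized_keys
# entries whose "type blob" does not come from those metadata entries.
# Assumption: entries have no options prefix before the key type.
unexpected_keys() {
    ALLOWED=$(keys_for_ubuntu "$1") awk '
        BEGIN { n = split(ENVIRON["ALLOWED"], a, "\n"); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }
        !(($1 " " $2) in allowed) { print }
    ' "$2"
}

demo() {
    d=$(mktemp -d)
    # Constructed metadata in the "<username>:<key>" format used above.
    cat > "$d/mykeys" <<'EOF'
test:ssh-rsa AAAAconstructedTEST test@example.com
ubuntu:ssh-rsa AAAAconstructedUBUNTU test@example.com
cloudinit:ssh-rsa AAAAconstructedCLOUDINIT test@example.com
EOF
    # Constructed authorized_keys: the result shown above plus one stray key.
    cat > "$d/authorized_keys" <<'EOF'
ssh-rsa AAAAconstructedCLOUDINIT test@example.com
ssh-rsa AAAAconstructedUBUNTU test@example.com
# Added by Google
ssh-rsa AAAAconstructedUBUNTU test@example.com
ssh-rsa AAAAconstructedTEST test@example.com
EOF
    unexpected_keys "$d/mykeys" "$d/authorized_keys"
    rm -rf "$d"
}
demo
```

The key written by the Google accounts daemon is the same ubuntu key, so it is not reported; only the stray test key is listed.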
GoogleComputeEngineSSHKeys (last edited 2018-05-17 21:03:31 by davecore)