In Google Compute Engine, you can connect to Ubuntu instances through either the Google Cloud Platform Console or the gcloud command-line tool. Google Compute Engine generates an SSH key for you and stores it in one of the following locations:

For more information, see Connecting to Linux Instances in the Google Cloud documentation.

Starting from cloud-init version 17.2-20-g32a6a176-0ubuntu1, there are Ubuntu-specific cloud-init behaviours for the ubuntu and cloudinit users. Cloud-init adds the keys listed in the metadata for the cloudinit and ubuntu users to the ubuntu user.

For example, assume the following 'mykeys' file that holds public SSH keys for 3 users (test, ubuntu and cloudinit) prefixed with "<username>:":

test:ssh-rsa <key for test user> test@example.com
ubuntu:ssh-rsa <key for ubuntu user> test@example.com
cloudinit:ssh-rsa <key for cloudinit user> test@example.com

Create a new instance with these keys as instance metadata:

gcloud compute instances create ubuntu --image-family ubuntu-1604-lts \
       --image-project ubuntu-os-cloud --metadata-from-file=ssh-keys=mykeys \
       --metadata=block-project-ssh-keys=True

As a result, the ubuntu user receives both the ubuntu and cloudinit keys from cloud-init. It also receives keys from the Google accounts daemon, but that is out of scope for this article:

root@ubuntu:~# cat /home/ubuntu/.ssh/authorized_keys 

ssh-rsa <cloudinit key> test@example.com
ssh-rsa <ubuntu key> test@example.com
# Added by Google
ssh-rsa <also the ubuntu key, populated by the Google accounts daemon> test@example.com

Also note that the ubuntu user will still receive the ubuntu and cloudinit public keys from the metadata even when OS Login is enabled.
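
To check an instance against the behaviour described above, the following added example (not part of the original page or of cloud-init) compares the ubuntu user's authorized_keys with the ssh-keys metadata value and reports which keys came from ubuntu or cloudinit entries and which are unexplained. The function names and the sample key blobs are assumptions constructed for illustration, and only instance-level metadata is considered.

```python
# Added example. Per the page, cloud-init gives the ubuntu user these users' keys.
UBUNTU_SOURCES = {"ubuntu", "cloudinit"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # OpenSSH public key type prefixes

def key_id(line):
    """Return (type, blob), ignoring options and comment (no spaces in options)."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return (tok, tokens[i + 1])
    return None

def ubuntu_keys_from_metadata(metadata):
    """Map key id -> metadata username for entries that land on the ubuntu user."""
    keys = {}
    for line in metadata.splitlines():
        user, sep, key = line.strip().partition(":")
        if sep and user in UBUNTU_SOURCES and key_id(key):
            keys[key_id(key)] = user
    return keys

def audit(metadata, authorized_keys):
    """Split authorized_keys entries into metadata-sourced and unexplained keys."""
    expected = ubuntu_keys_from_metadata(metadata)
    report = {"from_metadata": [], "unexplained": []}
    seen = set()
    for line in authorized_keys.splitlines():
        kid = None if line.lstrip().startswith("#") else key_id(line)
        if kid is None or kid in seen:  # skip comments, blanks, duplicate entries
            continue
        seen.add(kid)
        bucket = "from_metadata" if kid in expected else "unexplained"
        report[bucket].append((expected.get(kid), kid[1]))
    return report

# Constructed sample data: the blobs are placeholders, not real keys.
SAMPLE_METADATA = """\
test:ssh-rsa AAAAtest test@example.com
ubuntu:ssh-rsa AAAAubuntu test@example.com
cloudinit:ssh-rsa AAAAcloudinit test@example.com
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAcloudinit test@example.com
ssh-rsa AAAAubuntu test@example.com
# Added by Google
ssh-rsa AAAAubuntu test@example.com
ssh-rsa AAAAstray someone@example.com
"""

if __name__ == "__main__": print(audit(SAMPLE_METADATA, SAMPLE_AUTHORIZED_KEYS))
```

An entry under "unexplained" is a key on the ubuntu account that no ubuntu or cloudinit metadata entry accounts for, so it needs a separate explanation.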

GoogleComputeEngineSSHKeys (last edited 2018-05-17 21:03:31 by davecore)