When an Ubuntu instance is booted within a Google Compute Engine project, SSH keys are sourced from two places: the project-level metadata, and the instance-level metadata. There are two methods that are then used to put these keys in place on an Ubuntu instance: cloud-init and the GCE daemon.
Project-level SSH keys can be found either through the web interface in ‘Compute > Compute Engine > Metadata’ on the project page, or by looking at the value of sshKeys in the output of gcloud compute project-info describe. Each of these SSH keys specifies a user and a corresponding public key.
Instance-level SSH keys are specified in metadata on starting an instance; see https://cloud.google.com/compute/docs/instances#setting_up_ssh_keys_at_the_instance_level for more details on how this is done.
When an Ubuntu instance is started in Google Compute Engine project with project-level SSH keys, cloud-init will always create an ubuntu user and add all of the project-level SSH keys (regardless of the user name they are assigned to) to .ssh/authorized_keys in the ubuntu user’s home directory.
If instance-level SSH keys are provided, the GCE daemon will only apply those to an instance; project-level SSH keys are disregarded. If (and only if) instance-level SSH keys are not specified, the GCE daemon will apply project-level SSH keys.
Once the metadata to use has been determined, the GCE daemon will create a user for each SSH key, and add the corresponding public key to .ssh/authorized_keys in their home directory.
In pseudo-code, the GCE daemon does the following:
sshKeys =  if ‘sshKeys’ in instanceMetadata: sshKeys = instanceMetadata[‘sshKeys’] elif ‘sshKeys’ in projectMetadata: sshKeys = projectMetadata[‘sshKeys’] for username, publicKey in sshKeys: create_user(username) add_authorized_key_for_user(username, publicKey)