Revision 1 as of 2014-12-17 17:18:30


When an Ubuntu instance is booted within a Google Compute Engine project, SSH keys are sourced from two places: the project-level metadata, and the instance-level metadata. There are two methods that are then used to put these keys in place on an Ubuntu instance: cloud-init and the GCE daemon.

Project-level SSH keys can be found either through the web interface in ‘Compute > Compute Engine > Metadata’ on the project page, or by looking at the value of sshKeys in the output of gcloud compute project-info describe. Each of these SSH keys specifies a user and a corresponding public key.

Instance-level SSH keys are specified in metadata on starting an instance; see for more details on how this is done.

When an Ubuntu instance is started in a Google Compute Engine project that has project-level SSH keys, cloud-init will always create an ubuntu user and add every project-level SSH key (regardless of the user name it is assigned to) to .ssh/authorized_keys in the ubuntu user’s home directory. In other words, whoever holds the private half of any project-level key can log in as ubuntu on that instance, whatever user name the key was registered under.

If instance-level SSH keys are provided, the GCE daemon applies only those to the instance and disregards the project-level SSH keys. If (and only if) no instance-level SSH keys are specified, the GCE daemon applies the project-level SSH keys. Note that this precedence rule governs only the GCE daemon: cloud-init still adds every project-level key to the ubuntu user as described above, whether or not instance-level keys are present.

Once the metadata to use has been determined, the GCE daemon creates a user for each SSH key and adds the corresponding public key to .ssh/authorized_keys in that user’s home directory.

In pseudo-code, the GCE daemon does the following:

    # Instance-level keys take precedence; project-level keys are used
    # only when the instance specifies none.
    sshKeys = []
    if 'sshKeys' in instanceMetadata:
        sshKeys = instanceMetadata['sshKeys']
    elif 'sshKeys' in projectMetadata:
        sshKeys = projectMetadata['sshKeys']
    # Each entry names a user; its key goes into that user's authorized_keys.
    for username, publicKey in sshKeys:
        add_authorized_key_for_user(username, publicKey)
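The two mechanisms side by side, as an added example that is not code from this page, from cloud-init or from the GCE daemon: the Python below models which keys each mechanism installs for which user, and runs both cases (instance-level keys absent and present). The metadata values, user names and keys are constructed sample data, the function names are mine, and the sshKeys value is assumed to be newline-separated "username:public-key" entries, a format the page does not spell out.

```python
"""Model of how SSH keys in GCE metadata reach an Ubuntu instance.

Added example; not the wiki's, cloud-init's or the GCE daemon's code.
Assumption: the sshKeys metadata value is newline-separated
"username:public-key" entries (the page does not give the format).
"""
from collections import defaultdict

# Constructed sample metadata; the key material is not real.
PROJECT_METADATA = {
    "sshKeys": "alice:ssh-rsa AAAAB3Nza...alice alice@example.com\n"
               "bob:ssh-ed25519 AAAAC3Nza...bob bob@example.com",
}
INSTANCE_METADATA_WITH_KEYS = {
    "sshKeys": "carol:ssh-ed25519 AAAAC3Nza...carol carol@example.com",
}
INSTANCE_METADATA_WITHOUT_KEYS = {}


def parse_ssh_keys(value):
    """Split an sshKeys value into (username, public_key) pairs.

    Blank lines and entries missing either half are ignored.
    """
    pairs = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        username, _, public_key = line.partition(":")
        if not username or not public_key:
            continue  # malformed entry
        pairs.append((username, public_key))
    return pairs


def gce_daemon_keys(instance_metadata, project_metadata):
    """Keys per user as the GCE daemon installs them.

    Instance-level sshKeys win outright; project-level keys are used
    only when the instance has none (the page's pseudo-code).
    """
    if "sshKeys" in instance_metadata:
        raw = instance_metadata["sshKeys"]
    elif "sshKeys" in project_metadata:
        raw = project_metadata["sshKeys"]
    else:
        raw = ""
    result = defaultdict(list)
    for username, public_key in parse_ssh_keys(raw):
        result[username].append(public_key)
    return dict(result)


def cloud_init_keys(project_metadata):
    """Keys per user as cloud-init installs them.

    Every project-level key goes to the ubuntu user, regardless of the
    user name it is registered under; instance-level keys play no part.
    """
    raw = project_metadata.get("sshKeys", "")
    keys = [public_key for _, public_key in parse_ssh_keys(raw)]
    return {"ubuntu": keys} if keys else {}


def effective_keys(instance_metadata, project_metadata):
    """Union of both mechanisms: which key opens which account."""
    merged = defaultdict(list)
    for source in (cloud_init_keys(project_metadata),
                   gce_daemon_keys(instance_metadata, project_metadata)):
        for user, keys in source.items():
            for key in keys:
                if key not in merged[user]:
                    merged[user].append(key)
    return dict(merged)


if __name__ == "__main__":
    cases = (("no instance-level keys", INSTANCE_METADATA_WITHOUT_KEYS),
             ("instance-level keys set", INSTANCE_METADATA_WITH_KEYS))
    for label, instance in cases:
        print(label)
        for user, keys in sorted(effective_keys(instance, PROJECT_METADATA).items()):
            # Print only the comment field of each key for readability.
            print("  %-7s %s" % (user, [k.split()[-1] for k in keys]))
```

Running it shows the point the text makes: with instance-level keys set, the GCE daemon creates only carol, yet alice's and bob's project-level keys still open the ubuntu account through cloud-init. Restricting an instance to its own keys therefore does not shut project-level key holders out of an Ubuntu instance.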