How to access SSH keys for a Google Cloud Platform Compute Engine VM instance?
P

8

74

I created a new instance via the Google Cloud web console from a CentOS 6.x image. I saw a blank on the creation form where I could paste in an existing SSH key; since this was my first instance, I didn't have one yet. I assumed it would take me through the key creation process like Amazon EC2 does. It didn't.

The instance appears to be created, but I can't figure out how to get the SSH key for it. The instance web page has a button that says "SSH" and it let me log in briefly via a pop-up web browser window that simulates an SSH session. However, it only let me into a user-level account, not root. The pop-up had a menu item to change the user and changing it to root does nothing but generate connection errors. Now I can't log into my instance at all!

I've searched but can't find any straight-forward documentation that explains this aspect of Google Compute instances.

Do I have to create my own SSH keys manually and paste them into the form during instance creation? Is there an obvious step I'm missing?

Phototherapy answered 17/12, 2014 at 22:21 Comment(0)
T
100

By default, a new Google Compute Engine (GCE) VM instance does not have SSH keys pre-assigned to it, so you cannot "retrieve" them as they don't exist—it's up to you to create them, or use a tool like gcloud (see below) which will prompt you to create them if you don't have SSH keys yet.

You have several options for connecting to your newly-created GCE VM.

One option is to connect using the "SSH" button in the Developer Console GUI next to the instance in the list of instances, which will open a browser window and a terminal session to the instance.

If you would like to connect via an SSH client on the command line, you can use the gcloud tool (part of the Google Cloud SDK):

gcloud compute ssh example-instance

You can see the full set of flags and options on the gcloud compute ssh help page, along with several examples.

If you don't already have SSH keys, it will prompt you to create them and then connect to the instance. If you already have keys, you can use existing SSH keys, which it will transfer to the instance.

By default, gcloud expects keys to be located at the following paths:

  • $HOME/.ssh/google_compute_engine – private key
  • $HOME/.ssh/google_compute_engine.pub – public key

If you want to reuse keys from a different location with gcloud, consider either making symlinks or pointing gcloud there using the --ssh-key-file flag.

Note: if you don't use gcloud at all, you have to manually add the SSH keys to the instance's metadata as described in Setting up ssh keys at the instance level which you can do via gcloud or manually via Google Cloud console.

You can also create your own keys using ssh-keygen which is what gcloud will also use under the covers. You can connect to the instance using ssh directly instead of gcloud but you will need to specify extra parameters to do so:

ssh -i KEY_FILE -o UserKnownHostsFile=/dev/null \
    -o CheckHostIP=no -o StrictHostKeyChecking=no \
    USER@IP_ADDRESS

which will require the following parameters:

  • KEY_FILE – [Required] The file where the keys are stored on the computer, e.g., ~/.ssh/google_compute_engine.

  • USER – [Required] The username to log in that instance. Typically, this is the username of the local user running gcloud compute.

  • IP_ADDRESS – [Required] The external IP address of the instance.

For more details, see the SSH docs.

Transom answered 17/12, 2014 at 23:34 Comment(6)
I think you're saying that when a new instance is created there are no ssh keys? And I can't create ssh keys in the conventional manner that I would for a CentOS server. Instead I have to create the ssh keys using the Google tool gcloud. But once created, I can ssh to the instance normally (i.e. without gcloud or the web-based ssh). I'll give it a try. Only remaining question is whether that will get me root access. On EC2 you set the root ssh keys during instance creation and then create user-level ssh keys later. Is the ssh key generated by gcloud the root key? - Phototherapy
There are no SSH keys added to the instance by default. I've updated the answer for info on using ssh-keygen and ssh directly. Your login will be the same as your local username but it will have passwordless sudo access, so you won't log in as root directly, but sudo will give you root access privileges. - Transom
@MishaBrukman it's asking for the passphrase of $HOME/.ssh/google_compute_engine. What will it be? I did not create any passphrase for this. - Arlina
@AnuranBarman — if you created the key $HOME/.ssh/google_compute_engine without providing a password, then you can just press Enter when it asks for the password. You can also run ssh-add ~/.ssh/google_compute_engine and if you can add it successfully without providing a password, that should work with gcloud as well. If that doesn't work, you can just remove that key and create one manually with ssh-keygen and then you'll know the password for it as you'll have to specify it to create the key. - Transom
I specifically use AWS over GCP for this particular reason. - Cyrstalcyrus
A
43

To log in to the instance using ssh [all steps performed on Linux Ubuntu 16.04]:

  1. Create an SSH key:

    ssh-keygen -t rsa -f ~/.ssh/gcloud_instance1 -C varunon9

    Here gcloud_instance1 is the name of the key file and varunon9 is the username.

  2. Print the content of the public key file:

    cd ~/.ssh && cat gcloud_instance1.pub

  3. Click on the Edit VM instance details icon.

  4. Paste the content of the public key file (output of cd ~/.ssh && cat gcloud_instance1.pub) in the ssh-keys text area.

  5. Click on Save.

  6. From the terminal you can now log in to your instance via ssh:

    ssh -i gcloud_instance1 varunon9@35.200.201.56

    where gcloud_instance1 is the private key file (in the .ssh directory), varunon9 is the username and 35.200.201.56 is the external IP of your instance.

Aramaic answered 28/11, 2018 at 16:40 Comment(2)
What is the UserName in this context? ex. in the VM terminal someName@instanceName:~$ - Chalybeate
@Chalybeate - in Google Cloud Platform the username is the key comment (varunon9 in answer example) and it must match the username you are trying to log in with. See this. - Durware
M
10

Easiest way for creating and using one pair of ssh keys for multiple instances:

Step 1: Install putty and puttyGen from https://putty.org/

Step 2: Open a terminal in your local desktop / laptop (in Windows 10 and later you use Windows Linux Subsystem)

Type: ssh-keygen

Enter a name for the filename at the prompt: e.g. google_key

2 files will be created google_key and google_key.pub

Step 3: Copy the entire contents of the google_key.pub

Note there is no new line character. It should all be in one line.

Step 4: Before creating any VM instance, go to Compute Engine -> Metadata

Select the "SSH keys" tab and click "Add SSH keys"

Paste the contents of the google_key.pub. If you pasted the contents properly, you should see the username appear on the left label. Then hit save.

Step 5: Now create your favorite VM instance under google compute.

Copy the External IP vm_instance_external_ip

Go back to your linux terminal and type

ssh -i google_key username@vm_instance_external_ip

Type "yes"

And now you should be good to go.

If you need video instructions, see here

Michi answered 18/7, 2019 at 5:17 Comment(2)
Omg, got it fixed after two days. Thank you man. The video link at the end was the most helpful part in my case. I guess the error was that I had repeatedly been creating the VM instance first, and then assigning the sshkey in the Metadata section. I still don't know. - Anna
When I click on save, it says Invalid key. Required format: <protocol> <key-blob> <[email protected]> or <protocol> <key-blob> google-ssh {"userName":"<[email protected]>","expireOn":"<date>"} - could you paste how the content of google_key.pub looks for you? - Flair
P
4

To populate SSH config files in your machine use:

gcloud compute config-ssh
Pestana answered 23/12, 2020 at 0:13 Comment(0)
J
3

For anyone that wants to add project-wide SSH keys to their Google Cloud Platform (GCP) project, $GCP_PROJECT_NAME:

  1. Generate an Ed25519-based SSH key:

    ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)"
    
    #=>
    
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/. . ./.ssh/id_ed25519):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in id_ed25519.
    Your public key has been saved in id_ed25519.pub.
    The key fingerprint is:
    SHA256:. . . "$(whoami)@$(hostname)"
    The key's randomart image is:
    +--[ED25519 256]--+
    |      . . .      |
    +----[SHA256]-----+
    
  2. Install the Google Cloud SDK (gcloud) from here

  3. Make sure you're logged-in as the correct user:

    gcloud config list --format="value(core.account)"
    

    if not, log-in using:

    gcloud auth login
    
  4. Make sure you're connected to $GCP_PROJECT_NAME with:

    gcloud config list --format="value(core.project)"
    

    if not, switch to $GCP_PROJECT_NAME with:

    gcloud config set project $GCP_PROJECT_NAME
    
  5. Making use of the filter() and firstof() transforms available for gcloud allows you to avoid generating a temporary file and only use a single command to add that SSH key to $GCP_PROJECT_NAME:

    gcloud compute project-info add-metadata \
    --metadata ssh-keys="$(gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))")
    $(whoami):$(cat ~/.ssh/id_ed25519.pub)"
    
    #=>
    
    Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].
    
  6. You should now see that Ed25519-based SSH key in $GCP_PROJECT_NAME; check with:

    gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
    

Using OpenSSH to just secure shell into a Compute virtual machine (VM) is as easy as:

  1. Find the external IP ($GCP_VM_ADDRESS) for the VM you wish to secure shell into with:

    gcloud compute instances list \
    --format=table"[box=true](name:label=NAME, networkInterfaces[].accessConfigs[].natIP.flatten():label=EXTERNAL_IP)"
    
    #=>
    
    ┌──────────────┬─────────────────┐
    │     NAME     │  EXTERNAL_IP    │
    ├──────────────┼─────────────────┤
    │     . . .    │      . . .      │
    │ $GCP_VM_NAME │ $GCP_VM_ADDRESS │
    │     . . .    │      . . .      │
    └──────────────┴─────────────────┘
    

    Note: if you haven't created a VM yet, be sure to follow the instructions here.

  2. You should now be able to just:

    ssh $(whoami)@$GCP_VM_ADDRESS
    
Jamilajamill answered 11/8, 2021 at 11:25 Comment(1)
This looks excellent, but I still get permission denied when I try it. I read somewhere that Google VMs don't like trying to login with root, but it doesn't seem to work for other users either. - Drouin
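The answers above that paste a public key into the "SSH keys" metadata (per instance, or project-wide with gcloud compute project-info add-metadata) all end up writing USERNAME:KEY lines, optionally followed by the google-ssh expiry form quoted in the "Invalid key" comment. The Python below is an added example, not code from any of the posts or from Google's tooling, that audits such a metadata value; the function names, the findings it reports, the users alice, bob and carol and the all-zero sample keys are constructed for illustration.

```python
import base64, json, struct
from datetime import datetime, timezone

def blob_type(blob_b64):
    """Return the key type named inside a base64 SSH public-key blob, or None."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])      # blob starts with a length-prefixed type string
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else None
    except (ValueError, struct.error):           # bad base64, short blob, non-ASCII type
        return None

def audit_ssh_keys(value, now=None):
    """Return [(username, key_type, [findings])] for an ssh-keys metadata value."""
    now = now or datetime.now(timezone.utc)
    report = []
    for line in filter(None, map(str.strip, value.splitlines())):
        user, sep, key = line.partition(":")
        parts = key.split(None, 2)
        if not sep or " " in user or len(parts) < 2:
            report.append((None, None, ["malformed entry (want USERNAME:TYPE BLOB ...)"]))
            continue
        ktype, blob, rest = parts[0], parts[1], (parts[2] if len(parts) == 3 else "")
        findings = []
        if blob_type(blob) != ktype:             # e.g. truncated paste or edited key type
            findings.append("blob does not match declared type")
        if user == "root":                       # assumption: audit policy flags root entries
            findings.append("key grants direct root login")
        if rest.startswith("google-ssh "):       # optional expiry form of the entry
            try:
                expires = datetime.strptime(json.loads(rest[11:])["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
                if expires <= now:
                    findings.append("expired")
            except (ValueError, KeyError, TypeError):
                findings.append("unreadable expireOn")
        report.append((user, ktype, findings))
    return report

def sample_blob(ktype):                          # constructed sample: all-zero key material
    t = ktype.encode()
    return base64.b64encode(struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes(32)).decode()

SAMPLE = "\n".join([                             # constructed metadata value, not real keys
    f"varunon9:ssh-ed25519 {sample_blob('ssh-ed25519')} varunon9",
    f"root:ssh-ed25519 {sample_blob('ssh-ed25519')} root@laptop",
    f"alice:ssh-rsa {sample_blob('ssh-ed25519')} alice",
    f'bob:ssh-ed25519 {sample_blob("ssh-ed25519")} google-ssh {{"userName":"bob@example.com","expireOn":"2020-01-01T00:00:00+0000"}}',
    f"ssh-ed25519 {sample_blob('ssh-ed25519')} carol",
])
```

Feed it the output of the gcloud compute project-info describe command from step 6 above to review the real project-wide value; the last sample line shows what a key pasted without its USERNAME: prefix looks like to the parser.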
C
2

I found a useful button that helps avoiding the guessing game for the different gcloud parameters, such as versionId, serviceId, etc.

View gcloud command --> ssh screenshot

Christcrossrow answered 28/8, 2019 at 11:0 Comment(1)
Thank you so much, I was going crazy trying this. - Russon
D
1

Once you open the console, try to view the gcloud command in the ssh tab. The gcloud client will open with the following command.

gcloud compute --project PROJECT_ID ssh --zone ZONE INSTANCE_NAME

And if it's the first time, it will create an ssh key for you. You just need to download the file at this location ~/.ssh/google_compute_engine using the gcloud client download file option on the top right. Once you have the key file, just issue

ssh -i KEY_FILE username@external_IP

Doering answered 9/7, 2018 at 8:6 Comment(1)
Hi, I have a similar issue where I create an ssh key on one google compute and copy the public key over to another google compute and then try to ssh from one node to another. However, I get a permission error. To fix this will I have to follow similar steps as mentioned above? - Cytolysis
G
0

The concept is simple: if you have the SSH private key, you can connect to the server. The answer given above by @isma is the easy one.

So:

  • create SSH keys: ssh-keygen in desktop-shell/GCP-sdk, which generates the public/private key pair
  • put the public key in Gcloud Compute - SSH
  • now connect from desktop-shell/GCP-sdk using ssh -i google_key username@vm_instance_external_ip

OR

Use PuTTY: download the private key as mentioned by @Abubacker and open PuTTY

  • give the IP address
  • open the private key in SSH-Auth
Gesualdo answered 2/10, 2020 at 10:41 Comment(0)