Add SSH keys to VMs

Linux Windows

This document describes how to add SSH keys to virtual machine (VM) instancesthat useOS Login and VMs that usemetadata-based SSH keys. If you or your organization administratorhasn't enabled OS Login, your VMs use metadata-based SSH keys.Key Point: The procedures in this document are optional. If you connect to VMsusing the Google Cloud console or the Google Cloud CLI, Compute Engine creates andmanages SSH keys on your behalf.

Before you begin

For information about managing access to your Compute Engine VMs, see Choosing an access method.
If you haven't already,create an SSH key pair.
If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
1. Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
  gcloudinit
  If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
  Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.
2. Set a default region and zone.
Terraform
To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
For more information, see Set up authentication for a local development environment.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Add keys to VMs that use OS Login

VMs that use OS Login accept SSH keys that are associated with your GoogleAccount. You can associate a public SSH key with your Google Account using thegcloud CLI or using the OS Login API. If you're an administrator foryour organization, you can add SSH keys to user accounts using theDirectory API.

When you add SSH keys to your Google Account, Compute Engine generates ausername for you by combining the username and domain from the email associatedwith your Google Account. For example, if your email address iscloudysanfrancisco@gmail.com, your username iscloudysanfrancisco_gmail_com.If you add an SSH key in a project that is outside of your organization, yourusername is prefixed withext_, for example,ext_cloudysanfrancisco_gmail_com. Your organization administrator cancustomize your username using theDirectory API. Ifyou already have a username configured, Compute Engine uses thatusername when you add SSH keys.

Note: VMs that have been configured to require SSHcertificates reject connections fromunsigned SSH keys.

Permissions required for this task

To perform this task, you must have the followingpermissions:

All permissions in the Compute OS Login External User role, if you add an SSH key in a project outside of your organization.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To add a public SSH key to your account, use thegcloud compute os-login ssh-keys add command:
```
gcloud compute os-login ssh-keys add \   --key-file=KEY_FILE_PATH \   --project=PROJECT \   --ttl=EXPIRE_TIME
```
Replace the following:
- KEY_FILE_PATH: the path to the public SSH keyon your workstation. The key must use thepublic-openssh format
- PROJECT: Optional: a project where you intend touse your SSH key. Specify this field to use your SSH key in a projectoutside of your organization, or you are not a member of aCloud Identity organization
- EXPIRE_TIME: Optional: the expiration time for theSSH key
  For example, if you specify30m the SSH key expires after 30 minutes.
  This flag uses the following units:
  - s for seconds
  - m for minutes
  - h for hours
  - d for days

Terraform

To add a public SSH key to your account, use thegoogle_client_openid_userinfo resource along with thegoogle_os_login_ssh_public_key resource.

data "google_client_openid_userinfo" "me" {}resource "google_os_login_ssh_public_key" "default" {  user = data.google_client_openid_userinfo.me.email  key  = file("id_rsa.pub") # path/to/ssl/id_rsa.pub}

REST

To add a public SSH key to your account, use the OS Login APIusers.importSshPublicKey method:

POST https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL:importSshPublicKey{ "key": "SSH_KEY", "expirationTimeUsec": "EXPIRATION_TIMESTAMP"}

Replace the following:

ACCOUNT_EMAIL: the email address associated withyour account
SSH_KEY: the public key that you want to addto the account
EXPIRATION_TIMESTAMP: the expiration time forthe key, in microseconds since epoch (1 second = 10⁶microseconds)

Add SSH keys to VMs that use metadata-based SSH keys

Caution: If you manage SSH keys in metadata, you might disrupt the ability of your project members to connect to VMs. Additionally, you risk granting users, including users outside of your project, unintended access to VMs. Users and service accounts that have the ability to modify project metadata can add SSH keys for all VMs in the project except for VMs that block project-level SSH keys. For more information, see risks of manual key management.

VMs that don't use OS Loginstore SSH keys in Compute Engine project and instance metadata. IfOS Login is enabled for a VM, then the VM's guest agent ignores the keysstored in metadata.

You can use SSH keys stored in project metadata to access all VMs in a project.You can use SSH keys stored in instance metadata to access individual VMs.

Compute Engine doesn't automatically remove expired SSH keys frommetadata at expiration time, but expired keys can't be used to establish newconnections to VMs. If you want to remove expired keys from metadata, seeRemove SSH keys from VMs that use metadata-based keys.

You can add a public SSH key to project or VM instance metadatausing the Google Cloud console, the gcloud CLI, or REST.You can't set zonal metadata values for SSH keys.

Caution: Public SSH keys that you add directly to a VM's~/.ssh/authorized_keys files might be overwritten by the VM's guest agent.We recommend that you add keys using the supported Google Cloud console,gcloud CLI, or REST methods as described in the followingsections.

Add SSH keys to project metadata

You can add a public SSH key to project metadata to access all VMs in a project,except VMs that block project-wide SSH keys. For more information aboutblocking project-wide SSH keys, seeBlock SSH keys from VMs that use metadata-based SSH keys.

Permissions required for this task

To perform this task, you must have the followingpermissions:

compute.projects.setCommonInstanceMetadata on the project.
iam.serviceAccounts.actAs on the project. For more information about service account permissions, seeRoles for service account authentication.

Console

To add a public SSH key to project metadata using theGoogle Cloud console, do the following:

In the Google Cloud console, go to theMetadata page.
Go to Metadata
Click theSSH keys tab.
ClickEdit.
ClickAdd item.
In theSSH key field that opens, add your public SSH key. The keymust be in one of the following formats:
- Format for a key without an expiration time:
```
KEY_VALUEUSERNAME
```
- Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
Replace the following:
- KEY_VALUE: the public SSH key value
- USERNAME: your username. For example,cloudysanfrancisco orcloudysanfrancisco_gmail_com.
  For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnect to Linux VMs as the root user.
  For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
- EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
ClickSave.

gcloud

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

If there are existing SSH keys in project metadata, you mustre-add them to project metadata every time you add a new SSH key using thegcloud CLI. If you don't re-add your existing keys,adding a new key erases the existing keys.
To add a public SSH key to project metadata using the gcloud CLI,do the following:
1. If your project already has project-wide public SSH keys, get them frommetadata and add them to a new file:
  1. Run thegcloud compute project-info describe commandto get the SSH keys for the project:
```
gcloud compute project-info describe \ --format="value(commonInstanceMetadata[items][ssh-keys])"
```
    The output is similar to the following:
```
username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... username:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
```
  2. Copy thessh-keys metadata value.
  3. Create and open a new text file on your workstation.
  4. In the file, paste the list of keys that you just copied.
  5. Add your new key at the end of the list, in one of the followingformats:
    - Format for a key without an expiration time:
      USERNAME:KEY_VALUE
    - Format for a key with an expiration time:
      USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
    Replace the following:
    - KEY_VALUE: the public SSH key value
    - USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
      For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
      For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
    - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
  6. Save and close the file.
2. Run thegcloud compute project-info add-metadatacommand to set the project-widessh-keys value:
```
gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
```
  ReplaceKEY_FILE with one of the following:
  - The path to the file you created in the previous step, if the projecthad existing SSH keys
  - The path to your new public SSH key file, if the project didn't haveexisting SSH keys

Terraform

To add a public SSH key to your project metadata, use thegoogle_compute_project_metadata resource.

resource "google_compute_project_metadata" "default" {  metadata = {    ssh-keys = <<EOF      dev:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT dev      test:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT test    EOF  }}

REST

If there are existing SSH keys in project metadata, you mustre-add them to project metadata every time you add a new SSH key using thethe Compute Engine API. If you don't re-add your existing keys,adding a new key erases the existing keys.

To add a public SSH key to project metadata using the Compute Engine API,do the following:

Get thefingerprint andssh-keys values from metadata by using theprojects.get method

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID

ReplacePROJECT_ID with your project ID.

The response is similar to the following:

..."fingerprint": "utgYE_XWtE8=","items": [{ "key": "ssh-keys", "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"}]...

Add the newssh-keys value by using theprojects.setCommonInstanceMetadatamethod.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata{"items": [ {  "key": "ssh-keys",  "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY" }]"fingerprint": "FINGERPRINT"}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the value of thessh-keyskey from the response of theprojects.get request
- FINGERPRINT: the value of thefingerprintfrom the response of theprojects.get request
- NEW_SSH_KEY: the new SSH key, in one of thefollowing formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
    For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000

Add SSH keys to instance metadata

You can add a public SSH key to instance metadatawhen you create a VM orafter you create a VM.

Add SSH keys to instance metadata during VM creation

You can add SSH keys to instance metadata during VM creation, using theGoogle Cloud console, gcloud CLI, or Compute Engine API.

Console

To create an instance and add a public SSH key to instance metadata at thesame time using the Google Cloud console, do the following:

In the Google Cloud console, go to theCreate an instance page.
Go to Create an instance
To add a public SSH key to instance metadata, do the following:
1. In the navigation menu, clickSecurity.
2. Expand theManage access section.
3. To disable OS Login, clear theControl VM access through IAM permissions checkbox.
4. If you want to allow public SSH keys in project metadata to access the instance, clear theBlock project-wide SSH keys checkbox.
5. In theAdd manually generated SSH keys section, clickAdd item.
6. Add your public key in the text box. The key must be in one of the following formats:
  - Format for a key without an expiration time:
```
KEY_VALUEUSERNAME
```
  - Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example,cloudysanfrancisco orcloudysanfrancisco_gmail_com.
    For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnect to Linux VMs as the root user.
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
Optional: Specify other configuration options. For more information, seeConfiguration options during instance creation.
To create and start the instance, clickCreate.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To create a VM and add a public SSH key to instance metadata at the same timeusing the gcloud CLI, use thegcloud compute instances create command:
```
gcloud compute instances createVM_NAME \   --metadata=ssh-keys=PUBLIC_KEY
```
Replace the following:
- VM_NAME: the name of the new VM
- PUBLIC_KEY: your public SSH key, in one of thefollowing formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
    For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
You can add multiple SSH keys by using the--metadata-from-file=ssh-keys=FILE_PATH flag.In the file, add a list of usernames and public SSH keys in one of thepreceding formats.

Terraform

To add a public SSH key to your instance metadata, use thegoogle_compute_instance resource.

resource "google_compute_instance" "default" {  name         = "my-vm"  machine_type = "n1-standard-1"  zone         = "us-central1-a"  boot_disk {    initialize_params {      image = "ubuntu-1404-trusty-v20160627"    }  }  # Local SSD disk  scratch_disk {    interface = "SCSI"  }  network_interface {    network = "default"    access_config {}  }  metadata = {    "ssh-keys" = <<EOT      dev:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT dev      test:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILg6UtHDNyMNAh0GjaytsJdrUxjtLy3APXqZfNZhvCeT test     EOT  }}

REST

To create a VM and add a public SSH key to instance metadata at the sametime using the Compute Engine, construct aPOST request to theinstances.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances

Replace the following:

PROJECT_ID: the project ID
ZONE: the zone of the VM

In the body of the request, provide usernames and public SSH keys in theitems property:

...{ "items": [    {     "key": "ssh-keys",     "value": "PUBLIC_KEY"    }   ]}...

ReplacePUBLIC_KEY with your public key, in oneof the following formats:

Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```

Format for a key with an expiration time:

USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}

Replace the following:

KEY_VALUE: the public SSH key value
USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000

You can add multiple SSH keys by adding\n between keys.

Add SSH keys to instance metadata after VM creation

You can add SSH keys to instance metadata after VM creation, using theGoogle Cloud console, gcloud CLI, or Compute Engine API.

Permissions required for this task

To perform this task, you must have the followingpermissions:

compute.instances.setMetadata on the VM

Console

To add a public SSH key to instance metadata using theGoogle Cloud console, do the following:

In the Google Cloud console, go to theVM instances page.
Go to VM Instances
Click the name of the VM that you want to add an SSH key for.
ClickEdit.
UnderSSH Keys, clickAdd item.
Add your public key into the text box. The key must be in one of thefollowing formats:
- Format for a key without an expiration time:
```
KEY_VALUEUSERNAME
```
- Format for a key with an expiration time:
```
KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
Replace the following:
- KEY_VALUE: the public SSH key value
- USERNAME: your username. For example,cloudysanfrancisco orcloudysanfrancisco_gmail_com.
  For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnect to Linux VMs as the root user.
  For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
- EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
ClickSave.

gcloud

In the Google Cloud console, activate Cloud Shell.
Activate Cloud Shell
At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
If there are existing SSH keys in instance metadata, you must re-add them toinstance metadata every time you add a new SSH key using thegcloud CLI. If you don't re-add your existing keys, adding anew key erases the existing keys.
To add a public SSH key to instance metadata using thegcloud CLI, do the following:
1. If your VM already has instance-level public SSH keys, get them frommetadata and add them to a new file:
  1. Run thegcloud compute instances describe commandto get the metadata for the VM:
```
gcloud compute instances describeVM_NAME
```
    ReplaceVM_NAME with the name of the VM for which youneed to add or remove public SSH keys.
    The output is similar to the following:
```
...metadata:...- key: ssh-keys value: |-   cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...   baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}...
```
  2. Copy thessh-keys metadata value.
  3. Create and open a new text file on your workstation.
  4. In the file, paste the list of keys that you just copied.
  5. Add your new key at the end of the list, in one of the followingformats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
    For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000
  1. Save and close the file.
2. Run thegcloud compute instances add-metadata command to setthessh-keys value:
```
gcloud compute instances add-metadataVM_NAME --metadata-from-file ssh-keys=KEY_FILE
```
  Replace the following:
  - VM_NAME: the VM you want to add theSSH key for
  - KEY_FILE with one of the following:
  - The path to the file you created in the previous step, if the VM hadexisting SSH keys
  - The path to your new public SSH key file, if the VM didn't haveexisting SSH keys

REST

If there are existing SSH keys in instance metadata, you must re-add them toinstance metadata every time you add a new SSH key using theCompute Engine API. If you don't re-add your existing keys, adding anew key erases the existing keys.

To add a public SSH key to instance metadata using theCompute Engine API, do the following:

Get thefingerprint andssh-keys values from metadata by using theinstances.getmethod.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME

Replace the following:

PROJECT_ID: your project ID
ZONE: the zone of the VM to add an SSHkey
VM_NAME: the VM you're adding an SSH key for

The response is similar to the following:

..."fingerprint": "utgYE_XWtE8=","items": [{ "key": "ssh-keys",  "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF...\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8... google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"}]...

Add the newssh-keys value by using theinstances.setMetadatamethod.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata{"items": [ {  "key": "ssh-keys",  "value": "EXISTING_SSH_KEYS\nNEW_SSH_KEY" }]"fingerprint": "FINGERPRINT"}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the value of thessh-keyskey from the response of theinstances.get request
- FINGERPRINT: thefingerprintfrom the response of theprojects.get request
- NEW_SSH_KEY: the new SSH key, in one of thefollowing formats:
  - Format for a key without an expiration time:
```
USERNAME:KEY_VALUE
```
  - Format for a key with an expiration time:
```
USERNAME:KEY_VALUE google-ssh {"userName":"USERNAME","expireOn":"EXPIRE_TIME"}
```
  Replace the following:
  - KEY_VALUE: the public SSH key value
  - USERNAME: your username. For example,cloudysanfrancisco, orcloudysanfrancisco_gmail_com.
    For Linux VMs, theUSERNAME can't beroot, unless you configure your VM to allow root login. For more information, seeConnecting to instances as the root user.
    For Windows VMs that use Active Directory (AD), the username must be prepended with the AD domain, in the format ofDOMAIN\. For example, the usercloudysanfrancisco within thead.example.com AD has aUSERNAME ofexample\cloudysanfrancisco.
  - EXPIRE_TIME: the time the key expires, inISO 8601 format. For example:2021-12-04T20:12:00+0000

What's next?

Learn how toconnect to VMs.
Learn how tomanage access to VMs.
Learn how totransfer files to VMs.
Learn howSSH connections to Linux VMswork on Compute Engine.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-02 UTC.

Movatterモバイル変換

Add SSH keys to VMs Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Console

gcloud

Terraform

REST

Add keys to VMs that use OS Login

Permissions required for this task

gcloud

Terraform

REST

Add SSH keys to VMs that use metadata-based SSH keys

Add SSH keys to project metadata

Permissions required for this task

Console

gcloud

Terraform

REST

Add SSH keys to instance metadata

Add SSH keys to instance metadata during VM creation

Console

gcloud

Terraform

REST

Add SSH keys to instance metadata after VM creation

Permissions required for this task

Console

gcloud

REST

What's next?

Add SSH keys to VMs