Restrict SSH keys from VMs
This document describes how to prevent users from accessing virtual machine (VM)instances by removing and blocking SSH keys from VMs.
Before you begin
- If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.For more information, seeAuthenticate for using REST in the Google Cloud authentication documentation.
Remove SSH keys
You can remove SSH keys fromVMs that use OS Login andVMs that use metadata-based SSH keys.Remove SSH keys from VMs that use OS Login
VMs that use OS Login accept SSH keys that are associated with your Googleaccount. You can remove a public SSH key from your user account using theGoogle Cloud CLI or the OS Login API. If you're an administrator for yourorganization, you can remove SSH keys from user accounts using theDirectory API.Compute Engine automatically removes expired keys from your Google Account.
gcloud
To remove a public SSH key from your account, do the following:
If you don't know which key you want to remove, run the
gcloud compute os-login describe-profilecommandto view all keys associated with your account:gcloud compute os-login describe-profile
Copy the
fingerprintvalue of the key you want to delete.Remove the key from your account using the
gcloud compute os-login ssh-keys removecommand:gcloud compute os-login ssh-keys remove --key=KEY
Replace
KEYwith the public SSH key you want toremove, or the OS Login fingerprint for the key you want to remove.
REST
To remove a public SSH key from your account, do the following:
If you don't know which key you want to remove, use the
users.getLoginProfilemethodto view all keys associated with your account:GET https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/loginProfile
Replace
ACCOUNT_EMAILwith the email addressassociated with your account.Copy the
fingerprintvalue of the key you want to delete.Remove the key from your account using the
users.sshPublicKeys.deletemethod:DELETE https://oslogin.googleapis.com/v1/users/ACCOUNT_EMAIL/sshPublicKeys/FINGERPRINT
Replace the following:
ACCOUNT_EMAIL: the email address associated withyour accountFINGERPRINT: the SHA-256 fingerprint of the key toremove
Remove SSH keys from VMs that use metadata-based keys
You can remove a public SSH key from project or instance metadata using theGoogle Cloud console, the gcloud CLI, or the Compute Engine API.
After you remove the last key from metadata for a particular user, or the lastkey in metadata for a particular user expires, Compute Engine deletes theuser's~/.ssh/authorized_keys file on the VM.
Remove a public key from project metadata
Remove a public SSH key from project metadata to remove access to all VMs in aproject.
When you remove a key from metadata using the gcloud CLI and theCompute Engine API, you must retrieve the list of existing keys, edit the listof keys to remove the unwanted keys, and overwrite the old keys with the list ofkeys you want to keep, as explained in the following section.
Permissions required for this task
To perform this task, you must have the followingpermissions:
compute.projects.setCommonInstanceMetadata
Console
To remove a public SSH key from project metadata using theGoogle Cloud console, do the following:
In the Google Cloud console, go to theMetadata page.
Click theSSH keys tab.
ClickEdit at the top ofthe page.
Navigate to the SSH key that you want to remove and click the delete button next to theSSH key.
Repeat this step for each SSH key that you want to remove.
ClickSave.
gcloud
To remove a public SSH key from project metadata using thegcloud CLI, do the following:
Run
gcloud compute project-info describecommand to get the metadata for the project:gcloud compute project-info describe
The output is similar to the following:
...metadata: ...
- key: ssh-keysvalue: |- cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}...Copy the
ssh-keysmetadata value.Create and open a new text file on your workstation.
In the file, paste the list of SSH keys that you just copied, then deleteany keys you want to remove from project metadata.
Save and close the file.
Run the
gcloud compute project-info add-metadatacommandto set the project-widessh-keysvalue:gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
Replace
KEY_FILEwith one of the following:- the path to the file you created in the previous step, if the projecthad existing SSH keys
- the path to your new public SSH key file, if the project didn't haveexisting SSH keys
REST
To remove a public SSH key from project metadata using theCompute Engine API, do the following:
Use the
projects.getmethod to get thefingerprintandssh-keysvalues from metadata.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID
Replace
PROJECT_IDwith your project ID.The response is similar to the following:
..."fingerprint": "utgYE_XWtE8=","items": [ { "key": "ssh-keys", "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}" }]...Copy the list of SSH key values and delete the keys you want to remove.
Use the
projects.setCommonInstanceMetadatato remove the SSH keys.POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata{"items": [ { "key": "ssh-keys", "value": "EXISTING_SSH_KEYS" }]"fingerprint": "FINGERPRINT"}Replace the following:
PROJECT_ID: your project IDEXISTING_SSH_KEYS: the list of the SSH keysyou want to keepFINGERPRINT: the value of thefingerprintfrom the response of theprojects.getrequest
Remove a public SSH key from instance metadata
Remove a public SSH key from instance metadata to remove access to a single VM.
When you remove a key from metadata using the gcloud CLI and theCompute Engine API, you must retrieve the list of existing keys, editthe list of keys to remove the unwanted keys, and overwrite the old keys withthe list of keys you want to keep, as explained in the following section.
Permissions required for this task
To perform this task, you must have the followingpermissions:
compute.instances.setMetadata
Console
To remove a public SSH key from instance metadata using theGoogle Cloud console, do the following:
In the Google Cloud console, go to theVM instances page.
Click the name of the VM that you want to remove a key for.
ClickEdit.
InSSH Keys section, clickShow and edit. Thesection expands to show all of the instance-level public SSH keys.
Click the delete button next to theSSH key that you want to remove.
Repeat this step for each SSH key that you want to remove.
ClickSave.
gcloud
To remove a public SSH key from instance metadata using thegcloud CLI, do the following:
Run
gcloud compute instances describecommandto get the metadata for the VM:gcloud compute instances describeVM_NAME
ReplaceVM_NAME with the name of the VM for which you need toadd or remove public SSH keys.
The output is similar to the following:
...metadata:...
- key: ssh-keysvalue: |- cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}...Copy the
ssh-keysmetadata value.Create and open a new text file on your local workstation.
In the file, paste the list of SSH keys that you just copied, then removeany keys you want to delete.
Save and close the file.
Run the
gcloud compute project-info add-metadatacommandto set the project-widessh-keysvalue:gcloud compute instances add-metadataVM_NAME --metadata-from-file ssh-keys=KEY_FILE
Replace the following:
VM_NAME: the VM you want to remove theSSH key forKEY_FILE: the path to the file that containsthe list of all project SSH keys
REST
To remove a public SSH key from instance metadata using theCompute Engine API, do the following:
Use the
instances.getmethod to get thefingerprintandssh-keysvalues from metadata.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Replace the following:
PROJECT_ID: your project IDZONE: the zone of the VM you're adding an SSHkey forVM_NAME: the VM you're adding an SSH key for
The response is similar to the following:
..."fingerprint": "utgYE_XWtE8=","items": [{ "key": "ssh-keys", "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"}]...Copy the list of SSH key values and delete the keys you want to remove.
Use the
instances.setMetadatato remove the SSH keys.POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata{"items": [ { "key": "ssh-keys", "value": "EXISTING_SSH_KEYS }]"fingerprint": "FINGERPRINT"}Replace the following:
PROJECT_ID: your project IDEXISTING_SSH_KEYS: the value of thessh-keyskey from the response of theprojects.getrequestFINGERPRINT: the value of thefingerprintfrom the response of theinstances.getrequest
Block project SSH keys from VMs that use metadata-based SSH keys
You can prevent VMs from accepting SSH keys that are stored in project metadataby blocking project SSH keys from VMs. You can block project SSH keys from VMswhen you create a VM orafter you create a VM.
Caution: Users with SSH keys in instance metadata can access VMs that blockproject SSH keys.Block project SSH keys from a VM during VM creation
You can block project SSH keys from VMs during VM creation, using theGoogle Cloud console, gcloud CLI, or Compute Engine API.
Caution: Users with SSH keys in instance metadata can access VMs that blockproject SSH keys.Console
To create an instance and block it from accepting SSH keys stored in projectmetadata using the Google Cloud console, do the following:
In the Google Cloud console, go to theCreate an instance page.
To block project SSH keys, do the following:
In the navigation menu, clickSecurity.
Expand theManage access section.
To disable OS Login, clear theControl VM access through IAM permissions checkbox.
Select theBlock project-wide SSH keys checkbox.
Optional: Specify other configuration options. For more information, seeConfiguration options during instance creation.
To create and start the instance, clickCreate.
gcloud
To create a VM and block it from accepting SSH keys stored in projectmetadata using the gcloud CLI, use thegcloud compute instances create command:
gcloud compute instances createVM_NAME \ --metadata block-project-ssh-keys=TRUE
ReplaceVM_NAME with the name of the new VM.
REST
To create a VM and block it from accepting SSH keys stored in projectmetadata using the Compute Engine, construct aPOST request to theinstances.insert method:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances
Replace the following:
PROJECT_ID: the project IDZONE: the zone of the VM
In the body of the request, provide usernames and public SSH keys in theitems property:
...{ "items": [ { "key": "block-project-ssh-keys", "value": TRUE } ]}...Block project SSH keys from a VM after VM creation
You can block project SSH keys from VMs after VM creation using theGoogle Cloud console, gcloud CLI, or Compute Engine API.
Caution: Users with SSH keys in instance metadata can access VMs that blockproject SSH keys.Permissions required for this task
To perform this task, you must have the followingpermissions:
compute.projects.setCommonInstanceMetadata
Console
To block VMs from accepting connections from SSH keys stored in projectmetadata using the Google Cloud console, do the following:
In the Google Cloud console, go to theVM instances page.
Click the name of the VM that you want to block project SSH keys for.
ClickEdit.
UnderSSH Keys, select theBlock project-wide SSH keys checkbox.
When you have finished editing the connection setting for SSH keys, clickSave.
gcloud
To block VMs from accepting connections from SSH keys stored in projectmetadata using the gcloud CLI, do the following:
Run thegcloud compute instances add-metadata command:
gcloud compute instances add-metadataVM_NAME --metadata block-project-ssh-keys=TRUE
ReplaceVM_NAME with the name of the VM for whichyou want to block project-wide public SSH keys.
REST
To block VMs from accepting connections from SSH keys stored in projectmetadata using the Compute Engine API, do the following:
Use the
instances.getmethod to get thefingerprintfrom metadata.GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
Replace the following:
PROJECT_ID: your project IDZONE: the zone of the VM you're adding an SSHkey forVM_NAME: the VM you're adding an SSH key for
The response is similar to the following:
..."fingerprint": "utgYE_XWtE8="...
Use the
instances.setMetadatamethodto setblock-project-ssh-keystoTRUE:POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata{"items": [ { "key": "block-project-ssh-keys", "value": TRUE }]"fingerprint": "FINGERPRINT"}Replace the following:
PROJECT_IDis your project IDZONEis the zone where your instance is locatedINSTANCE_NAMEis the instance where you want toblock project-wide keys.FINGERPRINT: the value of thefingerprintfrom the response of theinstances.getrequest.
What's next?
- Learn about the benefits of usingOS Login for access management.
- Connect to VMs using Google tools,so you don't have to manage your own SSH keys.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.