Choose an access method

If you have Linux virtual machine (VM) instances running on Google Cloud, you might need to share or restrict user or application access to your VMs.

Note: When a user connects to a VM, that user can use all of the IAM permissions granted to the service account attached to the VM.

Managing user access

OS Login

In most scenarios, we recommend using OS Login. The OS Login feature lets you use Compute Engine IAM roles to manage SSH access to Linux instances. You can add an extra layer of security by setting up OS Login with two-factor authentication, and manage access at the organization level by setting up organization policies.

To learn how to enable OS Login, see Set up OS Login.

Manage SSH keys in metadata

If you are running your own directory service for managing access, or are otherwise unable to set up OS Login, you can manually manage SSH keys in metadata.

Note: If you connect to Linux VMs using the Google Cloud console or the Google Cloud CLI, Compute Engine creates SSH keys on your behalf. For more information on how Compute Engine configures and stores keys, see About SSH connections to Linux VMs.

Risks of manual key management

Some of the risks of manual SSH key management include the following:

  • All users who connect to VMs using SSH keys stored in metadata have sudo access to VMs.
  • You must keep track of expired keys and delete keys for users who shouldn't have access to your VMs. For example, if a team member leaves your project, you must manually remove their keys from metadata, so they can't continue to access your VMs.
  • Specifying your gcloud CLI or API calls incorrectly can potentially wipe out all of the public SSH keys in your project or on your VMs, which disrupts connections for your project members.
  • Users and service accounts that have the ability to modify project metadata can add SSH keys for all VMs in the project except for VMs that block project-level SSH keys.
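As an added example (not from the original page and not Google's code), the following Python audits an `ssh-keys` metadata value for the stale-key risks listed above: entries for users who are no longer approved and entries whose expiry has passed. It assumes the `USERNAME:KEY` entry format with the optional `google-ssh {"userName":...,"expireOn":...}` suffix that Compute Engine uses for metadata keys; the function names, allow-list and sample keys are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an `ssh-keys` metadata value (key material shortened).
SAMPLE = """\
alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIalice alice@example.com
bob:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABbob google-ssh {"userName":"bob@example.com","expireOn":"2024-01-01T00:00:00+0000"}
carol:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABcarol google-ssh {"userName":"carol@example.com","expireOn":"2099-01-01T00:00:00+0000"}
mallory:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAImallory mallory@example.com
"""

def parse_entry(line):
    """Split one 'USERNAME:TYPE KEY [COMMENT]' entry into (user, expiry or None)."""
    user, sep, rest = line.partition(":")
    if not sep or not user or not rest.strip():
        raise ValueError(f"malformed entry: {line!r}")
    expiry = None
    if " google-ssh " in rest:
        meta = json.loads(rest.split(" google-ssh ", 1)[1])
        if "expireOn" in meta:
            expiry = datetime.strptime(meta["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
    return user, expiry

def audit(ssh_keys_value, allowed_users, now):
    """Return (value_to_keep, findings); findings is a list of (user, reason)."""
    keep, findings = [], []
    for line in ssh_keys_value.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            user, expiry = parse_entry(line)
        except ValueError:  # also covers bad JSON and bad timestamps
            findings.append(("?", "malformed"))
            continue
        if user not in allowed_users:
            findings.append((user, "not in allow-list"))
        elif expiry is not None and expiry <= now:
            findings.append((user, "expired"))
        else:
            keep.append(line)
    # The result holds every entry that should stay, not only the changed ones.
    return "\n".join(keep), findings

if __name__ == "__main__":
    value, findings = audit(SAMPLE, {"alice", "bob", "carol"}, datetime.now(timezone.utc))
    for user, reason in findings:
        print(f"remove {user}: {reason}")
    print(value)
```

Review the findings before writing anything back, and write back the complete retained value so that a partial update does not drop keys that should remain.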

If you aren't sure that you want to manage your own keys, use Compute Engine tools to connect to your instances instead.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-02 UTC.