About SSH connections

Compute Engine uses key-based SSH authentication to establish connections to Linux virtual machine (VM) instances and additionally supports certificate-based authentication for OS Login VMs. You can optionally enable SSH for Windows VMs. By default, passwords aren't configured for local users on Linux VMs.

Before you can connect to a VM, several configurations must be performed. If you use the Google Cloud console or the Google Cloud CLI to connect to your VMs, Compute Engine performs these configurations on your behalf. Compute Engine performs different configurations depending on which tool you use to connect and whether you manage access to VMs through metadata or OS Login. OS Login is available only for Linux VMs.

Note: When a user connects to a VM, that user can use all of the IAM permissions granted to the service account attached to the VM.

Metadata-managed SSH connections

By default, Compute Engine uses custom project and/or instance metadata to configure SSH keys and to manage SSH access. All Windows VMs use metadata to manage SSH keys, while Linux VMs can use metadata keys or OS Login. If you use OS Login, metadata SSH keys are disabled.

Click each tab to learn more about the configurations Compute Engine performs before it grants SSH connections when you use the Google Cloud console, the gcloud CLI, or third-party tools to connect to VMs. If you connect to VMs without using the Google Cloud console or the gcloud CLI, you must perform some configurations yourself.

Console

  1. You use the SSH button in the Google Cloud console to connect to your VM.
  2. Compute Engine sets a username and creates an ephemeral SSH key pair with the following configuration:
  3. Compute Engine authenticates your SSH key and grants your connection.
  4. Compute Engine uploads the public SSH key and username to metadata.
  5. Compute Engine retrieves the SSH key and username from metadata, creates a user account with the username, and on Linux VMs, stores the public key in your user's ~/.ssh/authorized_keys file on the VM. On Windows VMs, Compute Engine doesn't store the public key on the VM.
  6. Compute Engine grants your connection.

gcloud

  1. You use the gcloud compute ssh command to connect to your VM.
  2. Compute Engine sets a username and creates a persistent SSH key pair with the following configurations:
  3. Compute Engine authenticates your SSH key and grants your connection.
  4. Compute Engine uploads the public SSH key and username to metadata.
  5. Compute Engine retrieves the SSH key and username from metadata, creates a user account with the username, and on Linux VMs, stores the public key in your user's ~/.ssh/authorized_keys file on the VM. On Windows VMs, Compute Engine doesn't store the public key on the VM.
  6. Compute Engine grants your connection.

Third-party tools

  1. You create an SSH key pair and username. See Create SSH keys for details.
  2. You upload the public key and username to metadata. See Add SSH keys to VMs that use metadata-based SSH keys for details.
  3. You connect to the VM.
  4. Compute Engine retrieves the SSH key and username from metadata, creates a user account with the username, and on Linux VMs, stores the public key in your user's ~/.ssh/authorized_keys file on the VM. On Windows VMs, Compute Engine doesn't store the public key on the VM.
  5. Compute Engine grants your connection.
Note: Google doesn't have access to your private key.

OS Login-managed SSH connections

Note: OS Login is only available for Linux VMs.

When you set OS Login metadata, Compute Engine deletes the VM's authorized_keys files and no longer accepts connections from SSH keys that are stored in project or instance metadata. OS Login supports connections from SSH keys that are associated with your Google Account, and SSH certificates that are signed by the OS Login certificate authority. You can optionally require OS Login to only allow connections using SSH certificates, as described in Require SSH certificates with OS Login.
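To audit which of the two access models applies to a VM, the following added example (not part of the original page or of Google's tooling) evaluates project and instance metadata and lists the metadata SSH keys that would still be accepted. It assumes the `enable-oslogin`, `ssh-keys` and `block-project-ssh-keys` metadata keys, treats only the value `true` (any case) as enabled, ignores organization policy, and runs on constructed sample metadata.

```python
import json
from datetime import datetime, timezone

def oslogin_enabled(project_md, instance_md):
    """Instance-level enable-oslogin takes precedence over the project-level value."""
    for md in (instance_md, project_md):
        if "enable-oslogin" in md:
            return md["enable-oslogin"].strip().lower() == "true"
    return False

def parse_ssh_keys(value):
    """Parse the lines of an ssh-keys metadata value: USERNAME:TYPE KEY [COMMENT]."""
    entries = []
    for line in filter(None, (l.strip() for l in value.splitlines())):
        user, _, key = line.partition(":")
        expires = None
        if " google-ssh " in key:  # expiring form ends: google-ssh {"userName":..., "expireOn":...}
            info = json.loads(key.split(" google-ssh ", 1)[1])
            expires = datetime.strptime(info["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
        entries.append({"user": user, "type": key.split()[0], "expires": expires})
    return entries

def effective_metadata_keys(project_md, instance_md, now):
    """Return the metadata SSH keys a VM would still accept at time `now`."""
    if oslogin_enabled(project_md, instance_md):
        return []  # OS Login in effect: metadata keys are not accepted
    keys = parse_ssh_keys(instance_md.get("ssh-keys", ""))
    if instance_md.get("block-project-ssh-keys", "").strip().lower() != "true":
        keys += parse_ssh_keys(project_md.get("ssh-keys", ""))
    return [k for k in keys if k["expires"] is None or k["expires"] > now]

# Constructed sample metadata (key material is a placeholder, not a real key).
PROJECT_MD = {"ssh-keys": "\n".join([
    "alice:ssh-ed25519 AAAAC3PLACEHOLDER alice",
    'bob:ssh-rsa AAAAB3PLACEHOLDER google-ssh {"userName":"bob","expireOn":"2024-01-01T00:00:00+0000"}',
])}
VM_OSLOGIN = {"enable-oslogin": "TRUE", "ssh-keys": "carol:ssh-ed25519 AAAAC3PLACEHOLDER carol"}
VM_METADATA = {"ssh-keys": "carol:ssh-ed25519 AAAAC3PLACEHOLDER carol"}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, vm in (("vm-oslogin", VM_OSLOGIN), ("vm-metadata", VM_METADATA)):
        users = [k["user"] for k in effective_metadata_keys(PROJECT_MD, vm, NOW)]
        print(name, "OS Login" if oslogin_enabled(PROJECT_MD, vm) else "metadata keys", users)
```

Keys without an `expireOn` value, such as the constructed `alice` and `carol` entries, stay valid until someone removes them from metadata, so they are the ones to review first.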

SSH key connections

Click each tab to learn more about the configurations Compute Engine performs before it grants SSH connections when you use SSH keys to connect to VMs. Compute Engine performs different configurations depending on if you use the Google Cloud console, the gcloud CLI, or third-party tools to connect to VMs. If you connect using third-party tools, you must perform some configurations yourself.

Console

  1. You use the SSH button in the Google Cloud console to connect to your VM.
  2. Compute Engine sets a username and creates an ephemeral SSH key pair with the following configuration:
    • Your username is the username set by your organization's Cloud Identity or Google Workspace administrator. If your organization hasn't configured a username for you, or your project doesn't belong to an organization, Compute Engine uses your Google Account email, in the following format:

      USERNAME_DOMAIN_SUFFIX
      For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.

    • Your public SSH key is stored in your browser session and in your Google Account.
    • Your private SSH key is stored in your browser session.
    • Your SSH key has an expiry of three minutes. Three minutes after Compute Engine creates the key, you can't use the SSH key to connect to the VM anymore.
  3. Compute Engine authenticates your SSH key and grants your connection.

gcloud

  1. You use the gcloud compute ssh command to connect to your VM.
  2. Compute Engine sets a username and creates a persistent SSH key pair with the following configurations:
    • Your username is the username set by your organization's Cloud Identity or Google Workspace administrator. If your organization hasn't configured a username for you, Compute Engine uses your Google Account email, in the following format:

      USERNAME_DOMAIN_SUFFIX
      For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.

    • Your public SSH key is stored in your Google Account.
    • Your private SSH key is stored on your local machine in the google_compute_engine file.
    • Your SSH key doesn't have an expiry. It is used for all future SSH connections you make, unless you configure a new key.
  3. Compute Engine authenticates your SSH key and grants your connection.

Third-party tools

  1. You create an SSH key pair. See Create SSH keys for details.
  2. You upload your public SSH key to your OS Login profile. See Add keys to VMs that use OS Login for details.
    • Compute Engine stores your key in your Google Account.
    • Compute Engine configures your username in the default format:
      USERNAME_DOMAIN_SUFFIX
      For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.
  3. You optionally set a username with the Google Workspace Admin SDK Directory API.
  4. You connect to the VM.
  5. Compute Engine authenticates your SSH key and grants your connection.

SSH certificate connections

Click each tab to learn more about the configurations Compute Engine performs before it grants SSH connections when you use SSH certificates to connect to VMs. Compute Engine performs different configurations depending on if you use the Google Cloud console, the gcloud CLI, or third-party tools to connect to VMs. If you connect using third-party tools, you must perform some configurations yourself.

Console

  1. You use the SSH button in the Google Cloud console to connect to your VM.
  2. Compute Engine sets a username and creates an ephemeral SSH key pair. Your username is the username set by your organization's Cloud Identity or Google Workspace administrator. If your organization hasn't configured a username for you, or your project doesn't belong to an organization, Compute Engine uses your Google Account email, in the following format:

    USERNAME_DOMAIN_SUFFIX
    For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.

  3. Compute Engine sends your public key to the OS Login certificate authority and performs IAM authorization to ensure you have the permissions to connect to the VM.
  4. The OS Login certificate authority provides a short-lived signed SSH certificate.
  5. Compute Engine authenticates your short-lived certificate and grants your connection.

gcloud

  1. You use the gcloud beta compute ssh command to connect to your VM.
  2. Compute Engine sets a username and creates an ephemeral SSH key pair. Your username is the username set by your organization's Cloud Identity or Google Workspace administrator. If your organization hasn't configured a username for you, or your project doesn't belong to an organization, Compute Engine uses your Google Account email, in the following format:

    USERNAME_DOMAIN_SUFFIX
    For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.

  3. Compute Engine sends your public key to the OS Login certificate authority and performs IAM authorization to ensure you have the permissions to connect to the VM.
  4. The OS Login certificate authority provides a short-lived signed SSH certificate.
  5. Compute Engine authenticates your short-lived certificate and grants your connection.

Third-party tools

  1. You create an SSH key pair. See Create SSH keys for details.
  2. If you haven't previously connected to a VM that uses OS Login, you provision a POSIX account.
  3. Compute Engine configures your username in the default format:
    USERNAME_DOMAIN_SUFFIX
    For example, if the email associated with your Google Account is cloudysanfrancisco@gmail.com, then your generated username is cloudysanfrancisco_gmail_com.
  4. Your administrator can optionally set a username with the Google Workspace Admin SDK Directory API. If your organization uses workforce identity federation, you must contact your administrator to change your username instead.
  5. You send your public key to the OS Login certificate authority.
  6. The OS Login certificate authority provides a short-lived signed SSH certificate.
  7. You use the certificate to connect to the VM.
  8. Compute Engine authenticates your short-lived certificate and grants your connection.
Note: Google doesn't have access to your private key.
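
When you connect with third-party tools, you can inspect the certificate the certificate authority returned before you use it. The following added example (not from the original page) decodes the principals and validity window from an OpenSSH certificate line and checks them against an expected username and a maximum lifetime. It assumes the certificate follows the standard OpenSSH certificate layout and lists your POSIX username as a principal; `max_lifetime` is a hypothetical policy value, the sample certificate is constructed, and the CA signature is not verified here (sshd on the VM does that).

```python
import base64, struct
from datetime import timedelta

KEY_FIELDS = {"ssh-ed25519": 1, "ssh-dss": 4}  # public-key fields per type; RSA and ECDSA have 2

def _string(buf, off):
    """Read one length-prefixed SSH string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Decode the unauthenticated fields of an OpenSSH certificate line (signature NOT verified)."""
    blob = base64.b64decode(line.split()[1])
    raw_type, off = _string(blob, 0)
    key_type = raw_type.decode()
    if not key_type.endswith("-cert-v01@openssh.com"):
        raise ValueError("not an OpenSSH certificate")
    for _ in range(1 + KEY_FIELDS.get(key_type.split("-cert-")[0], 2)):  # nonce + key fields
        _, off = _string(blob, off)
    _serial, cert_type = struct.unpack_from(">QI", blob, off)
    key_id, off = _string(blob, off + 12)
    plist, off = _string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(plist):
        name, p = _string(plist, p)
        principals.append(name.decode())
    return {"type": cert_type, "key_id": key_id.decode(), "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}

def check_cert(cert, username, now, max_lifetime=timedelta(hours=1)):
    """Return the reasons a certificate fails the checks; an empty list means it passes."""
    checks = [
        (cert["type"] == 1, "not a user certificate"),
        (username in cert["principals"], "username is not a listed principal"),
        (cert["valid_after"] <= now.timestamp() < cert["valid_before"], "outside validity window"),
        (cert["valid_before"] - cert["valid_after"] <= max_lifetime.total_seconds(), "lifetime too long"),
    ]
    return [reason for ok, reason in checks if not ok]

def build_sample(principal, after, before):
    """Constructed ed25519 user certificate with zeroed key and empty signature fields."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = (s(b"ssh-ed25519-cert-v01@openssh.com") + s(bytes(32)) + s(bytes(32))
            + struct.pack(">QI", 1, 1) + s(b"sample-key-id") + s(s(principal.encode()))
            + struct.pack(">QQ", after, before) + s(b"") * 5)
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

Pass `parse_cert` the contents of the certificate file and `check_cert` a timezone-aware `datetime`; a certificate with no expiry encodes `valid_before` as the maximum 64-bit value and is reported as `lifetime too long`.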

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-09 UTC.