Set up OS Login
This document describes how to set up OS Login and OS Login with two-factor authentication (2FA).
OS Login enables you to control access to virtual machine (VM) instances based on IAM permissions. You can use OS Login with or without 2FA, but you can't use 2FA without using OS Login. To learn more about OS Login and OS Login 2FA, including which challenge types OS Login supports, see About OS Login.
Before you begin
- If you want to use OS Login 2FA, enable 2FA on your domain or account:
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:

```sh
gcloud init
```
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.
- Set a default region and zone.
Terraform
To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.
If you're using a local shell, then create local authentication credentials for your user account:

```sh
gcloud auth application-default login
```
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
Limitations
OS Login is not supported on the following VMs:
- Windows Server and SQL Server VMs
- Fedora CoreOS VMs. To manage instance access to VMs created using these images, use the Fedora CoreOS ignition system
- OS Login 2FA isn't supported on VMs that use workforce identity federation with OS Login.
Assign OS Login IAM roles
Assign all of the required IAM roles to users who connect to VMs that have OS Login enabled.
| Role | Required users | Grant level |
|---|---|---|
| `roles/compute.osLogin` or `roles/compute.osAdminLogin` | All users | If a user requires SSH access from Google Cloud console or Google Cloud CLI, you must grant these roles at the project level, or additionally grant a role at the project level that contains the |
| `roles/iam.serviceAccountUser` | All users, if the VM has a service account | On the Service account. |
| `roles/compute.osLoginExternalUser` | Users from a different organization than the VM they're connecting to | On the Organization. This role must be granted by an organization administrator. |
Enable OS Login
You can enable OS Login or OS Login with two-factor authentication for a single VM, or all VMs in a project, by setting OS Login metadata.
When you set OS Login metadata, Compute Engine deletes the VM's `authorized_keys` files and no longer accepts connections from SSH keys that are stored in project or instance metadata.
Enable OS Login for all VMs in a project
To enable OS Login for all VMs in a project, set the following values in project metadata:
- Enable OS Login:
  - Key: `enable-oslogin`
  - Value: `TRUE`
- (Optional) Enable two-factor authentication:
  - Key: `enable-oslogin-2fa`
  - Value: `TRUE`
Enable OS Login for a single VM
To enable OS Login for a single VM, set the following values in instance metadata:
- Enable OS Login:
  - Key: `enable-oslogin`
  - Value: `TRUE`
- (Optional) Enable two-factor authentication:
  - Key: `enable-oslogin-2fa`
  - Value: `TRUE`
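As an added example (not part of the Google documentation or its tooling), the following Python audit applies the two metadata keys above to constructed project and instance metadata in the shape that `gcloud ... describe --format=json` returns under `metadata.items`. It treats an instance-level value as overriding the project-level one, and flags VMs where OS Login is off (so metadata SSH keys are still honoured) or where 2FA is set without OS Login; case-insensitive comparison of the values is an assumption.

```python
# Added example (not Google's code): audit effective OS Login settings per VM.
# Input mirrors the metadata "items" lists returned by
# `gcloud compute project-info describe --format=json` and
# `gcloud compute instances describe --format=json`; all data is constructed.

def items_to_dict(items):
    """Flatten a metadata items list of {key, value} pairs into a dict."""
    return {item["key"]: item["value"] for item in (items or [])}

def is_true(value):
    # Assumption: values are compared case-insensitively ("TRUE" in the docs).
    return value is not None and value.strip().upper() == "TRUE"

def effective_flag(key, project_meta, instance_meta):
    """Instance metadata overrides project metadata when both set the key."""
    if key in instance_meta:
        return is_true(instance_meta[key])
    return is_true(project_meta.get(key))

def audit_vm(name, project_items, instance_items):
    """Return the effective OS Login state for one VM plus any findings."""
    project_meta = items_to_dict(project_items)
    instance_meta = items_to_dict(instance_items)
    oslogin = effective_flag("enable-oslogin", project_meta, instance_meta)
    twofa = effective_flag("enable-oslogin-2fa", project_meta, instance_meta)
    findings = []
    if not oslogin:
        # Access is then governed by metadata SSH keys rather than IAM roles.
        findings.append("OS Login disabled: metadata SSH keys are honoured")
        if "ssh-keys" in instance_meta or "ssh-keys" in project_meta:
            findings.append("ssh-keys metadata present and active")
        if twofa:
            findings.append("enable-oslogin-2fa set without OS Login: no effect")
    return {"vm": name, "oslogin": oslogin, "oslogin_2fa": oslogin and twofa,
            "findings": findings}

# Constructed sample: the project enables OS Login and 2FA; two VMs override it.
PROJECT_ITEMS = [{"key": "enable-oslogin", "value": "TRUE"},
                 {"key": "enable-oslogin-2fa", "value": "TRUE"}]
INSTANCES = {
    "web-1": [],  # inherits the project-level settings
    "legacy-db": [{"key": "enable-oslogin", "value": "FALSE"},
                  {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA... alice"}],
    "bastion": [{"key": "enable-oslogin-2fa", "value": "false"}],
}

def audit_all(project_items=PROJECT_ITEMS, instances=INSTANCES):
    """Audit every VM against the shared project metadata."""
    return [audit_vm(vm, project_items, items) for vm, items in instances.items()]
```

Running `audit_all()` reports `legacy-db` as the VM that has opted back out of OS Login while still carrying an `ssh-keys` entry.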
Enable OS Login during VM creation
Enable OS Login (optionally, with 2-step verification) while creating a VM using the Google Cloud console or the gcloud CLI.
Console
Create a VM that enables OS Login and (optionally) OS Login 2FA on startup by creating a VM from a public image and specifying the following configurations:
- Expand the Advanced options section.
- Expand the Security section.
- Expand the Manage access section.
- Select Control VM access through IAM permissions.
- Optional: If you want to enable OS Login 2FA, select Require two-step verification.
- Click Create to create and start the VM.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Create a VM that enables OS Login and (optionally) OS Login 2FA on startup by running one of the following `gcloud compute instances create` commands:
To enable OS Login only, run the following command:

```sh
gcloud compute instances create VM_NAME \
    --image-family=IMAGE_FAMILY \
    --image-project=IMAGE_PROJECT \
    --metadata enable-oslogin=TRUE
```

To enable OS Login 2FA, run the following command:

```sh
gcloud compute instances create VM_NAME \
    --image-family=IMAGE_FAMILY \
    --image-project=IMAGE_PROJECT \
    --metadata enable-oslogin=TRUE,enable-oslogin-2fa=TRUE
```

Replace the following:
- `VM_NAME`: the name of the new VM.
- `IMAGE_FAMILY`: the image family of a Linux OS. This creates the VM from the most recent non-deprecated OS image. For all public image families, see Operating system details.
- `IMAGE_PROJECT`: the image project that contains the image family. Each OS has its own image project. For all public image projects, see Operating system details.
Terraform
You can apply the metadata values to your projects or VMs by using one of the following options:
Option 1: Set `enable-oslogin` in project-wide metadata so that it applies to all of the VMs in your project. Use the `google_compute_project_metadata` Terraform resource and set the `enable-oslogin` metadata value to `TRUE`:

```hcl
resource "google_compute_project_metadata" "default" {
  metadata = {
    enable-oslogin = "TRUE"
  }
}
```

Alternatively, you can set `enable-oslogin` to `FALSE` to disable OS Login.
Option 2: Set `enable-oslogin` in the metadata of a new or an existing VM. Use the `google_compute_instance` Terraform resource and set `enable-oslogin` to `TRUE`. Replace `oslogin-instance-name` with the name of your VM.

```hcl
resource "google_compute_instance" "oslogin_instance" {
  name         = "oslogin-instance-name"
  machine_type = "f1-micro"
  zone         = "us-central1-c"

  metadata = {
    enable-oslogin = "TRUE"
  }

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = "default"
    access_config {
    }
  }
}
```

Alternatively, you can set `enable-oslogin` to `FALSE` to exclude your VM from using OS Login.
Connect to VMs that have OS Login enabled
Connect to VMs that have OS Login enabled by using the methods described in Connect to Linux VMs.
When you connect to VMs that have OS Login enabled, Compute Engine uses the username that your organization administrator configured for you. If your organization administrator hasn't configured a username for you, Compute Engine generates a username in the format of `USERNAME_DOMAIN_SUFFIX`. For more information about usernames, see How OS Login works.
When you connect to VMs that have OS Login 2FA enabled, you also see a messagebased on your selected 2-step verification method or challenge type. For thephone prompt method, accept the prompts on your phone or tablet to continue. Forother methods, enter your security code or one-time password.
Troubleshoot OS Login
To find methods for diagnosing and resolving OS Login errors, see Troubleshooting OS Login.
What's next
- Learn how SSH connections to Linux VMs work on Compute Engine.
- Learn how to use SSH certificates (Preview) to connect to VMs.
- Learn how to use SSH with security keys (Preview) to further restrict access to VMs.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.