gcloud compute scp

NAME
gcloud compute scp - copy files to and from Google Compute Engine virtual machines via scp
SYNOPSIS
gcloud compute scp[[USER@]INSTANCE:]SRC[[[USER@]INSTANCE:]SRC …][[USER@]INSTANCE:]DEST[--compress][--dry-run][--force-key-file-overwrite][--plain][--port=PORT][--recurse][--scp-flag=SCP_FLAG][--ssh-key-file=SSH_KEY_FILE][--strict-host-key-checking=STRICT_HOST_KEY_CHECKING][--zone=ZONE][--internal-ip    |--tunnel-through-iap][--network=NETWORK--region=REGION :--dest-group=DEST_GROUP][--ssh-key-expiration=SSH_KEY_EXPIRATION    |--ssh-key-expire-after=SSH_KEY_EXPIRE_AFTER][GCLOUD_WIDE_FLAG]
DESCRIPTION
gcloud compute scp securely copies files between a virtual machineinstance and your local machine using the scp command.

This command works for Linux VMs and Windows Server 2019 and later VMs that haveSSHenabled.

In order to set up a successful transfer, follow these guidelines:

  • Prefix remote file names with the virtual machine instance name (e.g.,example-instance:~/FILE).
  • Local file names can be used as is (e.g., ~/FILE).
  • File names containing a colon (``:´´) must be invoked by eithertheir absolute path or a path that begins with ``./´´.
  • When the destination of your transfer is local, all source files must be fromthe same virtual machine.
  • When the destination of your transfer is remote instead, all sources must belocal.
  • When the destination is Windows Server, the source must be using a similar SSHversion.

Under the covers,scp(1) is used to facilitate the transfer.

If the--region and--network flags are provided, then--plain and--tunnel-through-iap are implied and anyremote file names must be prefixed with the remote IP address instead of theinstance name. This is most useful for connecting to on-prem resources.

EXAMPLES
To copy a remote directory,~/narnia, fromexample-instance to the~/wardrobe directory of your local host, run:
gcloudcomputescp--recurseexample-instance:~/narnia~/wardrobe

Conversely, files from your local computer can be copied to a virtual machine:

gcloudcomputescp~/localtest.txt~/localtest2.txtexample-instance:~/narnia

Remote Windows-based virtual machines require you to provide a path usingbackslash notation:

gcloudcomputescp~/localtest.txt~/localtest2.txtexample-windows-instance:"C:\Users\Public"

Paths for remote Windows-based virtual machines which contain spaces indirectory name should be appropriately protected with a pair of nested singleand double quotes:

gcloudcomputescp~/localtest.txt'example-windows-instance:"C:\Users\Public\Test Folder"'

If the zone cannot be determined, you will be prompted for it. Use the--zone flag to avoid being prompted:

gcloudcomputescp--recurseexample-instance:~/narnia~/wardrobe--zone=us-central1-a

To specify the project, zone, and recurse all together, run:

gcloudcomputescp--project="my-gcp-project"--zone="us-east1-b"--recurse~/foo-folder/gcp-instance-name:~/

You can limit the allowed time to ssh. For example, to allow a key to be usedthrough 2019:

gcloudcomputescp--recurseexample-instance:~/narnia~/wardrobe--ssh-key-expiration="2020-01-01T00:00:00:00Z"

Or alternatively, allow access for the next two minutes:

gcloudcomputescp--recurseexample-instance:~/narnia~/wardrobe--ssh-key-expire-after=2m

To use the IP address of your remote VM (eg, for on-prem), you must also specifythe--region and--network flags:

gcloudcomputescp10.1.2.3:~/narnia~/wardrobe--region=us-central1--network=default
POSITIONAL ARGUMENTS
[[USER@]INSTANCE:]SRC [[[USER@]INSTANCE:]SRC …]
Specifies the files to copy.
[[USER@]INSTANCE:]DEST
Specifies a destination for the source files.
FLAGS
--compress
Enable compression.
--dry-run
Print the equivalent scp/ssh command that would be run to stdout, instead ofexecuting it.
--force-key-file-overwrite
If enabled, the gcloud command-line tool will regenerate and overwrite the filesassociated with a broken SSH key without asking for confirmation in bothinteractive and non-interactive environments.

If disabled, the files associated with a broken SSH key will not be regeneratedand will fail in both interactive and non-interactive environments.

--plain
Suppress the automatic addition ofssh(1)/scp(1)flags. This flag is useful if you want to take care of authentication yourselfor use specific ssh/scp features.
--port=PORT
The port to connect to.
--recurse
Upload directories recursively.
--scp-flag=SCP_FLAG
Extra flag to be sent to scp. This flag may be repeated.
--ssh-key-file=SSH_KEY_FILE
The path to the SSH key file. By default, this is~/.ssh/google_compute_engine.
--strict-host-key-checking=STRICT_HOST_KEY_CHECKING
Override the default behavior of StrictHostKeyChecking for the connection. Bydefault, StrictHostKeyChecking is set to 'no' the first time you connect to aninstance, and will be set to 'yes' for all subsequent connections.STRICT_HOST_KEY_CHECKING must be one of:yes,no,ask.
--zone=ZONE
The zone of the instance to copy files to/from.

If not specified and thecompute/zoneproperty isn't set, you might be prompted to select a zone (interactive modeonly).

To avoid prompting when this flag is omitted, you can set thecompute/zone property:

gcloudconfigsetcompute/zoneZONE

A list of zones can be fetched by running:

gcloudcomputezoneslist

To unset the property, run:

gcloudconfigunsetcompute/zone

Alternatively, the zone can be stored in the environment variableCLOUDSDK_COMPUTE_ZONE.

At most one of these can be specified:
--internal-ip
Connect to instances using their internal IP addresses rather than theirexternal IP addresses. Use this to connect from one instance to another on thesame VPC network, over a VPN connection, or between two peered VPC networks.

For this connection to work, you must configure your networks and firewall toallow SSH connections to the internal IP address of the instance to which youwant to connect.

To learn how to use this flag, seehttps://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances.

--tunnel-through-iap
Tunnel the ssh connection through Cloud Identity-Aware Proxy for TCP forwarding.

To learn more, see theIAP for TCPforwarding documentation.

--network=NETWORK
Configures the VPC network to use when connecting via IP address or FQDN.
--region=REGION
Configures the region to use when connecting via IP address or FQDN.
--dest-group=DEST_GROUP
Configures the destination group to use when connecting via IP address or FQDN.
At most one of these can be specified:
--ssh-key-expiration=SSH_KEY_EXPIRATION
The time when the ssh key will be valid until, such as"2017-08-29T18:52:51.142Z." This is only valid if the instance is not using OSLogin. See $gcloud topicdatetimes for information on time formats.
--ssh-key-expire-after=SSH_KEY_EXPIRE_AFTER
The maximum length of time an SSH key is valid for once created and installed,e.g. 2m for 2 minutes. See $gcloud topic datetimes forinformation on duration formats.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
These variants are also available:
gcloudalphacomputescp
gcloudbetacomputescp

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.