AziZ

Reputation: 169

How to Add an SSH Key to Google Cloud using the CLI

After generating an RSA-based SSH key:

ssh-keygen -t rsa -f ~/.ssh/id_rsa -C id_rsa

#=>

Generating public/private rsa key pair.
Created directory '/. . ./.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /. . ./.ssh/.id_rsa.
Your public key has been saved in /. . ./.ssh/.id_rsa.pub.
The key fingerprint is:
SHA256:. . . id_rsa
The key's randomart image is:
+---[RSA 3072]----+
|      . . .      |
+----[SHA256]-----+

I am able to add it to my Google Cloud Platform (GCP) project's ($GCP_PROJECT_NAME) Compute metadata:

gcloud compute project-info add-metadata \
--metadata-from-file ssh-keys=./.ssh/id_rsa.pub

#=>

WARNING: The following key(s) are missing the <username> at the front
ssh-rsa . . . id_rsa

Format ssh keys following https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].

with a warning, but unable to connect to a GCP Compute instance with it.

If I:

pbcopy < ~/.ssh/id_rsa.pub

and I paste it into the GCP Console, I am able to use it.

How would I accomplish the same thing with the GCP SDK (gcloud)?

Upvotes: 4

Views: 11141

Answers (3)

Mike

Reputation: 1310

The:

WARNING: The following key(s) are missing the <username> at the front

warning is because the:

gcloud compute project-info add-metadata

command expects SSH keys to be presented as:

$USERNAME: $(cat ~/.ssh/id_rsa.pub)

instead of:

cat ~/.ssh/id_rsa.pub

If you want to add your RSA-based SSH key to your Google Cloud Project (GCP) project ($GCP_PROJECT_NAME):

  1. Make sure you're logged in as the correct user:

    gcloud config list --format="value(core.account)"
    

    if not, log in using:

    gcloud auth login
    
  2. Make sure you're connected to $GCP_PROJECT_NAME with:

    gcloud config list --format="value(core.project)"
    

    if not, switch to $GCP_PROJECT_NAME with:

    gcloud config set project $GCP_PROJECT_NAME
    
  3. Make sure the public and private key files for your RSA-based key still exist:

    ls -1 ~/.ssh/id_rsa*
    
    #=>
    
    /. . ./id_rsa
    /. . ./id_rsa.pub
    
  4. Use the following command to check all project-wide SSH keys for $GCP_PROJECT_NAME:

    gcloud compute project-info describe --format=json
    
    #=>
    
    {
      "commonInstanceMetadata": {
        . . .
        "items": [
          . . .
          {
            "key": "ssh-keys",
            "value": ". . ."
          },
          . . .
        ],
        . . .  
      }
      . . .
    }
    

    Making use of the filter() and firstof() transforms available for gcloud, we are able to grab just those project-wide SSH keys:

    gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
    
  5. If we want to avoid generating a temporary file and only use a single command to add your RSA-based SSH key to $GCP_PROJECT_NAME:

    gcloud compute project-info add-metadata \
    --metadata ssh-keys="$(gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))")
    $(whoami):$(cat ~/.ssh/id_rsa.pub)"
    
    #=>
    
    Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].
    
  6. You should now see that RSA-based SSH key in $GCP_PROJECT_NAME; check with:

    gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
    

Note: I would suggest using an Ed25519-based SSH key instead of an RSA-based SSH key:

ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)"

#=>

Generating public/private ed25519 key pair.
Enter file in which to save the key (/. . ./.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519.
Your public key has been saved in id_ed25519.pub.
The key fingerprint is:
SHA256:. . . "$(whoami)@$(hostname)"
The key's randomart image is:
+--[ED25519 256]--+
|      . . .      |
+----[SHA256]-----+

Upvotes: 5

user1409784

Reputation:

To add SSH keys to metadata, expanding on @guillaume's answer to show a specific working example with all the fiddly bits included:

1 Get the existing instance metadata

gcloud compute instances describe <instance name>

2 Copy the public SSH keys under the ssh-keys metadata value

3 Create a file and include the keys from step 2

4 Add the keys to the instance

gcloud compute instances add-metadata cos-test --metadata-from-file ssh-keys=<file from step 2>  

the file from step 2 should look like this

<user name>:ssh-rsa <long string of key data> <user name>  

On a Linux distribution with OpenSSH we would create the key with

ssh-keygen -t rsa -f ~/.ssh/<key name> -C <user name>  

If you are confused as to why gcloud wants the username pre/appended, it follows from the fact that gcloud will create a remote user and home directory based on the username appended with the key. You need to remember this when you log in, like

 ssh -v -i <path to your private key> <username>@<public ip>

Upvotes: 2

guillaume blaquiere

Reputation: 76010

You can add and remove SSH keys with the gcloud command. However, if you want to add an SSH key to the existing ones, a script is needed.

As described in the documentation, if there are existing keys in your VM metadata, you have to recover them, add the new one and set the whole package as VM metadata.

Upvotes: -1
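
Added example, not part of any answer above: a POSIX shell version of the "recover the existing keys, add the new one, set the whole package" script that the last answer calls for and that step 5 of the first answer does inline. The function names are hypothetical; the gcloud commands and flags are the ones already shown on this page, and the sketch assumes gcloud is already pointed at the right account and project.

```shell
#!/bin/sh
# Added example (not from the answers). Function names are hypothetical.
NL='
'
# format_entry USERNAME PUBKEY_LINE -> "USERNAME:<type> <base64> [comment]"
format_entry() {
  # Reject multi-line input so one call can only ever add one entry.
  case "$1$2" in *"$NL"*) echo "multi-line input" >&2; return 1 ;; esac
  # The username becomes a Linux account on the VM; keep it conservative.
  printf '%s\n' "$1" | grep -Eqx '[a-z_][a-z0-9_-]*' ||
    { echo "bad username" >&2; return 1; }
  # Accept only an OpenSSH public key line; a private key file passed by
  # mistake ("-----BEGIN ...") fails here instead of landing in metadata.
  printf '%s\n' "$2" |
    grep -Eqx '(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?' ||
    { echo "not an OpenSSH public key line" >&2; return 1; }
  printf '%s:%s\n' "$1" "$2"
}

# merge_ssh_keys EXISTING_VALUE USERNAME PUBKEY_LINE -> new ssh-keys value
merge_ssh_keys() {
  entry=$(format_entry "$2" "$3") || return 1
  # Keep every existing entry, drop blank lines and an identical entry,
  # then append the new one, so re-running does not create duplicates.
  { printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | grep -Fxv -- "$entry" || true
    printf '%s\n' "$entry"; }
}

# add_project_ssh_key USERNAME PUBKEY_FILE: read, merge, write back.
# Not atomic: an entry someone else adds between the two gcloud calls is lost.
add_project_ssh_key() {
  existing=$(gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))") || return 1
  merged=$(merge_ssh_keys "$existing" "$1" "$(cat "$2")") || return 1
  tmp=$(mktemp) || return 1
  printf '%s\n' "$merged" > "$tmp"
  gcloud compute project-info add-metadata --metadata-from-file ssh-keys="$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
# Usage: add_project_ssh_key "$(whoami)" ~/.ssh/id_ed25519.pub
```

Because merge_ssh_keys only transforms text, it can be checked against a saved copy of the current ssh-keys value before anything is written to the project.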
