Bird
Raised Fist0
GCPcloud~5 mins

SSH access and metadata in GCP - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes you need to connect securely to a virtual machine in the cloud. SSH access lets you do this by opening a safe door. Metadata helps manage who can use this door and how.
When you want to securely connect to a Google Cloud virtual machine to fix or check something.
When you need to add or remove users who can access your virtual machines via SSH.
When you want to automate SSH key management for multiple virtual machines.
When you want to check or update the SSH keys stored in the virtual machine's metadata.
When you want to control SSH access without logging into each virtual machine separately.
Commands
This command adds an SSH public key to the metadata of the virtual machine named example-vm. It allows the user to connect via SSH using this key.
Terminal
gcloud compute instances add-metadata example-vm --metadata ssh-keys="user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7examplekey user@example.com" --zone us-central1-a
Expected OutputExpected
Updated [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a/instances/example-vm].
--metadata - Specifies the metadata key and value to add or update.
--zone - Specifies the zone where the virtual machine is located.
This command connects you to the example-vm virtual machine using SSH. It uses the SSH keys stored in the metadata to authenticate.
Terminal
gcloud compute ssh user@example-vm --zone us-central1-a
Expected OutputExpected
WARNING: The SSH key for user is not found locally. Generating a new SSH key. Welcome to Debian GNU/Linux 11 (bullseye)! user@example-vm:~$
--zone - Specifies the zone where the virtual machine is located.
This command shows the metadata of the example-vm virtual machine, including SSH keys and other information.
Terminal
gcloud compute instances describe example-vm --zone us-central1-a --format='get(metadata.items)'
Expected OutputExpected
[{"key": "ssh-keys", "value": "user:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7examplekey user@example.com"}]
--format - Formats the output to show only the metadata items.
Key Concept

If you remember nothing else from this pattern, remember: SSH keys stored in instance metadata control who can securely access your virtual machines.

Common Mistakes
Adding SSH keys with incorrect formatting in metadata.
The SSH key must be in the correct format 'username:ssh-rsa KEY user@host' or it will not work.
Always use the format 'username:ssh-rsa KEY user@host' when adding SSH keys to metadata.
Trying to SSH without specifying the correct zone.
The gcloud command needs the zone to find the right virtual machine.
Always include the --zone flag with the correct zone when using gcloud compute ssh.
Not updating metadata after changing SSH keys.
Old keys remain valid until metadata is updated, causing access confusion.
Update the instance metadata every time you add or remove SSH keys.
Summary
Use gcloud compute instances add-metadata to add SSH keys to a VM's metadata.
Use gcloud compute ssh with the correct zone to connect securely to the VM.
Use gcloud compute instances describe to view the current metadata including SSH keys.

Practice

(1/5)
1. What is the main purpose of SSH access in Google Cloud Platform (GCP)?
easy
A. To securely connect to virtual machine instances
B. To store large files in the cloud
C. To monitor network traffic
D. To create new virtual machines automatically

Solution

  1. Step 1: Understand SSH access

    SSH (Secure Shell) is a protocol used to securely connect to remote machines, such as virtual machines in GCP.

  2. Step 2: Identify SSH use in GCP

    In GCP, SSH access allows users to securely log into VM instances to manage and operate them.

  3. Final Answer:

    To securely connect to virtual machine instances -> Option A

  4. Quick Check:

    SSH access = secure VM connection [OK]
Hint: SSH is for secure remote login to VMs [OK]
Common Mistakes:
  • Confusing SSH with storage or monitoring services
  • Thinking SSH creates VMs instead of connecting to them
2. Which of the following is the correct way to add an SSH key to a VM instance's metadata in GCP?
easy
A. Add the SSH key to the project billing settings
B. Add the SSH key to the instance's firewall rules
C. Add the SSH key to the VM's disk storage
D. Add the SSH key to the instance's metadata under the 'ssh-keys' key

Solution

  1. Step 1: Understand where SSH keys are stored

    SSH keys are stored in metadata, which is a place to keep configuration info for VMs.

  2. Step 2: Identify correct metadata key

    The correct metadata key for SSH keys is 'ssh-keys' at the instance or project level.

  3. Final Answer:

    Add the SSH key to the instance's metadata under the 'ssh-keys' key -> Option D

  4. Quick Check:

    SSH keys stored in 'ssh-keys' metadata [OK]
Hint: SSH keys go in 'ssh-keys' metadata key [OK]
Common Mistakes:
  • Adding SSH keys to firewall rules instead of metadata
  • Trying to store SSH keys in disk storage or billing settings
3. Given the following metadata setup for a VM instance in GCP:
{"ssh-keys": "user:ssh-rsa AAAAB3Nza... user@example.com"}

What will happen when you try to SSH into this VM as 'user'?
medium
A. SSH connection will succeed using the provided public key
B. SSH connection will be denied due to missing keys
C. SSH will prompt for a password instead of using keys
D. The VM will restart automatically

Solution

  1. Step 1: Analyze the metadata content

    The metadata contains a valid SSH public key for user 'user' under 'ssh-keys'.

  2. Step 2: Understand SSH key usage

    When connecting as 'user', the VM checks the 'ssh-keys' metadata and allows access if the matching private key is used.

  3. Final Answer:

    SSH connection will succeed using the provided public key -> Option A

  4. Quick Check:

    Valid SSH key in metadata = successful SSH login [OK]
Hint: Valid SSH key in metadata allows login [OK]
Common Mistakes:
  • Assuming password prompt appears despite key presence
  • Thinking VM restarts due to SSH metadata
4. You added an SSH key to your project-wide metadata but still cannot SSH into a VM instance. What is the most likely cause?
medium
A. The firewall allows SSH traffic
B. The VM instance is turned off
C. The instance has block-project-ssh-keys set to true, blocking project keys
D. The SSH key format is incorrect in the metadata

Solution

  1. Step 1: Understand project-wide SSH keys

    Project-wide SSH keys apply to all instances unless blocked by instance settings.

  2. Step 2: Check instance metadata blocking

    If the instance metadata has 'block-project-ssh-keys' set to true, it ignores project-wide keys.

  3. Final Answer:

    The instance has block-project-ssh-keys set to true, blocking project keys -> Option C

  4. Quick Check:

    block-project-ssh-keys=true blocks project keys [OK]
Hint: Check 'block-project-ssh-keys' flag on instance [OK]
Common Mistakes:
  • Assuming firewall allows SSH means keys work
  • Ignoring instance-level metadata blocking project keys
5. You want to ensure that only specific users can SSH into a VM instance in GCP, even though project-wide SSH keys exist. Which approach is best?
hard
A. Add all users' SSH keys to project metadata and leave instance metadata empty
B. Set 'block-project-ssh-keys' to true on the instance and add allowed users' keys to instance metadata
C. Remove all SSH keys from project metadata and rely on firewall rules
D. Disable SSH access entirely on the VM instance

Solution

  1. Step 1: Understand project-wide vs instance metadata

    Project-wide SSH keys apply to all instances unless blocked by instance settings.

  2. Step 2: Control access per instance

    Setting 'block-project-ssh-keys' to true on the instance disables project keys, allowing only instance metadata keys.

  3. Step 3: Add allowed users' keys to instance metadata

    By adding only allowed users' keys to instance metadata, you restrict SSH access to them.

  4. Final Answer:

    Set 'block-project-ssh-keys' to true on the instance and add allowed users' keys to instance metadata -> Option B

  5. Quick Check:

    Block project keys + instance keys = controlled SSH access [OK]
Hint: Block project keys, use instance keys for control [OK]
Common Mistakes:
  • Relying only on firewall rules for SSH user control
  • Removing project keys without adding instance keys
  • Disabling SSH entirely when access is needed