Ora

How to add an SSH key to a GCP VM?

Published in GCP VM Access 5 mins read

Adding an SSH (Secure Shell) key to your Google Cloud Platform (GCP) Virtual Machine (VM) is a fundamental security practice, allowing you to connect to your instances securely without relying on passwords. This method provides robust authentication and is highly recommended for all your server interactions.

What is an SSH Key Pair?

An SSH key pair consists of two parts:

  • Public Key: This key is placed on your GCP VM instance. It can be shared and does not grant access on its own.
  • Private Key: This key remains on your local machine and must be kept absolutely secret. When you attempt to connect, your client uses this key to prove your identity to the VM.

How to Add SSH Key to GCP VM

There are two primary methods to add SSH keys to your GCP VMs: instance-specific keys (for individual VMs) and project-wide keys (for all VMs within a project). Before you add a key, you'll need to generate an SSH key pair.

1. Generating an SSH Key Pair

If you don't already have an SSH key pair, you'll need to generate one on your local machine.

Step-by-Step Key Generation

  1. Open a Terminal or PowerShell: On Linux/macOS, use the terminal. On Windows, use Git Bash, WSL, or PowerShell.
  2. Run the ssh-keygen command:
    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    • -t rsa: Specifies the RSA algorithm.
    • -b 4096: Sets the key size to 4096 bits for enhanced security (recommended).
    • -C "your_email@example.com": Adds a comment to your public key, which helps identify it. Replace with your actual username or email.
  3. Choose a file to save the key: By default, it saves to ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key). You can press Enter to accept the default or specify a new path.
  4. Enter a passphrase (recommended): You will be prompted to enter a passphrase. This encrypts your private key, adding an extra layer of security. Always use a strong passphrase.
  5. Verify key creation: After generation, you should find two files in your ~/.ssh directory (or wherever you specified):
    • id_rsa (your private key)
    • id_rsa.pub (your public key)

Note: For a comprehensive guide on generating SSH keys across different operating systems, refer to the Google Cloud documentation on SSH keys.

2. Adding Instance-Specific SSH Keys (via Google Cloud Console)

This method allows you to add an SSH key to a single VM instance, providing granular control.

Process for Adding Instance-Specific Keys

  1. Go to the VM instances page: In the Google Cloud console, navigate to Compute Engine > VM instances.
  2. Select your VM: Click the name of the VM that you want to add an SSH key for.
  3. Edit VM Details: On the VM instance details page, click the Edit button at the top.
  4. Locate SSH Keys section: Scroll down to the SSH Keys section.
  5. Add your public key:
    • Click Add item.
    • Paste the entire content of your public key file (id_rsa.pub) into the provided text box. The format should be similar to:
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD... your_email@example.com

      Make sure to include the ssh-rsa prefix and the comment at the end.

  6. Save Changes: Click the Save button at the bottom of the page to apply the changes.

After saving, GCP will automatically add your public key to the VM's metadata, making it accessible for authentication.

3. Adding Project-Wide SSH Keys (via Google Cloud Console)

Project-wide SSH keys apply to all VM instances within a specific GCP project, making them ideal for managing access to multiple VMs simultaneously.

Process for Adding Project-Wide Keys

  1. Go to Project Metadata: In the Google Cloud console, navigate to Compute Engine > Metadata.
  2. Select SSH Keys Tab: Click on the SSH Keys tab.
  3. Add SSH key: Click Add SSH key.
  4. Paste your public key: Paste the entire content of your public key file (id_rsa.pub) into the text box. The format is the same as for instance-specific keys.
  5. Save: Click Save to apply the project-wide key.

Any new or existing VM instance in the project (unless explicitly blocked by instance-specific metadata) will now recognize this key for authentication.

Important Considerations and Best Practices

  • Permissions for Private Key: Ensure your private key file (id_rsa) on your local machine has restrictive permissions (e.g., chmod 400 ~/.ssh/id_rsa on Linux/macOS) to prevent unauthorized access.
  • Passphrases are Crucial: Always protect your private key with a strong passphrase. This prevents anyone who gains access to your local machine from immediately using your SSH key.
  • Connecting to Your VM: Once the public key is added, you can connect to your VM using the SSH command:
    ssh -i ~/.ssh/path/to/your_private_key your_username@external_ip_address

    Replace ~/.ssh/path/to/your_private_key with the actual path to your private key file (e.g., ~/.ssh/id_rsa).
    The your_username part is typically the username associated with your SSH key comment, or your GCP username.

  • Usernames: When adding SSH keys, GCP often associates the key with a username derived from the key's comment. If no comment is provided, it might default to the user or a generated username. Be mindful of which username to use when connecting.
  • Key Rotation: For enhanced security, consider rotating your SSH keys periodically.
  • Avoid Root Access: Do not use root as the username for your SSH key unless absolutely necessary. Create a less privileged user and use sudo for administrative tasks.
  • Metadata Caching: It might take a few moments for the metadata changes (including new SSH keys) to propagate to the VM instance. If you encounter issues immediately after adding a key, wait a minute or two and try again.
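
A check to run on the public key line before pasting it into the console, as an added example (not from the original article or from Google's tooling): it parses the `ssh-rsa <base64> <comment>` format shown above, reads the RSA modulus size out of the key data, and flags a private key pasted by mistake, a missing comment, or `root` in the comment. The function names, the sample-key builder, and the rule that the user is the comment text before `@` are assumptions made for this example.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # key size the page asks ssh-keygen for (-b 4096)


def read_field(blob, offset):
    """Read one length-prefixed field of the SSH public key wire format."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def check_public_key_line(line):
    """Return the problems found in one '<type> <base64> <comment>' line."""
    if "PRIVATE KEY" in line:
        return ["this is a private key; never paste it into metadata"]
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return ["expected '<type> <base64 key> <comment>'"]
    problems = []
    try:
        blob = base64.b64decode(parts[1], validate=True)
        inner_type, pos = read_field(blob, 0)
        if inner_type != parts[0].encode():
            problems.append("prefix does not match the type inside the key")
        elif parts[0] == "ssh-rsa":
            _exponent, pos = read_field(blob, pos)
            modulus, _ = read_field(blob, pos)
            bits = int.from_bytes(modulus, "big").bit_length()
            if bits < MIN_RSA_BITS:
                problems.append(f"RSA key is {bits} bits, below {MIN_RSA_BITS}")
    except (ValueError, struct.error):
        problems.append("key data is not valid SSH public key material")
    if len(parts) < 3:
        problems.append("comment is missing")
    elif parts[2].split("@")[0] == "root":  # assumption: user = comment before '@'
        problems.append("comment names root as the user")
    return problems


def sample_rsa_line(bits, comment):
    """Constructed sample: well-formed ssh-rsa line with a dummy modulus."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + b"\xc5" * (bits // 8)  # leading zero keeps it positive
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

To check a real key, pass the single line read from `~/.ssh/id_rsa.pub` to `check_public_key_line`; an empty list means none of these problems were found.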

By following these steps, you can securely manage access to your GCP VM instances using SSH keys.