2

After generating an RSA-based SSH key:

ssh-keygen -t rsa -f ~/.ssh/id_rsa -C id_rsa

#=>

Generating public/private rsa key pair.
Created directory '/. . ./.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /. . ./.ssh/.id_rsa.
Your public key has been saved in /. . ./.ssh/.id_rsa.pub.
The key fingerprint is:
SHA256:. . . id_rsa
The key's randomart image is:
+---[RSA 3072]----+
|      . . .      |
+----[SHA256]-----+

I am able to add it to my Google Cloud Platform (GCP) project's ($GCP_PROJECT_NAME) Compute metadata:

gcloud compute project-info add-metadata \
--metadata-from-file ssh-keys=./.ssh/id_rsa.pub

#=>

WARNING: The following key(s) are missing the <username> at the front
ssh-rsa . . . id_rsa

Format ssh keys following https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].

with a warning, but unable to connect to a GCP Compute instance with it.

If I:

pbcopy < ~/.ssh/id_rsa.pub

and I paste it into the GCP Console, I am able to use it.

How would I accomplish the same thing with the GCP SDK (gcloud)?

Mike
AziZ
  • Show the last line of your public key. This is where the username part should be present OR just add the public key to your question. – John Hanley Nov 28 '19 at 16:37
  • I do not get it. How can I add a username? – AziZ Nov 28 '19 at 16:43
  • The format of SSH public keys is documented on the Internet. Basically, on the last line add ` myusername`. However, this depends on the format of the key. You might even be using the wrong public key format. – John Hanley Nov 28 '19 at 16:47
  • I am not sure which document you are following to add/remove SSH keys in metadata. The help center article about '[Managing SSH keys in metadata](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys)' seems to be pretty straightforward. Have you checked the '[creating a new SSH key](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#createsshkeys)' section in that document? To add or remove project-wide public SSH keys, you can refer to [this section](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#project-wide). – Digil Nov 28 '19 at 17:24
  • Thank you for your response. My problem is how to upload an SSH key via the gcloud CLI. I read these two links really carefully. Could you please tell me how to upload an SSH key to metadata? – AziZ Nov 28 '19 at 17:31
  • You need to click on the 'GCLOUD' tab of the '[Adding or removing project-wide public SSH keys](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys#project-wide)' – Digil Nov 29 '19 at 17:45

3 Answers

4

The:

WARNING: The following key(s) are missing the <username> at the front

warning is because the:

gcloud compute project-info add-metadata

command expects SSH keys to be presented as:

$USERNAME:$(cat ~/.ssh/id_rsa.pub)

instead of:

cat ~/.ssh/id_rsa.pub

If you want to add your RSA-based SSH key to your Google Cloud Project (GCP) project ($GCP_PROJECT_NAME):

  1. Make sure you're logged in as the correct user:

    gcloud config list --format="value(core.account)"
    

    if not, log in using:

    gcloud auth login
    
  2. Make sure you're connected to $GCP_PROJECT_NAME with:

    gcloud config list --format="value(core.project)"
    

    if not, switch to $GCP_PROJECT_NAME with:

    gcloud config set project $GCP_PROJECT_NAME
    
  3. Make sure the public and private key files for your RSA-based key still exist:

    ls -1 ~/.ssh/id_rsa*
    
    #=>
    
    /. . ./id_rsa
    /. . ./id_rsa.pub
    
  4. Use the following command to check all project-wide SSH keys for $GCP_PROJECT_NAME:

    gcloud compute project-info describe --format=json
    
    #=>
    
    {
      "commonInstanceMetadata": {
        . . .
        "items": [
          . . .
          {
            "key": "ssh-keys",
            "value": ". . ."
          },
          . . .
        ],
        . . .  
      }
      . . .
    }
    

    Making use of the filter() and firstof() transforms available for gcloud, we are able to grab just those project-wide SSH keys:

    gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
    
  5. If we want to avoid generating a temporary file and only use a single command to add your RSA-based SSH key to $GCP_PROJECT_NAME:

    gcloud compute project-info add-metadata \
    --metadata ssh-keys="$(gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))")
    $(whoami):$(cat ~/.ssh/id_rsa.pub)"
    
    #=>
    
    Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].
    
  6. You should now see that RSA-based SSH key in $GCP_PROJECT_NAME; check with:

    gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
    

Note: I would suggest using an Ed25519-based SSH key instead of an RSA-based SSH key:

ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)"

#=>

Generating public/private ed25519 key pair.
Enter file in which to save the key (/. . ./.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519.
Your public key has been saved in id_ed25519.pub.
The key fingerprint is:
SHA256:. . . "$(whoami)@$(hostname)"
The key's randomart image is:
+--[ED25519 256]--+
|      . . .      |
+----[SHA256]-----+
Mike
2

To add SSH keys to metadata, expanding on @guillaume to show a specific working example with all the fiddly bits included:

1. Get the existing instance metadata

gcloud compute instances describe <instance name>

2. Copy the public SSH keys under the ssh-keys metadata value

3. Create a file and include the keys from step 2

4. Add the keys to the instance

gcloud compute instances add-metadata cos-test --metadata-from-file ssh-keys=<file from step 2>  

The file from step 2 should look like this:

<user name>:ssh-rsa <long string of key data> <user name>

On a Linux distribution with OpenSSH, we would create the key with:

ssh-keygen -t rsa -f ~/.ssh/<key name> -C <user name>

If you are confused as to why gcloud wants the username pre/appended: it follows from gcloud creating a remote user and home directory based on the username appended with the key. You need to remember this when you log in, like:

 ssh -v -i <path to your private key> <username>@<public ip>
Nigel Savage
-1

You can add and remove SSH keys with the gcloud command. However, if you want to add an SSH key to the existing one, a script is needed.

As described in the documentation, if there are existing keys in your VM metadata, you have to recover them, add the new one and set the whole package as VM metadata.

guillaume blaquiere
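The merge that the answers above describe (read the existing `ssh-keys` value, append a `USERNAME:KEY` entry, write the whole value back), as an added example that is not part of the original answers. The function names and the accepted username characters are assumptions made here; the gcloud commands are the ones shown in the first answer.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of gcloud.

# Turn one OpenSSH public key line into a metadata entry "USERNAME:KEY".
# Rejects multi-line input and anything that is not a public key, so a
# private key file passed by mistake never reaches project metadata.
format_key_entry() {
  local user="$1" pub="$2"
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid username: $user" >&2; return 1 ;;
  esac
  if [ "$(printf '%s\n' "$pub" | wc -l)" -ne 1 ]; then
    echo "expected exactly one public key line" >&2; return 1
  fi
  case "$pub" in
    ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp???\ AAAA*) ;;
    *) echo "not an OpenSSH public key" >&2; return 1 ;;
  esac
  printf '%s:%s\n' "$user" "$pub"
}

# Keep every existing entry and append the new one. Blank lines are dropped
# and an entry is a duplicate when "USERNAME:TYPE" and the key blob match,
# whatever the trailing comment says.
merge_ssh_keys() {
  printf '%s\n%s\n' "$1" "$2" | awk 'NF && !seen[$1 " " $2]++'
}

# Read-modify-write of the project-wide ssh-keys value, using the gcloud
# commands from the first answer. add-metadata replaces the whole value,
# so the file written here must contain the existing keys as well.
add_project_key() {
  local user="$1" pubfile="$2" entry existing tmp rc
  entry="$(format_key_entry "$user" "$(cat "$pubfile")")" || return 1
  existing="$(gcloud compute project-info describe \
    --format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))")" || return 1
  tmp="$(mktemp)" || return 1
  merge_ssh_keys "$existing" "$entry" > "$tmp"
  gcloud compute project-info add-metadata --metadata-from-file ssh-keys="$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage: add_project_key "$(whoami)" ~/.ssh/id_rsa.pub
```

Project-wide keys apply to every instance that does not block them, so review the merged value with the `describe` command from step 6 after the update.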