After generating an RSA-based SSH key:
ssh-keygen -t rsa -f ~/.ssh/id_rsa -C id_rsa
#=>
Generating public/private rsa key pair.
Created directory '/. . ./.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /. . ./.ssh/.id_rsa.
Your public key has been saved in /. . ./.ssh/.id_rsa.pub.
The key fingerprint is:
SHA256:. . . id_rsa
The key's randomart image is:
+---[RSA 3072]----+
| . . . |
+----[SHA256]-----+
I am able to add it to my Google Cloud Platform (GCP) project's ($GCP_PROJECT_NAME) Compute metadata:
gcloud compute project-info add-metadata \
--metadata-from-file ssh-keys=./.ssh/id_rsa.pub
#=>
WARNING: The following key(s) are missing the <username> at the front
ssh-rsa . . . id_rsa
Format ssh keys following https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys
Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].
with a warning, but unable to connect to a GCP Compute instance with it.
If I:
pbcopy < ~/.ssh/id_rsa.pub
and I paste it into the GCP Console, I am able to use it.
How would I accomplish the same thing with the GCP SDK (gcloud)?
The:
WARNING: The following key(s) are missing the <username> at the front
warning is because the:
gcloud compute project-info add-metadata
command expects SSH keys to be presented as:
$USERNAME: $(cat ~/.ssh/id_rsa.pub)
instead of:
cat ~/.ssh/id_rsa.pub
If you want to add your RSA-based SSH key to your Google Cloud Project (GCP) project ($GCP_PROJECT_NAME):
Make sure you're logged-in as the correct user:
gcloud config list --format="value(core.account)"
if not, log-in using:
gcloud auth login
Make sure you're connected to $GCP_PROJECT_NAME with:
gcloud config list --format="value(core.project)"
if not, switch to $GCP_PROJECT_NAME with:
gcloud config set project $GCP_PROJECT_NAME
Make sure the public and private key files for your RSA-based key still exist:
ls -1 ~/.ssh/id_rsa*
#=>
/. . ./id_rsa
/. . ./id_rsa.pub
Use the following command to check all project-wide SSH keys for $GCP_PROJECT_NAME:
gcloud compute project-info describe --format=json
#=>
{
  "commonInstanceMetadata": {
    . . .
    "items": [
      . . .
      {
        "key": "ssh-keys",
        "value": ". . ."
      },
      . . .
    ],
    . . .
  }
  . . .
}
Making use of the filter() and firstof() transforms available for gcloud, we are able to grab just those project-wide SSH keys:
gcloud compute project-info describe \
--format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
If we want to avoid generating a temporary file and only use a single command to add your RSA-based SSH key to $GCP_PROJECT_NAME:
gcloud compute project-info add-metadata \
--metadata ssh-keys="$(gcloud compute project-info describe \
--format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))")
$(whoami):$(cat ~/.ssh/id_rsa.pub)"
#=>
Updated [https://www.googleapis.com/compute/v1/projects/$GCP_PROJECT_NAME].
You should now see that RSA-based SSH key in $GCP_PROJECT_NAME; check with:
gcloud compute project-info describe \
--format="value(commonInstanceMetadata.items.filter(key:ssh-keys).firstof(value))"
Note: I would suggest using an Ed25519-based SSH key instead of an RSA-based SSH key:
ssh-keygen -t ed25519 -C "$(whoami)@$(hostname)"
#=>
Generating public/private ed25519 key pair.
Enter file in which to save the key (/. . ./.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519.
Your public key has been saved in id_ed25519.pub.
The key fingerprint is:
SHA256:. . . "$(whoami)@$(hostname)"
The key's randomart image is:
+--[ED25519 256]--+
| . . . |
+----[SHA256]-----+
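The merge step from the answer above, as an added example that is not part of the original answer or of gcloud: it builds the new ssh-keys value offline, so a bare key without the `<username>:` prefix or a doubled prefix is rejected before anything is written to project metadata. The helper name `merge_ssh_keys`, the username allow-list and the accepted key types are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: merge_ssh_keys is a hypothetical helper, not part of gcloud.
# Usage: merge_ssh_keys "<current ssh-keys value>" "<username>" "<public key line>"
# Prints the merged ssh-keys value; returns 1 on input GCP would mis-parse.
merge_ssh_keys() {
  existing=$1; user=$2; pubkey=$3

  # The username becomes the login account on the instance and must not
  # contain ':' or spaces (conservative allow-list, an assumption).
  case $user in
    ''|*[!A-Za-z0-9._-]*) echo "invalid username: '$user'" >&2; return 1 ;;
  esac

  # A .pub file holds "<type> <base64> [comment]"; split off the first two fields.
  ktype=${pubkey%% *}
  rest=${pubkey#* }
  blob=${rest%% *}
  case $ktype in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not a bare public key line (already prefixed?): $ktype" >&2; return 1 ;;
  esac
  case $blob in
    ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
  esac

  # Copy every existing entry, dropping blank lines, and note a duplicate.
  merged=; found=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case $line in
      "$user:$ktype $blob"|"$user:$ktype $blob "*) found=1 ;;
    esac
    merged="${merged:+$merged
}$line"
  done <<EOF
$existing
EOF

  # Append the new "<username>:<key>" entry only if it is not there yet.
  if [ "$found" -eq 0 ]; then
    merged="${merged:+$merged
}$user:$pubkey"
  fi
  printf '%s\n' "$merged"
}
```

To apply the result, pass the function's output as the value of `--metadata ssh-keys=` in the add-metadata command shown above, with the current value read using the describe command shown above.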
To add SSH keys to metadata, and expanding on @guillaume to show a specific working example with all the fiddly bits included:
1. Get the existing instance metadata
gcloud compute instances describe <instance name>
2. Copy the public SSH keys under the ssh-keys metadata value
3. Create a file and include the keys from step 2
4. Add the keys to the instance
gcloud compute instances add-metadata cos-test --metadata-from-file ssh-keys=<file from step 2>
The file from step 2 should look like this:
<user name>:ssh-rsa <long string of key data> <user name>
On a Linux distribution with OpenSSH we would create the key with:
ssh-keygen -t rsa -f ~/.ssh/<key name> -C <user name>
If you are confused as to why gcloud wants the username pre/appended: gcloud will create a remote user and home directory based on the username appended with the key. You need to remember this when you log in, like:
ssh -v -i <path to your private key> <username>@<public ip>