Your company runs dozens of Linux virtual machines on Compute Engine across several projects. Security policy states that:
Each SSH key must be linked to an individual Google Cloud IAM identity.
VM administrators must never edit instance or project metadata manually to add or remove keys.
When an employee's IAM account is disabled, the employee must instantly lose SSH access to every VM.
Which approach satisfies all of these requirements with the least operational overhead?
Store each engineer's public key in project-wide metadata under the ssh-keys field and instruct administrators to remove keys when employees leave.
Enable OS Login on every project and grant each engineer the IAM role roles/compute.osLogin (or roles/compute.osAdminLogin). Engineers add their own public key to their OS Login profile and connect with gcloud compute ssh.
Create a dedicated service account that holds a single SSH key, grant it the compute.instanceAdmin IAM role, and share the key with all engineers.
Ask administrators to append each engineer's key directly to /home/username/.ssh/authorized_keys on every VM using a configuration-management script.
Enabling OS Login at the project (or organization) level tells Compute Engine to ignore SSH keys stored in instance or project metadata and instead look up a user's public key information that is attached to their Google Cloud IAM identity. Each user imports their own key once (for example with gcloud compute os-login ssh-keys add). When they run gcloud compute ssh, an ephemeral key valid for that user is propagated automatically, so VM administrators never have to touch metadata or authorized_keys files. Because login authorization is determined by IAM, disabling or removing the user's IAM account or the roles/compute.osLogin (or roles/compute.osAdminLogin) permission set immediately blocks the user from all VMs. The other choices either rely on metadata management, do not tie keys to IAM identities, or do not ensure immediate revocation across every VM.
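One way to verify that the policy above actually holds on every VM, as an added example that is not part of the original page: the audit below flags instances where an instance-level `enable-oslogin` value overrides the project setting, and metadata `ssh-keys` entries that are either active again or left behind. The JSON is constructed sample data in the trimmed shape of `gcloud ... --format=json` output, and the finding labels are hypothetical names chosen for this example.

```python
import json

# Constructed sample, trimmed to the fields used here (shape assumed from
# `gcloud compute project-info describe` / `instances list --format=json`).
PROJECT = json.loads("""{"name": "example-project", "commonInstanceMetadata":
  {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}}""")
INSTANCES = json.loads("""[
 {"name": "web-1", "metadata": {"items": []}},
 {"name": "db-1", "metadata": {"items": [
    {"key": "enable-oslogin", "value": "FALSE"},
    {"key": "ssh-keys", "value": "alice:ssh-ed25519 AAAA-constructed alice"}]}},
 {"name": "batch-1", "metadata": {"items": [
    {"key": "ssh-keys", "value": "bob:ssh-rsa AAAA-constructed bob"}]}}
]""")

def _md(resource, field):
    """Flatten a metadata items list into a plain dict."""
    items = (resource.get(field) or {}).get("items") or []
    return {i["key"]: i.get("value", "") for i in items}

def audit(project, instances):
    """Return {instance_name: [findings]} for VMs that break the policy."""
    proj = _md(project, "commonInstanceMetadata")
    report = {}
    for inst in instances:
        md = _md(inst, "metadata")
        findings = []
        # An instance-level value takes precedence over the project-level one.
        effective = md.get("enable-oslogin", proj.get("enable-oslogin", ""))
        if effective.upper() != "TRUE":
            findings.append("os-login-disabled")
            # With OS Login off, metadata-managed keys are honoured again.
            blocked = md.get("block-project-ssh-keys", "").upper() == "TRUE"
            if md.get("ssh-keys") or (proj.get("ssh-keys") and not blocked):
                findings.append("metadata-keys-active")
        elif md.get("ssh-keys"):
            # Ignored while OS Login is on, but a key not tied to IAM remains.
            findings.append("stale-metadata-keys")
        if findings:
            report[inst["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(PROJECT, INSTANCES).items():
        print(name, findings)
```
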
GCP Associate Cloud Engineer
Planning and implementing a cloud solution