Your security team must grant a freelance developer SSH access to a single Compute Engine VM for exactly 14 days. After that period the key must become invalid automatically, with no manual cleanup. Because multiple freelancers are onboarded every month, you also want to avoid editing project- or instance-level SSH key metadata each time. Which approach meets these requirements with the least operational effort?
Require the developer to connect through IAP TCP tunneling and manually remove the IAP TCP forwarding IAM role after 14 days.
Add the developer's public key to the VM's ssh-keys instance metadata with an expire-on timestamp set 14 days in the future.
Enable OS Login on the VM, grant the developer the Compute OS Login IAM role only on that VM, and have them upload their SSH public key with a 14-day TTL (for example, --ttl=1209600s) using gcloud compute os-login ssh-keys add.
Store the public key in Secret Manager and use a startup script on the VM to retrieve the key into ~/.ssh/authorized_keys; schedule a Cloud Scheduler job to disable the secret after 14 days.
Enabling OS Login offloads SSH authentication to IAM-managed user profiles, so you do not need to touch instance or project metadata for each new user. Grant the developer the roles/compute.osLogin role (or a higher role that includes it) on the target VM and instruct them to upload their public key with an explicit expiration:
gcloud compute os-login ssh-keys add \
    --key-file="$HOME/.ssh/id_rsa.pub" \
    --ttl=1209600s  # 14 days in seconds; $HOME is used because the shell does not expand ~ after --key-file=
The key is stored in the developer's OS Login profile and automatically becomes unusable when the TTL elapses. Adding keys directly to instance metadata, managing keys via startup scripts and Secret Manager, or relying on manual removal of IAP roles either requires ongoing manual effort or adds unnecessary components, so they do not satisfy the automation and simplicity requirements.
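Because the developer uploads the key themselves, it is worth confirming that the expiration was actually set. The following is an added example, not part of the original question or of Google's tooling: it audits a profile exported with `gcloud compute os-login describe-profile --format=json` and flags keys with no expiry or with more than 14 days remaining. The sample profile, fingerprints and audit time are constructed, and the function and constant names are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_REMAINING = timedelta(days=14)                 # engagement length from the scenario
NOW = datetime(2025, 6, 17, tzinfo=timezone.utc)   # constructed audit time

def _usec(ts):
    """Encode a datetime as the profile does: microseconds since epoch, as a string."""
    return str(int(ts.timestamp()) * 1_000_000)

# Constructed sample shaped like `gcloud compute os-login describe-profile --format=json`.
SAMPLE_PROFILE = json.dumps({
    "name": "000000000000000000000",
    "sshPublicKeys": {
        "fp-ok": {"fingerprint": "fp-ok",
                  "expirationTimeUsec": _usec(NOW + timedelta(days=14))},
        "fp-never": {"fingerprint": "fp-never"},   # uploaded without --ttl
        "fp-long": {"fingerprint": "fp-long",
                    "expirationTimeUsec": _usec(NOW + timedelta(days=90))},
        "fp-old": {"fingerprint": "fp-old",
                   "expirationTimeUsec": _usec(NOW - timedelta(days=1))},
    },
})

def audit_profile(profile_json, now=NOW, max_remaining=MAX_REMAINING):
    """Return {fingerprint: status} for every SSH key in an OS Login profile.

    The check uses the time remaining until expiry, measured from `now`.
    """
    findings = {}
    keys = json.loads(profile_json).get("sshPublicKeys", {})
    for fingerprint, entry in keys.items():
        raw = entry.get("expirationTimeUsec")
        if raw is None:                            # key never expires
            findings[fingerprint] = "no-expiry"
            continue
        expires = datetime.fromtimestamp(int(raw) // 1_000_000, tz=timezone.utc)
        if expires <= now:
            findings[fingerprint] = "expired"
        elif expires - now > max_remaining:
            findings[fingerprint] = "too-long"
        else:
            findings[fingerprint] = "ok"
    return findings

if __name__ == "__main__":
    for fp, status in audit_profile(SAMPLE_PROFILE).items():
        print(f"{fp}: {status}")
```

Any key reported as `no-expiry` or `too-long` was uploaded without the 14-day TTL the scenario requires.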
GCP Associate Cloud Engineer
Planning and implementing a cloud solution