Your security team wants to replace instance-level SSH keys with an IAM-based mechanism on all new Compute Engine VMs. Linux administrators must still be able to run sudo after logging in. You need to implement this with the fewest possible steps before the next VM is created. What should you do?
Create a startup script that writes each administrator's public key to /home/$/.ssh/authorized_keys on every VM.
Enable IAP for TCP forwarding on the project and grant the administrators group roles/iap.tunnelResourceAccessor.
Add the metadata key enable-oslogin=TRUE at the project level and grant the administrators group the IAM role roles/compute.osAdminLogin.
Add the metadata key block-project-ssh-keys=TRUE at the project level and grant the administrators group roles/compute.instanceAdmin.v1.
OS Login shifts SSH authentication from metadata-based keys to Cloud IAM. Setting the project-wide metadata key enable-oslogin=TRUE turns the feature on for every VM created in the project so no per-instance change is required. Granting the administrators group the IAM role roles/compute.osAdminLogin lets them establish an SSH session and use sudo because the role contains both login and administrator privileges inside the guest OS.
block-project-ssh-keys merely blocks inherited keys but still depends on metadata and does not provide IAM-based login. The instanceAdmin role manages VM resources but does not grant in-guest access. IAP governs network transport, not Linux authorization. A startup script that writes authorized_keys re-creates the problem of distributing and rotating SSH keys manually.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is OS Login in Google Cloud?
Open an interactive chat with Bash
What does the metadata key enable-oslogin=TRUE do?
Open an interactive chat with Bash
What is roles/compute.osAdminLogin and how does it work?
Open an interactive chat with Bash
What is OS Login and how does it work in GCP?
Open an interactive chat with Bash
What is the role roles/compute.osAdminLogin used for?
Open an interactive chat with Bash
Why is enable-oslogin=TRUE better than using block-project-ssh-keys=TRUE?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Planning and implementing a cloud solution
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .