Stay organized with collections Save and categorize content based on your preferences.
This document describes how to set up OS Login and OS Login with two-factor authentication (2FA).
OS Login enables you to control access to virtual machine (VM) instances based on IAM permissions. You can use OS Login with or without 2FA, but you can't use 2FA without using OS Login. To learn more about OS Login and OS Login 2FA, including which challenge types OS Login supports, see About OS Login.
Before you beginSelect the tab for how you plan to use the samples on this page:
ConsoleWhen you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloudInstall the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.To use the Terraform samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up authentication for a local development environment.
OS Login is not supported on the following VMs:
Assign all of the required IAM roles to users who connect to VMs that have OS Login enabled.
Enable OS LoginYou can enable OS Login or OS Login with two-factor authentication for a single VM, or all VMs in a project, by setting OS Login metadata.
When you set OS Login metadata, Compute Engine deletes the VM's authorized_keys files and no longer accepts connections from SSH keys that are stored in project or instance metadata.
To enable OS Login for all VMs in a project, set the following values in project metadata:
enable-osloginTRUEenable-oslogin-2faTRUETo enable OS Login for a single VM, set the following values in instance metadata:
enable-osloginTRUEenable-oslogin-2faTRUEEnable OS Login (optionally, with 2-step verification) while creating a VM using the Google Cloud console or the gcloud CLI.
ConsoleCreate a VM that enable OS Login and (optionally) OS Login 2FA on startup by creating a VM from a public image and specifying the following configurations:
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Create a VM that enable OS Login and (optionally) OS Login 2FA on startup by running one of the following gcloud compute instance create commands:
To enable OS Login only, run the following command:
gcloud compute instances create VM_NAME \ --image-family=IMAGE_FAMILY \ --image-project=IMAGE_PROJECT \ --metadata enable-oslogin=TRUE
To enable OS Login 2FA, run the following command:
gcloud compute instances create VM_NAME \ --image-family=IMAGE_FAMILY \ --image-project=IMAGE_PROJECT \ --metadata enable-oslogin=TRUE,enable-oslogin-2fa=TRUE
Replace the following:
VM_NAME: the name of the new VM.IMAGE_FAMILY: the image family of a Linux OS. This creates the VM from the most recent non-deprecated OS image. For all public image families, see Operating system details.IMAGE_PROJECT: the image project that contains the image family. Each OS has its own image project. For all public image projects, see Operating system details.You can apply the metadata values to your projects or VMs by using one of the following options:
Option 1: Set enable-oslogin in project-wide metadata so that it applies to all of the VMs in your project.
Use the google_compute_project_metadata Terraform resource and set a metadata value where oslogin=TRUE:
Alternatively, you can set enable-oslogin to FALSE to disable OS Login.
Option 2: Set enable-oslogin in the metadata of a new or an existing VM.
Use the google_compute_instance Terraform resource and set oslogin=TRUE. Replace oslogin_instance_name with the name of your VM.
Alternatively, you can set enable-oslogin to FALSE to exclude your VM from using OS Login.
Connect to VMs that have OS Login enabled by using the methods described in Connect to Linux VMs.
When you connect to VMs that have OS Login enabled, Compute Engine uses the username that your organization administrator configured for you. If your organization administrator hasn't configured a username for you, Compute Engine generates a username in the format of USERNAME_DOMAIN_SUFFIX. For more information about usernames, see How OS Login works.
When you connect to VMs that have OS Login 2FA enabled, you also see a message based on your selected 2-step verification method or challenge type. For the phone prompt method, accept the prompts on your phone or tablet to continue. For other methods, enter your security code or one-time password.
Troubleshoot OS LoginTo find methods for diagnosing and resolving OS Login errors, see Troubleshooting OS Login.
What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["OS Login lets you manage VM access using IAM permissions, and it can be used with or without two-factor authentication (2FA), although 2FA requires OS Login."],["To use OS Login or OS Login with 2FA, you can enable it for all VMs in a project or for individual VMs by setting the appropriate metadata keys (`enable-oslogin` and `enable-oslogin-2fa`)."],["OS Login is not supported on Windows Server, SQL Server VMs, or Fedora CoreOS VMs, and using OS Login will result in the deletion of a VM's `authorized_keys` files, preventing SSH key connections via project or instance metadata."],["When connecting to VMs with OS Login enabled, Compute Engine uses a configured username or generates one in the format of `USERNAME_DOMAIN_SUFFIX`, and OS Login 2FA enforces 2-step verification for access."],["To set up the correct authentication, use the console, gcloud, or terraform options depending on your needs, in addition to properly granting the required IAM roles to users that will connect to the VM."]]],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4