How to implement OS Login on Google Compute Engine

Jonatan Weckl
4 min read, Sep 12, 2022


Hello everyone. If you're looking to improve the security of your infrastructure on Google Cloud Platform, this article is for you.

Today, we’ll see how to configure OS Login on Google Compute Engine.

What is OS Login?

OS Login is the recommended way to authenticate to Linux virtual machines. It manages SSH keys centrally, so you no longer have to create and modify individual SSH keys per user and per machine. We already know that manually distributed SSH keys are not the best way to authenticate users, and in practice they are rarely handled according to best practices (rotation, encryption, etc.).

This service links your Linux account to your Google identity (in this case, we'll use an IAM service account), and it is the IAM permissions on that Google identity that decide whether it may access the virtual machines.

Getting Started with OS Login

Let's start by creating a new VM and setting up OS Login from the beginning. If you only want to see how to modify an existing VM, you can skip this first section.

Creating VM with OS Login

First of all, go to the Compute Engine section, then to VM instances, and click Create an instance.

In this tab, expand Advanced Options and scroll down to the Security section. You'll see an option called Manage Access; click it and check Control VM access through IAM permissions. This setting creates your VM with OS Login enabled.

Finish configuring your VM as needed and click the Create button. Remember that this option is only available for Linux VMs!

Modifying an existing VM to activate OS Login

If you already have a Linux virtual machine, you need to modify its metadata values to activate OS Login. Let's do it.

You can enable OS Login on a particular instance or for the entire project. Choose whichever of these options works best for you.

If you want to enable OS Login on a specific instance, open that VM's page, click Edit and scroll down to Metadata. Add the key enable-oslogin with the value true. Click Save to apply the changes.

If you want to enable OS Login for the entire project, search for Metadata in the Google Cloud Console, click Edit, then Add Item, enter enable-oslogin as the key and true as the value. Click Save to apply the changes.

All instances in the project inherit these project-level key-value pairs, unless an instance sets the same key itself.

Creating Service Accounts to Authenticate VMs

To be able to connect to the VM, you have to grant the necessary permissions to a user or a service account. The required roles are the following:

Compute OS Admin Login (compute.osAdminLogin): if you want to grant admin permissions.

Compute OS Login (compute.osLogin): if you don't want to grant admin permissions.

Service Account User (iam.serviceAccountUser): to follow the best practices for IAM service accounts.

You can grant these permissions to a specific user, or you can create a custom role and grant it to a service account.

If you followed the steps, you now have OS Login enabled properly! You can test it by deleting the existing SSH keys (taking with them the horrible practices they brought along) and trying to connect to the instance.
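As an added example (not code from the original article): a small bash helper that applies the precedence rule described above, where an instance-level enable-oslogin value overrides the project-level one, and, when gcloud is available, checks a given instance and prints the command needed to enable OS Login. PROJECT, ZONE and INSTANCE are placeholders, and the --format paths used to read the metadata key are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article: audit whether OS Login is
# effectively enabled for an instance. Assumes gcloud is installed and
# authenticated; PROJECT, ZONE and INSTANCE are placeholders you supply.
set -eu

# Normalise a metadata value to "true", "false" or "unset" (TRUE and true both count).
normalize_flag() {
  case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
    true)  echo true ;;
    "")    echo unset ;;
    *)     echo false ;;   # "false" and anything unexpected mean "not enabled"
  esac
}

# Instance metadata overrides project metadata: the project-level key only
# applies to instances that do not set enable-oslogin themselves.
effective_oslogin() {            # args: project_value instance_value
  local proj inst
  proj=$(normalize_flag "$1"); inst=$(normalize_flag "$2")
  if [ "$inst" != unset ]; then
    echo "$inst"
  elif [ "$proj" = true ]; then
    echo true
  else
    echo false
  fi
}

# Live check (needs gcloud). The --format paths below are assumed, not taken
# from the article.  args: PROJECT ZONE INSTANCE
check_instance() {
  local proj inst state
  proj=$(gcloud compute project-info describe --project "$1" \
           --format='value(commonInstanceMetadata.items.enable-oslogin)')
  inst=$(gcloud compute instances describe "$3" --project "$1" --zone "$2" \
           --format='value(metadata.items.enable-oslogin)')
  state=$(effective_oslogin "$proj" "$inst")
  if [ "$state" = true ]; then
    echo "OS Login is enabled on $3"; return 0
  fi
  echo "OS Login is NOT enabled on $3. Enable it with:" >&2
  echo "  gcloud compute instances add-metadata $3 --project $1 --zone $2 --metadata enable-oslogin=TRUE" >&2
  return 1
}

# Usage: ./oslogin_check.sh --check PROJECT ZONE INSTANCE
if [ "${1:-}" = "--check" ]; then check_instance "$2" "$3" "$4"; fi
```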

As a recommendation, when you configure OS Login on a new VM, you can also activate 2-Step Verification, which adds an extra layer of security by requesting a second verification method when you try to connect to an instance.

We have reached the end of the article. If you have any questions or recommendations, you can comment on this post or send me a message.

Subscribe to keep up-to-date with Google Cloud Platform best practices.
