Ensure oslogin is enabled for a Project - google_compute_project_metadata

LOW

Description

Description:

Enabling OS Login binds the SSH keys used to reach instances to IAM identities and centralizes SSH key management instead of leaving it in project or instance metadata.

Rationale:

Enabling OS Login ensures that the SSH keys used to connect to instances are mapped to IAM users. Revoking an IAM user's access revokes all SSH keys associated with that user. It facilitates centralized and automated SSH key pair management, which is useful for cases such as responding to a compromised SSH key pair or revoking external/third-party/vendor users.

Enabling OS Login on a project disables metadata-based SSH key configuration on all instances in that project, unless an instance sets its own 'enable-oslogin' metadata value, which overrides the project-level setting (hence the per-instance steps below). Disabling OS Login restores the SSH keys configured in project or instance metadata.

Remediation

From Google Cloud Console

  1. Go to the VM compute metadata page by visiting: https://console.cloud.google.com/compute/metadata.

  2. Click 'Edit'.

  3. Add a metadata entry where the key is 'enable-oslogin' and the value is 'TRUE'.

  4. Click 'Save' to apply the changes.

  5. For every instance that overrides the project setting, go to the 'VM Instances' page at https://console.cloud.google.com/compute/instances.

  6. Click the name of the instance on which you want to remove the metadata value.

  7. At the top of the instance details page, click 'Edit' to edit the instance settings.

  8. Under 'Custom metadata', remove any entry whose key is 'enable-oslogin' and whose value is 'FALSE'.

  9. At the bottom of the instance details page, click 'Save' to apply your changes to the instance.

From Google Cloud CLI

  1. Configure oslogin on the project:

gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

  2. Remove instance metadata that overrides the project setting, for each instance that sets 'enable-oslogin' to 'FALSE':

gcloud compute instances remove-metadata INSTANCE_NAME --zone=ZONE --keys=enable-oslogin
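The audit behind the two CLI steps above, written out as an added example (not part of the original benchmark text): it takes the JSON that 'gcloud compute project-info describe --format=json' and 'gcloud compute instances list --format=json' return (project metadata under 'commonInstanceMetadata.items', instance metadata under 'metadata.items', each item a key/value pair), flags a project without 'enable-oslogin=TRUE' and every instance that overrides it with 'FALSE', and emits the matching remediation commands. The sample project and instances are constructed inline so it runs offline; the case-insensitive comparison of the value is an assumption made here, the documented value being 'TRUE'.

```python
"""Audit OS Login posture from gcloud JSON output (added example, not from the benchmark)."""
from typing import Dict, List, Optional


def metadata_items(metadata: Optional[dict]) -> Dict[str, str]:
    """Flatten a Compute Engine metadata object ({"items": [{"key", "value"}, ...]}) to a dict."""
    return {item["key"]: item.get("value", "") for item in (metadata or {}).get("items", [])}


def oslogin_flag(value: Optional[str]) -> Optional[bool]:
    """None when enable-oslogin is unset; otherwise True only for 'TRUE' (compared case-insensitively, an assumption)."""
    if value is None:
        return None
    return value.strip().lower() == "true"


def audit_oslogin(project: dict, instances: List[dict]) -> dict:
    """Return findings plus the gcloud commands that fix them, following the remediation steps on this page."""
    findings: List[str] = []
    remediation: List[str] = []

    project_flag = oslogin_flag(metadata_items(project.get("commonInstanceMetadata")).get("enable-oslogin"))
    if project_flag is not True:
        findings.append("project: enable-oslogin is %s" % ("unset" if project_flag is None else "FALSE"))
        remediation.append("gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE")

    for inst in instances:
        # Instance metadata overrides project metadata, so FALSE here defeats the project-level TRUE.
        if oslogin_flag(metadata_items(inst.get("metadata")).get("enable-oslogin")) is False:
            zone = inst["zone"].rsplit("/", 1)[-1]  # gcloud returns the zone as a full resource URL
            findings.append(f"instance {inst['name']} ({zone}): enable-oslogin=FALSE overrides project")
            remediation.append(
                f"gcloud compute instances remove-metadata {inst['name']} --zone={zone} --keys=enable-oslogin"
            )

    return {"compliant": not findings, "findings": findings, "remediation": remediation}


# Constructed sample data shaped like the gcloud JSON output (not captured from a real project).
PROJECT = {
    "name": "example-project",
    "commonInstanceMetadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
}
INSTANCES = [
    {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
     "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}},
    {"name": "web-2", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
     "metadata": {"items": [{"key": "startup-script", "value": "#! /bin/bash\napt-get update"}]}},
    {"name": "bastion", "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-b",
     "metadata": {}},
]


def demo() -> dict:
    """Run the audit on the sample data; only web-1 should be flagged."""
    return audit_oslogin(PROJECT, INSTANCES)


if __name__ == "__main__":
    result = demo()
    for line in result["findings"]:
        print("FINDING:", line)
    for cmd in result["remediation"]:
        print("FIX:", cmd)
```

Pipe real output into 'audit_oslogin' with 'json.load' on the two gcloud commands named in the lead-in; an instance that merely omits the key inherits the project value and is not reported, which matches step 8 of the console procedure.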

Optionally, you can enable two-factor authentication for OS Login. For more information, see: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication.