Restrict SSH keys from VMs

Linux Windows

This document describes how to prevent users from accessing virtual machine (VM) instances by removing and blocking SSH keys from VMs.

Before you begin

Remove SSH keys

Remove SSH keys from VMs that use OS Login

VMs that use OS Login accept SSH keys that are associated with your Google account. You can remove a public SSH key from your user account using the Google Cloud CLI or the OS Login API. If you're an administrator for your organization, you can remove SSH keys from user accounts using the Directory API. Compute Engine automatically removes expired keys from your Google Account.

Remove SSH keys from VMs that use metadata-based keys

You can remove a public SSH key from project or instance metadata using the Google Cloud console, the gcloud CLI, or the Compute Engine API.

After you remove the last key from metadata for a particular user, or the last key in metadata for a particular user expires, Compute Engine deletes the user's ~/.ssh/authorized_keys file on the VM.

Remove a public key from project metadata

Remove a public SSH key from project metadata to remove access to all VMs in a project.

When you remove a key from metadata using the gcloud CLI and the Compute Engine API, you must retrieve the list of existing keys, edit the list of keys to remove the unwanted keys, and overwrite the old keys with the list of keys you want to keep, as explained in the following section.

Permissions required for this task

Console

To remove a public SSH key from project metadata using the Google Cloud console, do the following:

In the Google Cloud console, go to the Metadata page.

Go to Metadata
Click the SSH keys tab.
Click Edit at the top of the page.
Navigate to the SSH key that you want to remove and click the delete button next to the SSH key.

Repeat this step for each SSH key that you want to remove.
Click Save.

gcloud

To remove a public SSH key from project metadata using the gcloud CLI, do the following:

Run gcloud compute project-info describe command to get the metadata for the project:

gcloud compute project-info describe

The output is similar to the following:

...
metadata:
  ...
  - key: ssh-keys
    value: |-
      cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
      baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
...

Copy the ssh-keys metadata value.
Create and open a new text file on your workstation.
In the file, paste the list of SSH keys that you just copied, then delete any keys you want to remove from project metadata.
Save and close the file.
Run the gcloud compute project-info add-metadata command to set the project-wide ssh-keys value:
```
gcloud compute project-info add-metadata --metadata-from-file=ssh-keys=KEY_FILE
```
Replace KEY_FILE with one of the following:
- the path to the file you created in the previous step, if the project had existing SSH keys
- the path to your new public SSH key file, if the project didn't have existing SSH keys

REST

To remove a public SSH key from project metadata using the Compute Engine API, do the following:

Use the projects.get method to get the fingerprint and ssh-keys values from metadata.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID

Replace PROJECT_ID with your project ID.

The response is similar to the following:

...
"fingerprint": "utgYE_XWtE8=",
"items": [
 {
  "key": "ssh-keys",
  "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"
 }
]
...

Copy the list of SSH key values and delete the keys you want to remove.
Use the projects.setCommonInstanceMetadata to remove the SSH keys.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/setCommonInstanceMetadata

{
"items": [
 {
  "key": "ssh-keys",
  "value": "EXISTING_SSH_KEYS"
 }
]
"fingerprint": "FINGERPRINT"
}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the list of the SSH keys you want to keep
- FINGERPRINT: the value of the fingerprint from the response of the projects.get request

Remove a public SSH key from instance metadata

Permissions required for this task

To perform this task, you must have the following permissions:

compute.instances.setMetadata

Console

To remove a public SSH key from instance metadata using the Google Cloud console, do the following:

In the Google Cloud console, go to the VM instances page.

Go to VM instances
Click the name of the VM that you want to remove a key for.
Click Edit.
In SSH Keys section, click Show and edit. The section expands to show all of the instance-level public SSH keys.
Click the delete button next to the SSH key that you want to remove.

Repeat this step for each SSH key that you want to remove.
Click Save.

gcloud

To remove a public SSH key from instance metadata using the gcloud CLI, do the following:

Run gcloud compute instances describe command to get the metadata for the VM:

gcloud compute instances describe VM_NAME

Replace VM_NAME with the name of the VM for which you need to add or remove public SSH keys.

The output is similar to the following:

...
metadata:
...
- key: ssh-keys
 value: |-
   cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF
   baklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}
...

Copy the ssh-keys metadata value.
Create and open a new text file on your local workstation.
In the file, paste the list of SSH keys that you just copied, then remove any keys you want to delete.
Save and close the file.
Run the gcloud compute project-info add-metadata command to set the project-wide ssh-keys value:
```
gcloud compute instances add-metadata VM_NAME --metadata-from-file ssh-keys=KEY_FILE
```
Replace the following:
- VM_NAME: the VM you want to remove the SSH key for
- KEY_FILE: the path to the file that contains the list of all project SSH keys

REST

To remove a public SSH key from instance metadata using the Compute Engine API, do the following:

Use the instances.get method to get the fingerprint and ssh-keys values from metadata.

GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME

Replace the following:

PROJECT_ID: your project ID
ZONE: the zone of the VM you're adding an SSH key for
VM_NAME: the VM you're adding an SSH key for

The response is similar to the following:

...
"fingerprint": "utgYE_XWtE8=",
"items": [
{
 "key": "ssh-keys",
 "value": "cloudysanfrancisco:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAu5kKQCPF\nbaklavainthebalkans:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQDx3FNVC8 google-ssh {"userName":"baklavainthebalkans","expireOn":"2021-06-14T16:59:03+0000"}"
}
]
...

Copy the list of SSH key values and delete the keys you want to remove.
Use the instances.setMetadata to remove the SSH keys.
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata

{
"items": [
 {
  "key": "ssh-keys",
  "value": "EXISTING_SSH_KEYS
 }
]
"fingerprint": "FINGERPRINT"
}
```
Replace the following:
- PROJECT_ID: your project ID
- EXISTING_SSH_KEYS: the value of the ssh-keys key from the response of the projects.get request
- FINGERPRINT: the value of the fingerprint from the response of the instances.get request

Block project SSH keys from VMs that use metadata-based SSH keys

You can prevent VMs from accepting SSH keys that are stored in project metadata by blocking project SSH keys from VMs. You can block project SSH keys from VMs when you create a VM or after you create a VM.

Block project SSH keys from a VM during VM creation

You can block project SSH keys from VMs during VM creation, using the Google Cloud console, gcloud CLI, or Compute Engine API.

Console

To create an instance and block it from accepting SSH keys stored in project metadata using the Google Cloud console, do the following:

In the Google Cloud console, go to the Create an instance page.

Go to Create an instance
To block project SSH keys, do the following:
1. In the navigation menu, click Security.
2. Expand the Manage access section.
3. To disable OS Login, clear the Control VM access through IAM permissions checkbox.
4. Select the Block project-wide SSH keys checkbox.
Optional: Specify other configuration options. For more information, see Configuration options during instance creation.
To create and start the instance, click Create.

gcloud

To create a VM and block it from accepting SSH keys stored in project metadata using the gcloud CLI, use the gcloud compute instances create command:

gcloud compute instances create VM_NAME \
    --metadata block-project-ssh-keys=TRUE

Replace VM_NAME with the name of the new VM.

REST

To create a VM and block it from accepting SSH keys stored in project metadata using the Compute Engine, construct a POST request to the instances.insert method:

POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances

Replace the following:

PROJECT_ID: the project ID
ZONE: the zone of the VM

In the body of the request, provide usernames and public SSH keys in the items property:

...
{
 "items": [
    {
     "key": "block-project-ssh-keys",
     "value": TRUE
    }
   ]
}
...

Block project SSH keys from a VM after VM creation

You can block project SSH keys from VMs after VM creation using the Google Cloud console, gcloud CLI, or Compute Engine API.

Permissions required for this task

To perform this task, you must have the following permissions:

compute.projects.setCommonInstanceMetadata

Console

To block VMs from accepting connections from SSH keys stored in project metadata using the Google Cloud console, do the following:

In the Google Cloud console, go to the VM instances page.

Go to VM instances
Click the name of the VM that you want to block project SSH keys for.
Click Edit.
Under SSH Keys, select the Block project-wide SSH keys checkbox.
When you have finished editing the connection setting for SSH keys, click Save.

gcloud

To block VMs from accepting connections from SSH keys stored in project metadata using the gcloud CLI, do the following:

Run the gcloud compute instances add-metadata command:

gcloud compute instances add-metadata VM_NAME --metadata block-project-ssh-keys=TRUE

Replace VM_NAME with the name of the VM for which you want to block project-wide public SSH keys.

REST

To block VMs from accepting connections from SSH keys stored in project metadata using the Compute Engine API, do the following:

Use the instances.get method to get the fingerprint from metadata.
```
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME
```
Replace the following:
- PROJECT_ID: your project ID
- ZONE: the zone of the VM you're adding an SSH key for
- VM_NAME: the VM you're adding an SSH key for
The response is similar to the following:
```
...
"fingerprint": "utgYE_XWtE8="
...
```
Use the instances.setMetadata method to set block-project-ssh-keys to TRUE:
```
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/setMetadata

{
"items": [
 {
  "key": "block-project-ssh-keys",
  "value": TRUE
 }
]
"fingerprint": "FINGERPRINT"
}
```
Replace the following:
- PROJECT_ID is your project ID
- ZONE is the zone where your instance is located
- INSTANCE_NAME is the instance where you want to block project-wide keys.
- FINGERPRINT: the value of the fingerprint from the response of the instances.get request.

What's next?

Learn about the benefits of using OS Login for access management.
Connect to VMs using Google tools, so you don't have to manage your own SSH keys.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-09 UTC.

Restrict SSH keys from VMs Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Console

gcloud

REST

Remove SSH keys

Remove SSH keys from VMs that use OS Login

gcloud

REST

Remove SSH keys from VMs that use metadata-based keys

Remove a public key from project metadata

Permissions required for this task

Console

gcloud

REST

Remove a public SSH key from instance metadata

Permissions required for this task

Console

gcloud

REST

Block project SSH keys from VMs that use metadata-based SSH keys

Block project SSH keys from a VM during VM creation

Console

gcloud

REST

Block project SSH keys from a VM after VM creation

Permissions required for this task

Console

gcloud

REST

What's next?