Re-using existing ssh keys on Google Cloud

google-cloud gcloud ssh key

I like to re-use existing ssh keys on AWS and Google Cloud. However, the Google Cloud CLI tool generates a new ssh key pair when attempting to ssh into an instance for the first time using gcloud compute ssh.

You can force gcloud to re-use an existing key pair in two different ways.

Configuring gcloud to add your own keys and using vanilla ssh

If you prefer to use vanilla ssh over the gcloud ssh wrapper, you can configure gcloud to add your public key to the instances.

$ gcloud compute config-ssh --ssh-key-file ~/.ssh/id_rsa
You should now be able to use ssh/scp with your instances.
For example, try running:

  $ ssh streisand.asia-southeast1-a.streisand-vpn-197221

The command populates your ~/.ssh/config file so that entries exist for all Google Cloud instances. The drawback is that you have to re-run the gcloud compute config-ssh command whenever you add or delete instances so that your config file is kept up to date.

# Google Compute Engine Section
#
# The following has been auto-generated by "gcloud compute config-ssh"
# to make accessing your Google Compute Engine virtual machines easier.
#
# To remove this blob, run:
#
#   gcloud compute config-ssh --remove
#
# You can also manually remove this blob by deleting everything from
# here until the comment that contains the string "End of Google Compute
# Engine Section".
#
# You should not hand-edit this section, unless you are deleting it.
#
Host streisand.asia-southeast1-a.streisand-vpn-xxxxxx
    HostName x.x.x
    IdentityFile /home/dani/.ssh/id_rsa
    UserKnownHostsFile=/home/dani/.ssh/google_compute_known_hosts
    HostKeyAlias=compute.x
    IdentitiesOnly=yes
    CheckHostIP=no

# End of Google Compute Engine Section

We can now use vanilla ssh instead of gcloud compute ssh to enter an instance:

$ ssh streisand.asia-southeast1-a.streisand-vpn-xxxxxx
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-1015-gcp x86_64)

Symlinking your existing keys and using the gcloud ssh wrapper

The alternative to the first option is to use the gcloud compute ssh wrapper which keeps track of existing instances and doesn’t require re-populating the ssh config file when instances are added or deleted.

By default, gcloud compute ssh looks for:

  • $HOME/.ssh/google_compute_engine – the private key
  • $HOME/.ssh/google_compute_engine.pub – the public key

If it doesn’t find these keys, it attempts to create new keys. We can circumvent this by linking our personal keys to those locations.

$ ln -s "$HOME/.ssh/id_rsa" "$HOME/.ssh/google_compute_engine"
$ ln -s "$HOME/.ssh/id_rsa.pub" "$HOME/.ssh/google_compute_engine.pub"
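
A more defensive version of this linking step, as an added example that is not part of the original post: it links the private key and the matching .pub file to the two paths gcloud looks for, refuses to proceed if the .pub file holds private key material, and does not overwrite a key pair gcloud already generated. The function name link_gcloud_keys and its return codes are made up for this example; it assumes the pair is stored as <name> and <name>.pub in one directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of gcloud).
# Usage: link_gcloud_keys "$HOME/.ssh" id_rsa
# The body runs in a subshell "( ... )" so its variables stay local
# and "exit" only leaves the function.
link_gcloud_keys() (
    ssh_dir="$1"
    name="${2:-id_rsa}"
    priv="$ssh_dir/$name"
    pub="$ssh_dir/$name.pub"
    dest="$ssh_dir/google_compute_engine"

    [ -f "$priv" ] && [ -f "$pub" ] || { echo "missing $priv or $pub" >&2; exit 1; }

    # gcloud reads the .pub path as the public key, so that file must
    # never contain private key material.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub contains private key material" >&2
        exit 2
    fi
    # An OpenSSH public key is one line starting with the key type
    # (common types only).
    case "$(head -n 1 "$pub")" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub is not an OpenSSH public key line" >&2; exit 2 ;;
    esac

    # Keep a key pair that gcloud generated earlier; only a symlink left
    # by a previous run of this function is replaced.
    for d in "$dest" "$dest.pub"; do
        if [ -e "$d" ] && [ ! -L "$d" ]; then
            echo "$d exists and is not a symlink" >&2
            exit 3
        fi
    done

    chmod 600 "$priv"   # ssh rejects private keys readable by other users
    ln -sfn "$priv" "$dest"
    ln -sfn "$pub" "$dest.pub"
)
```
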

Now we can use the usual gcloud compute ssh command. The wrapper command takes the instance name instead of the address as an argument.

$ gcloud compute ssh streisand
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.13.0-1015-gcp x86_64)