This document describes how to configure apps to programmatically connect between two virtual machine (VM) instances using SSH and OS Login. Enabling apps to use SSH can be useful for automating system management processes.
All code samples used in this guide are hosted on the GoogleCloudPlatform/python-docs-samples GitHub page.
Before you begin
- Set up SSH for a service account.
- Set up OS Login on your project, or on a VM that runs as a service account.
- If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
- Install the Google Cloud CLI, then initialize it by running the following command:
  gcloud init
- Set a default region and zone.
Set up an SSH app
Set up your app to manage SSH keys and initiate SSH connections to Compute Engine VMs. At a high level, your app should do the following:
- Import the Google OS Login library to build client libraries, which enables you to authenticate with the OS Login API.
- Initialize the OS Login Client object to enable your app to use OS Login.
- Implement a create_ssh_key() method that generates an SSH key for the VM's service account and adds the public key to the service account.
- Call the get_login_profile() method from the OS Login library to get the POSIX user name that the service account uses.
- Implement a run_ssh() method to execute a remote SSH command.
- Remove the temporary SSH key files.
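The steps above as one function, written as an added example: it is not the oslogin_service_account_ssh.py sample or Google's code. It assumes ssh-keygen and ssh are on the PATH and that the caller supplies the target host. The runner parameter is a hypothetical injection point, and the key expiry is an addition the steps do not mention.

```python
import os
import shutil
import subprocess
import tempfile
import time


def key_expiry_usec(ttl_seconds, now=None):
    """OS Login key expiry is expressed in microseconds since the epoch."""
    now = time.time() if now is None else now
    return int((now + ttl_seconds) * 1_000_000)


def ssh_argv(key_path, username, host, cmd):
    """Build ssh arguments as a list so no local shell parses them."""
    return ["ssh", "-i", key_path, "-o", "IdentitiesOnly=yes",
            "-o", "BatchMode=yes", f"{username}@{host}", cmd]


def run_with_temp_key(client, account, host, cmd, ttl_seconds=300,
                      runner=subprocess.run):
    """Run cmd on host with a short-lived key, then always delete the key.

    client  -- an oslogin_v1.OsLoginServiceClient (or a stand-in in tests)
    account -- "users/SERVICE_ACCOUNT_EMAIL" (placeholder)
    runner  -- hypothetical injection point; defaults to subprocess.run
    """
    workdir = tempfile.mkdtemp(prefix="oslogin-")  # created with mode 0700
    key_path = os.path.join(workdir, "key")
    try:
        runner(["ssh-keygen", "-q", "-t", "rsa", "-b", "3072", "-N", "",
                "-f", key_path], check=True)
        with open(key_path + ".pub") as pub:
            public_key = pub.read().strip()
        # Register the public key with an expiry so a leaked key ages out.
        client.import_ssh_public_key(request={
            "parent": account,
            "ssh_public_key": {
                "key": public_key,
                "expiration_time_usec": key_expiry_usec(ttl_seconds),
            },
        })
        profile = client.get_login_profile(name=account)
        username = profile.posix_accounts[0].username
        done = runner(ssh_argv(key_path, username, host, cmd),
                      check=True, capture_output=True, text=True)
        return done.stdout
    finally:
        shutil.rmtree(workdir, ignore_errors=True)  # key never outlives the call
```

Because BatchMode=yes stops ssh from prompting, the connection fails rather than silently trusting a host whose key is not already in known_hosts.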
Sample SSH app
The oslogin_service_account_ssh.py sample app demonstrates a possible implementation of an SSH app. In this example, the app uses the run_ssh() method to execute a command on a remote instance and return the command output.
Run the SSH app
After you create an app that uses SSH, you can run the app by following a process similar to the following example, which installs and runs the oslogin_service_account_ssh.py sample app. The libraries you install may differ, depending on the programming language the app uses.
Alternatively, you can write an app that imports oslogin_service_account_ssh.py and runs it directly.
Connect to the VM that hosts the SSH app.
On the VM, install pip and the Python 3 client library:
  sudo apt update && sudo apt install python3-pip -y && pip install --upgrade google-cloud-os-login requests
Optional: If you are using the oslogin_service_account_ssh.py sample app, download it from GoogleCloudPlatform/python-docs-samples:
  curl -O https://raw.githubusercontent.com/GoogleCloudPlatform/python-docs-samples/master/compute/oslogin/oslogin_service_account_ssh.py
Run the SSH app. The sample app uses argparse to accept variables from the command line. In this example, instruct the app to install and run cowsay on another VM in your project.
  python3 oslogin_service_account_ssh.py \
      --cmd 'sudo apt install cowsay -y && cowsay "It works!"' \
      --project=PROJECT_ID --instance=VM_NAME --zone=ZONE
Replace the following:
- PROJECT_ID: the project ID of the VM that the app is connecting to.
- VM_NAME: the name of the VM that the app is connecting to.
- ZONE: the zone of the VM that the app is connecting to.
The output is similar to the following:
⋮
___________
  It works!
-----------
       \   ^__^
        \  (oo)\_______
           (__)\       )\/\
               ||----w |
               ||     ||
What's next
- Download and view the full code sample. The full sample includes a small example of using all of these methods together. Feel free to download it, change it, and run it to suit your needs.
- Learn more about how SSH connections work in Compute Engine, including SSH key configuration and storage.