Ensure Oslogin Is Enabled for a Project

Enabling osLogin ensures that SSH keys used to connect to instances are mapped with IAM users. Revoking access to IAM user will revoke all the SSH keys associated with that particular user. It facilitates centralized and automated ssh key pair management which is useful in handling cases like response to compromised ssh key pairs and/or revocation of external/third-party/Vendor users.

Risk Level: Medium
Cloud Entity: GCP Project
CloudGuard Rule ID: D9.GCP.CRY.03
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


Project should have metadata.items contain [ key='enable-oslogin' and value regexMatch /TRUE/i ]


From Portal

  1. Go to the VM compute metadata page using https://console.cloud.google.com/compute/metadata?
  2. Click Edit.
  3. Add a metadata entry where the key is enable-oslogin and the value is TRUE.
  4. Click Save to apply the changes.

From TF
Set the enable-oslogin to true in metadata node:

resource 'google_compute_project_metadata' 'default' {
	metadata = {
		enable-oslogin = true

From Command Line

gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE


  1. https://cloud.google.com/compute/docs/storing-retrieving-metadata
  2. https://cloud.google.com/sdk/gcloud/reference/compute/project-info/add-metadata

GCP Project

A project organizes all your Google Cloud Platform resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. So, for example, all of your Cloud Storage buckets and objects, along with user permissions for accessing them, reside in a project. You can have one project, or you can create multiple projects and use them to organize your Google Cloud Platform resources, including your Cloud Storage data, into logical groups

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP GDPR Readiness
  • GCP ISO 27001:2013
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 4
  • GCP NIST 800-53 Rev 5
  • GCP NIST CSF v1.1
  • GCP PCI-DSS 3.2
  • GCP PCI-DSS 4.0