Google Cloud

SSH Access to Google Cloud VM Instances

Google Cloud VM instances can be accessed via the browser-based SSH console in the GCP Console, or via a standard SSH client after configuring the instance.

Method 1 – Browser-based SSH (quickest)

  1. In the GCP Console, go to Compute Engine → VM Instances.
  2. Click the SSH button next to your instance.

Method 2 – Enable root and password SSH (for SSH clients)

  1. Connect via the browser SSH console first.
  2. Set a root password:
    sudo passwd root
  3. Edit the SSH config:
    sudo nano /etc/ssh/sshd_config
  4. Set:
    PermitRootLogin yes
    PasswordAuthentication yes
  5. Restart SSH:
    sudo systemctl restart sshd
  6. Open port 22 in the GCP firewall rule for your VM's network.

Security note: Enabling root SSH with password auth is not recommended for production. Prefer key-based auth or use IAP tunnelling (see below).

Method 3 – gcloud SSH (recommended for admin access)

# SSH via gcloud (handles key management automatically)
gcloud compute ssh INSTANCE_NAME --zone=ZONE

# With IAP tunnel (no public IP required)
gcloud compute ssh INSTANCE_NAME --zone=ZONE --tunnel-through-iap

Install a GUI on a Google Compute Engine Ubuntu Instance

GCE VM instances are headless by default. This guide installs a minimal desktop environment and a VNC server so you can access a graphical desktop remotely.

Step 1 – Update and install a desktop environment

sudo apt-get update
sudo apt-get install -y ubuntu-desktop gnome-panel gnome-settings-daemon metacity nautilus gnome-terminal

Step 2 – Install and configure TightVNC

sudo apt-get install -y tightvncserver
vncserver  # First run — set a VNC password

Step 3 – Configure the VNC startup script

vncserver -kill :1
nano ~/.vnc/xstartup

Replace the contents with:

#!/bin/sh
export XKL_XMODMAP_DISABLE=1
unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS
gnome-panel &
gnome-settings-daemon &
metacity &
nautilus &

Save the file, then make it executable and start the VNC server again:

chmod +x ~/.vnc/xstartup
vncserver -geometry 1280x800 :1

Step 4 – Create an SSH tunnel to the VNC port

gcloud compute ssh INSTANCE_NAME --zone=ZONE -- -L 5901:localhost:5901

Then connect your local VNC client to localhost:5901.

Alternative: Install Firefox only (lighter approach)

sudo apt-get install -y firefox xvfb
Xvfb :99 -screen 0 1280x800x24 &
export DISPLAY=:99
firefox &

gcloud CLI Quick Reference

Commonly used gcloud commands for managing Google Cloud resources.

Authentication & configuration

# Authenticate
gcloud auth login

# Set active project
gcloud config set project PROJECT_ID

# List all configurations
gcloud config list

# Switch between projects quickly
gcloud config set project ezfood-336721

Compute Engine (VMs)

# List all VM instances
gcloud compute instances list

# SSH into an instance
gcloud compute ssh INSTANCE_NAME --zone=ZONE

# Start / stop an instance
gcloud compute instances start INSTANCE_NAME --zone=ZONE
gcloud compute instances stop INSTANCE_NAME --zone=ZONE

# Copy files to/from a VM
gcloud compute scp local-file.txt INSTANCE_NAME:~/remote/ --zone=ZONE

Cloud Storage (GCS)

# List buckets
gsutil ls

# Copy local file to bucket
gsutil cp file.txt gs://my-bucket/

# Sync a directory to a bucket
gsutil -m rsync -r ./local-dir gs://my-bucket/dir/

Firewall rules

# List firewall rules
gcloud compute firewall-rules list

# Allow HTTP and HTTPS
gcloud compute firewall-rules create allow-http-https --allow tcp:80,tcp:443 --target-tags http-server

Upload Files from GCE VMs to Google Cloud Storage

By default, GCE VM instances do not have write access to GCS buckets — you need to configure the correct IAM permissions and service account scopes.

Step 1 – Grant the VM's service account Storage permissions

  1. Go to GCP Console → IAM & Admin → IAM.
  2. Find the service account associated with your VM (shown under the instance details).
  3. Click Edit and add the role: Storage Object Admin (or more restrictive as needed).

Alternative: Set access scopes when creating the VM — under Identity and API access, select Allow full access to all Cloud APIs or explicitly enable Cloud Storage read/write.

Step 2 – Upload from the VM using gsutil

# Install gsutil (part of Google Cloud SDK)
sudo apt-get install -y google-cloud-sdk

# Upload a single file
gsutil cp /path/to/local-file.txt gs://my-bucket/

# Upload an entire directory
gsutil -m cp -r /path/to/dir gs://my-bucket/dir/

# Sync (only upload changed files)
gsutil -m rsync -r /path/to/dir gs://my-bucket/dir/

Step 3 – Verify

gsutil ls gs://my-bucket/

Troubleshooting permission errors

  • AccessDeniedException: 403 — the VM's service account lacks the Storage Object Creator/Admin role. Re-check Step 1.
  • If you changed access scopes, you must stop and restart the VM for the change to take effect.

Enable Password Authentication for New Users on GCE

GCE instances default to SSH key authentication only. Follow these steps to create a new user with password-based SSH access.

Step 1 – Create a new user

sudo adduser newusername
# Enter and confirm a strong password when prompted

Step 2 – Grant sudo privileges (optional)

sudo usermod -aG sudo newusername

Step 3 – Enable password authentication in SSH

Edit /etc/ssh/sshd_config and change (or add) these lines:

KbdInteractiveAuthentication yes
PasswordAuthentication yes

Step 4 – Restart SSH

sudo systemctl restart ssh

Step 5 – Open port 22 in GCP Firewall (if not already open)

gcloud compute firewall-rules create allow-ssh --allow tcp:22 --source-ranges=YOUR_IP/32

Security note

Password authentication exposes the server to brute-force attacks. Prefer SSH key auth or use IAP TCP tunnelling (gcloud compute ssh --tunnel-through-iap), which requires no open firewall ports at all.
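
A check for the sshd_config changes made in Method 2 of the SSH access note and in Step 3 above, as an added example that is not part of the original notes: it reports the effective global value of each keyword, following sshd's rule that the first value read for a keyword wins. The function names and both sample files are constructed for illustration, and the defaults passed in are the upstream OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the original notes). sshd keeps the FIRST value it
# reads for a keyword, so a "PasswordAuthentication no" placed below an
# earlier "yes" changes nothing. Include files are not followed here;
# `sudo sshd -T` prints the effective configuration on a live host.

# effective_value FILE KEYWORD DEFAULT: first global value, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, kv, /[ \t=]+/)             # "Key value" or "Key=value"
            k = tolower(kv[1])                   # keywords are case-insensitive
            if (k == "match") exit               # conditional blocks follow
            if (k == key) { print kv[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: one WEAK line per setting the security notes warn about
audit_sshd() {
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" KbdInteractiveAuthentication yes)
    [ "$root" = yes ] && echo "WEAK PermitRootLogin $root"
    [ "$pass" = yes ] && echo "WEAK PasswordAuthentication $pass"
    [ "$kbd" = yes ] && echo "WEAK KbdInteractiveAuthentication $kbd"
    return 0
}

# Constructed sample: the settings from these notes, then a late "fix"
# that has no effect because the earlier line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
EOF
audit_sshd "$sample"      # two WEAK lines: root login and password auth

# Constructed hardened counterpart: key-only logins, no root login.
hardened=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' > "$hardened"
audit_sshd "$hardened"    # no output
```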