Tags: ssh, ssh-keys, google-cloud-shell

How to SSH login to Google Cloud Shell using an existing private key on a YubiKey security key


I can use gcloud cloud-shell ssh to login to Google Cloud Shell.

This, on first use, creates a ~/.ssh/google_compute_engine (+.pub).

But I already have existing SSH private key/s, and would much prefer to use those, specifically ed25519-sk and id_ecdsa_sk ones backed by a physical YubiKey security key. The gcloud cloud-shell ssh documentation mentions a --ssh-key-file flag, but it does not appear to work, and prints an ignored explicit argument error message that is not particularly helpful:

$ gcloud version
Google Cloud SDK 367.0.0
alpha 2021.12.10
beta 2021.12.10
bq 2.0.72
core 2021.12.10
gsutil 5.5

$ gcloud cloud-shell ssh --ssh-key-file=~/.ssh/id_ecdsa_sk
ERROR: (gcloud.cloud-shell.ssh) argument --ssh-key-file: ignored explicit argument '~/.ssh/id_ecdsa_sk'
Usage: gcloud cloud-shell ssh [optional flags]
  optional flags may be  --authorize-session | --command | --dry-run |
                         --force-key-file-overwrite | --help | --ssh-flag |
                         --ssh-key-file

I thought perhaps it doesn't dig SK SSH keys, but even a simple good ol' self created RSA does not appear to work:

$ ssh-keygen
(...)
Your identification has been saved in /home/vorburger/.ssh/id_rsa
Your public key has been saved in /home/vorburger/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:...

$ gcloud --verbosity=debug cloud-shell ssh --ssh-key-file=~/.ssh/id_rsa --verbosity=debug
ERROR: (gcloud.cloud-shell.ssh) argument --ssh-key-file: ignored explicit argument '~/.ssh/id_rsa'

How does one use gcloud cloud-shell ssh with existing SSH keys?


Solution

  • This behaviour seems to be a bug in the code of the SDK.

    In the file <gcloud path>/lib/googlecloudsdk/command_lib/cloud_shell/util.py we can see how the --ssh-key-file argument is parsed:

    parser.add_argument(
        '--ssh-key-file',
        help="""\
        The path to the SSH key file. By default, this is
          *~/.ssh/google_compute_engine*.
        """,
        action='store_true')
    

    That parser comes from the argparse module.

    In the documentation of that module, we can see what store_true of the action parameter means:

    • 'store_true' and 'store_false' - These are special cases of 'store_const' used for storing the values True and False respectively.

    --ssh-key-file should probably be a string, so the way it's programmed, it's going to ignore anything that's not a boolean.

    I'm guessing the best option in this situation is to raise a bug in Google's Issue Tracker, since it's a bug in the SDK. I've done just that, and this is the link to the report: https://issuetracker.google.com/216434260

    Meanwhile, the workaround would be to replace 'store_true' by something that should work, like 'store':

    • 'store' - This just stores the argument’s value. This is the default action.

    To do so in your local installation of the SDK, simply execute this sed command:

    sed -zi 's/store_true/store/2' $(gcloud info --format 'value(installation.sdk_root)')/lib/googlecloudsdk/command_lib/cloud_shell/util.py
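The argparse behaviour the answer describes, reproduced as an added example (this is not Cloud SDK code): a minimal stand-in for the parser in util.py, built once with the buggy action='store_true' and once with the corrected action='store', so the "ignored explicit argument" error can be seen side by side with the working result. The flag name and default path are the ones on the page; the StrictParser subclass is an assumption made here so the error text can be returned instead of exiting the process.

```python
"""Reproduce the gcloud --ssh-key-file argparse bug and its fix.

Added example, not code from the Cloud SDK. The parser below mimics the
add_argument() call shown from command_lib/cloud_shell/util.py.
"""
import argparse


class StrictParser(argparse.ArgumentParser):
    """Raise instead of calling sys.exit() so callers can inspect the error."""

    def error(self, message):
        # argparse normally prints usage and exits with status 2 here.
        raise argparse.ArgumentError(None, message)


def build_parser(action):
    """Build a parser whose --ssh-key-file uses the given argparse action.

    action='store_true' reproduces the buggy SDK definition (the flag takes
    no value, so '=path' is rejected); action='store' is the fix proposed
    in the answer (the flag stores the path string).
    """
    parser = StrictParser(prog="gcloud cloud-shell ssh")
    parser.add_argument(
        "--ssh-key-file",
        help="The path to the SSH key file. By default, this is "
             "~/.ssh/google_compute_engine.",
        action=action)
    return parser


def parse_key_file(action, argv):
    """Return the parsed --ssh-key-file value, or argparse's error text."""
    try:
        return build_parser(action).parse_args(argv).ssh_key_file
    except argparse.ArgumentError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed command line matching the one in the question.
    argv = ["--ssh-key-file=~/.ssh/id_ecdsa_sk"]
    print("store_true:", parse_key_file("store_true", argv))
    print("store:     ", parse_key_file("store", argv))
```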