Skip to content

project-level-oslogin

Explanation

OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.

Possible Impact

Access via SSH key cannot be revoked automatically when an IAM user is removed.

Suggested Resolution

Enable OS Login at project level

Insecure Example

The following example will fail the google-compute-project-level-oslogin check.

resource "google_compute_project_metadata" "default" {
  metadata = {
    enable-oslogin = false
  }
}

Secure Example

The following example will pass the google-compute-project-level-oslogin check.

resource "google_compute_project_metadata" "default" {
  metadata = {
    enable-oslogin = true
  }
}