compute.projects.setCommonInstanceMetadata
compute.projects.setCommonInstanceMetadata
Event
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
Security Context
- Injecting SSH keys provides direct interactive access to compute instances, bypassing IAM authentication and most monitoring tools.
- Execution capabilities in cloud services can be abused to run malicious code, establish C2 channels, or perform reconnaissance.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — having accumulated compute.projects.setCommonInstanceMetadata via a permissive custom role earlier in the kill chain — appends an attacker-controlled SSH public key to the project-wide ssh-keys metadata. Because project-wide metadata is inherited by every VM in the project (unless block-project-ssh-keys=true is set per-instance), this single call gives Draco SSH access as the user draco-malfoy on every VM in fantasticlogs-prod that runs Linux and isn’t using OS Login. Project-wide metadata is the highest-blast-radius variant of the SSH-key persistence technique. Note: Google redacts the request body for this method to avoid logging SSH key material — defenders pivot on metadata.commonInstanceMetadataDelta.addedMetadataKeys. Compute LROs emit a paired last entry on completion; this is the first entry.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.project-info.add-metadata invocation-id/90000000000000000000001111101110 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T15:14:51.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.projects.setCommonInstanceMetadata", "authorizationInfo": [ { "permission": "compute.projects.setCommonInstanceMetadata", "granted": true, "resourceAttributes": { "service": "compute", "name": "projects/fantasticlogs-prod", "type": "compute.projects" } } ], "resourceName": "projects/fantasticlogs-prod", "request": { "@type": "type.googleapis.com/compute.projects.setCommonInstanceMetadata" }, "response": { "@type": "type.googleapis.com/operation", "id": "8200000000000001111101110", "name": "operation-1776269691000-62fa30c92e201-ab001110-cd001110", "operationType": "setMetadata", "targetId": "555123456789", "targetLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod", "selfLink": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/operation-1776269691000-62fa30c92e201-ab001110-cd001110", "selfLinkWithId": "https://www.googleapis.com/compute/v1/projects/fantasticlogs-prod/global/operations/8200000000000001111101110", "user": "draco@fantasticlogs.cloud", "status": "RUNNING", "progress": "0", "insertTime": "2026-04-15T08:14:51.301-07:00", "startTime": "2026-04-15T08:14:51.318-07:00" }, "metadata": { "@type": "type.googleapis.com/google.cloud.audit.GceProjectAuditMetadata", "commonInstanceMetadataDelta": { "addedMetadataKeys": [ "ssh-keys" ] } }, "resourceLocation": { "currentLocations": [ "global" ] } }, "insertId": "evt001111101110", "resource": { "type": "gce_project", "labels": { "project_id": "fantasticlogs-prod" } }, "timestamp": "2026-04-15T15:14:51.123456789Z", "severity": "NOTICE", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "operation": { "id": "operation-1776269691000-62fa30c92e201-ab001110-cd001110", "producer": "compute.googleapis.com", "first": true }, "receiveTimestamp": "2026-04-15T15:14:51.567890123Z"}MITRE ATT&CK Mapping
Tactics: Persistence Execution Lateral Movement
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.