Skip to content

users.importSshPublicKey

GCP

users.importSshPublicKey

service: GCP - OS Login
techniques:

Event

Imports an SSH public key into a user’s GCP OS Login profile, enabling SSH access to Compute Engine instances.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.

Log Source

Cloud Audit Logs

Sample Event

Adversarial. Draco — operating from the compromised corp account — imports an attacker-controlled SSH public key into the OS Login profile of the target user luna@fantasticlogs.cloud (the new onboarding contractor per persona doc). Because OS Login keys are tied to a Google account and propagate to every VM where Luna has compute.osLogin (typically a wide blast radius for a new-hire account), Draco gains SSH access to any of those VMs as luna_fantasticlogs_cloud — and audit attribution will show Luna, not Draco. This is T1098.004 + identity-laundering: the mismatch between authenticationInfo.principalEmail (Draco) and resourceName (Luna’s user) is the killer detection field.

{
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.os-login.ssh-keys.add invocation-id/90000000000000000000010000001010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)",
"requestAttributes": {
"time": "2026-04-15T16:18:09.221987654Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "oslogin.googleapis.com",
"methodName": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey",
"authorizationInfo": [
{
"resource": "users/luna@fantasticlogs.cloud",
"permission": "compute.oslogin.updateExternalUser",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "users/luna@fantasticlogs.cloud",
"request": {
"@type": "type.googleapis.com/google.cloud.oslogin.v1.ImportSshPublicKeyRequest",
"parent": "users/luna@fantasticlogs.cloud",
"sshPublicKey": {
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRAC0M4LFOY666ATTACKERKEY1010== draco-attacker@evil-host",
"expirationTimeUsec": "0"
}
},
"response": {
"@type": "type.googleapis.com/google.cloud.oslogin.v1.LoginProfile",
"name": "100000000000001111111100",
"posixAccounts": [
{
"primary": true,
"username": "luna_fantasticlogs_cloud",
"uid": "1234567890",
"gid": "1234567890",
"homeDirectory": "/home/luna_fantasticlogs_cloud",
"shell": "/bin/bash",
"operatingSystemType": "LINUX",
"accountId": "fantasticlogs-prod"
}
],
"sshPublicKeys": {
"60000000000001111111100": {
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRAC0M4LFOY666ATTACKERKEY1010== draco-attacker@evil-host",
"expirationTimeUsec": "0",
"fingerprint": "60000000000001111111100",
"name": "users/luna@fantasticlogs.cloud/sshPublicKeys/60000000000001111111100"
}
}
}
},
"insertId": "evt010000001010",
"resource": {
"type": "audited_resource",
"labels": {
"project_id": "fantasticlogs-prod",
"method": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey",
"service": "oslogin.googleapis.com"
}
},
"timestamp": "2026-04-15T16:18:09.123456789Z",
"severity": "INFO",
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access",
"receiveTimestamp": "2026-04-15T16:18:09.567890123Z"
}

MITRE ATT&CK Mapping

Tactics: Persistence Lateral Movement

Techniques:
  • T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
  • T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.