users.importSshPublicKey
users.importSshPublicKey
Event
Imports an SSH public key into a user’s GCP OS Login profile, enabling SSH access to Compute Engine instances.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- SSH-based lateral movement provides adversaries with interactive command-line access to other compute instances in the environment.
Log Source
Cloud Audit Logs
Sample Event
Adversarial. Draco — operating from the compromised corp account — imports an attacker-controlled SSH public key into the OS Login profile of the target user luna@fantasticlogs.cloud (the new onboarding contractor per persona doc). Because OS Login keys are tied to a Google account and propagate to every VM where Luna has compute.osLogin (typically a wide blast radius for a new-hire account), Draco gains SSH access to any of those VMs as luna_fantasticlogs_cloud — and audit attribution will show Luna, not Draco. This is T1098.004 + identity-laundering: the mismatch between authenticationInfo.principalEmail (Draco) and resourceName (Luna’s user) is the killer detection field.
{ "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.compute.os-login.ssh-keys.add invocation-id/90000000000000000000010000001010 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws),gzip(gfe)", "requestAttributes": { "time": "2026-04-15T16:18:09.221987654Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "oslogin.googleapis.com", "methodName": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey", "authorizationInfo": [ { "resource": "users/luna@fantasticlogs.cloud", "permission": "compute.oslogin.updateExternalUser", "granted": true, "resourceAttributes": {} } ], "resourceName": "users/luna@fantasticlogs.cloud", "request": { "@type": "type.googleapis.com/google.cloud.oslogin.v1.ImportSshPublicKeyRequest", "parent": "users/luna@fantasticlogs.cloud", "sshPublicKey": { "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRAC0M4LFOY666ATTACKERKEY1010== draco-attacker@evil-host", "expirationTimeUsec": "0" } }, "response": { "@type": "type.googleapis.com/google.cloud.oslogin.v1.LoginProfile", "name": "100000000000001111111100", "posixAccounts": [ { "primary": true, "username": "luna_fantasticlogs_cloud", "uid": "1234567890", "gid": "1234567890", "homeDirectory": "/home/luna_fantasticlogs_cloud", "shell": "/bin/bash", "operatingSystemType": "LINUX", "accountId": "fantasticlogs-prod" } ], "sshPublicKeys": { "60000000000001111111100": { "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRAC0M4LFOY666ATTACKERKEY1010== draco-attacker@evil-host", "expirationTimeUsec": "0", "fingerprint": "60000000000001111111100", "name": "users/luna@fantasticlogs.cloud/sshPublicKeys/60000000000001111111100" } } } }, "insertId": "evt010000001010", "resource": { "type": "audited_resource", "labels": { "project_id": "fantasticlogs-prod", "method": "google.cloud.oslogin.v1.OsLoginService.ImportSshPublicKey", "service": "oslogin.googleapis.com" } }, "timestamp": "2026-04-15T16:18:09.123456789Z", "severity": "INFO", "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2026-04-15T16:18:09.567890123Z"}MITRE ATT&CK Mapping
Tactics: Persistence Lateral Movement
- T1098.004 — SSH Authorized Keys — Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</...
- T1021.004 — SSH — Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.