---
title: OSLogin is disabled in VM instance
description: Datadog, the leading service for cloud-scale monitoring.
---

# OSLogin is disabled in VM instance

## Metadata{% #metadata %}

**Id:** `ansible-gcp-oslogin-is-disabled-for-vm-instance` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)

### Description{% #description %}

OS Login should be enabled on Google Compute VM instances to centralize SSH access control via IAM and avoid unmanaged, long-lived SSH keys on individual instances. For Ansible-managed instances using the `google.cloud.gcp_compute_instance` or `gcp_compute_instance` modules, set the `metadata.enable-oslogin` property to `true`. Resources missing the `enable-oslogin` metadata key or with a value that does not evaluate to Ansible true are flagged.

Secure configuration example:

```yaml
- name: create instance with OS Login enabled
  google.cloud.gcp_compute_instance:
    name: my-instance
    zone: us-central1-a
    metadata:
      enable-oslogin: true
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: oslogin-enabled
  google.cloud.gcp_compute_instance:
    name: oslogin-enabled-instance
    metadata:
      enable-oslogin: yes
    zone: us-central1-a
    auth_kind: serviceaccount
- name: oslogin-missing
  google.cloud.gcp_compute_instance:
    name: oslogin-missing-instance
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: oslogin-disabled
  google.cloud.gcp_compute_instance:
    name: oslogin-disabled-instance
    metadata:
      enable-oslogin: no
    zone: us-central1-a
    auth_kind: serviceaccount
```
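
The check from the Description, sketched as a CI-style function over tasks that have already been loaded from YAML. This is an added example, not Datadog's rule implementation: the function names, the `flag_missing` switch, the descent into `block`/`rescue`/`always` and the nested sample task are assumptions of this example, and the truthy set follows Ansible's boolean conversion.

```python
# Added example: a minimal re-implementation of the check, not Datadog's rule code.
MODULES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")
# String values that Ansible's boolean conversion treats as true.
ANSIBLE_TRUE = {"y", "yes", "on", "1", "true", "t"}


def is_ansible_true(value):
    """Mirror Ansible truthiness for a metadata value loaded from YAML."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    return isinstance(value, str) and value.strip().lower() in ANSIBLE_TRUE


def find_oslogin_issues(tasks, flag_missing=True):
    """Return (task name, reason) pairs; flag_missing is this example's own switch."""
    findings = []
    for task in tasks:
        # Descend into block/rescue/always so nested tasks are checked too.
        for section in ("block", "rescue", "always"):
            findings += find_oslogin_issues(task.get(section) or [], flag_missing)
        for module in MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue
            metadata = args.get("metadata")
            if not isinstance(metadata, dict):
                metadata = {}
            name = task.get("name", args.get("name", "<unnamed>"))
            if "enable-oslogin" not in metadata:
                if flag_missing:
                    findings.append((name, "enable-oslogin missing"))
            elif not is_ansible_true(metadata["enable-oslogin"]):
                findings.append((name, "enable-oslogin is not true"))
    return findings


# Constructed sample: this page's three tasks as a YAML 1.1 loader returns them
# (yes/no become booleans), plus a nested task with the string value "TRUE".
SAMPLE_TASKS = [
    {"name": "oslogin-enabled", "google.cloud.gcp_compute_instance": {
        "name": "oslogin-enabled-instance", "metadata": {"enable-oslogin": True}}},
    {"name": "oslogin-missing", "google.cloud.gcp_compute_instance": {
        "name": "oslogin-missing-instance", "metadata": {"cost-center": "12345"}}},
    {"name": "oslogin-disabled", "google.cloud.gcp_compute_instance": {
        "name": "oslogin-disabled-instance", "metadata": {"enable-oslogin": False}}},
    {"name": "wrapper", "block": [{"name": "nested-string-value",
        "gcp_compute_instance": {"name": "n1", "metadata": {"enable-oslogin": "TRUE"}}}]},
]
```

Calling `find_oslogin_issues(SAMPLE_TASKS)` reports the `oslogin-missing` and `oslogin-disabled` tasks; with `flag_missing=False` only `oslogin-disabled` is reported.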
