
Metadata

Id: 66dae697-507b-4aef-be18-eec5bd707f33

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

OS Login should be enabled on Google Compute VM instances to centralize SSH access control through IAM and to avoid unmanaged, long-lived SSH keys on individual instances. For Ansible-managed instances that use the google.cloud.gcp_compute_instance or gcp_compute_instance modules, set the metadata.enable-oslogin property to true. Instances whose metadata lacks the enable-oslogin key, or whose value does not evaluate to Ansible true, are flagged.

Secure configuration example:

- name: create instance with OS Login enabled
  google.cloud.gcp_compute_instance:
    name: my-instance
    zone: us-central1-a
    metadata:
      enable-oslogin: true

Compliant Code Examples

- name: oslogin-enabled
  google.cloud.gcp_compute_instance:
    metadata:
      enable-oslogin: yes
    zone: us-central1-a
    auth_kind: serviceaccount
- name: oslogin-missing
  google.cloud.gcp_compute_instance:
    metadata:
      startup-script-url: gs://graphite-playground/bootstrap.sh
      cost-center: '12345'
    zone: us-central1-a
    auth_kind: serviceaccount

Non-Compliant Code Examples

- name: oslogin-disabled
  google.cloud.gcp_compute_instance:
    metadata:
      enable-oslogin: no
    zone: us-central1-a
    auth_kind: serviceaccount
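The check described above, written out as an added Python example; it is not Datadog's or the scanner's own code. It works on tasks already parsed into dicts (what yaml.safe_load would return for a play's task list), models Ansible's boolean conversion with its own truthy/falsy tables, and, following the description's wording, reports a task whose metadata has no enable-oslogin key as well as one that sets it to a non-true value.

```python
"""Minimal checker for the OS Login rule over parsed Ansible tasks (added example)."""

# Module names the rule covers, as listed in the description.
GCP_INSTANCE_MODULES = ("google.cloud.gcp_compute_instance", "gcp_compute_instance")

# Strings Ansible treats as boolean true / false. Modelled on Ansible's
# convert_bool.boolean(); this table is an assumption, not the scanner's own.
_TRUE = {"y", "yes", "on", "1", "true", "t"}
_FALSE = {"n", "no", "off", "0", "false", "f"}


def ansible_truthy(value):
    """True only if value evaluates to Ansible true. None (key missing),
    unknown strings and other types count as not-true, so they get flagged."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        return value.strip().lower() in _TRUE
    return False


def check_oslogin(tasks):
    """Return names of gcp_compute_instance tasks whose metadata lacks
    enable-oslogin or sets it to something other than Ansible true."""
    findings = []
    for task in tasks:
        module = next((m for m in GCP_INSTANCE_MODULES if m in task), None)
        if module is None:
            continue  # some other module; the rule does not apply
        params = task.get(module) or {}
        metadata = params.get("metadata") if isinstance(params, dict) else None
        value = metadata.get("enable-oslogin") if isinstance(metadata, dict) else None
        if not ansible_truthy(value):
            findings.append(task.get("name", "<unnamed>"))
    return findings


# Constructed sample tasks mirroring the three examples on this page.
SAMPLE_TASKS = [
    {"name": "oslogin-enabled",
     "google.cloud.gcp_compute_instance": {"metadata": {"enable-oslogin": "yes"}, "zone": "us-central1-a"}},
    {"name": "oslogin-missing",
     "google.cloud.gcp_compute_instance": {"metadata": {"cost-center": "12345"}, "zone": "us-central1-a"}},
    {"name": "oslogin-disabled",
     "google.cloud.gcp_compute_instance": {"metadata": {"enable-oslogin": "no"}, "zone": "us-central1-a"}},
]

if __name__ == "__main__":
    for name in check_oslogin(SAMPLE_TASKS):
        print(f"flagged: {name}")
```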