Cloud OS Login API

Name: Cloud OS Login API API
Brand: Cloud OS Login API
Availability: InStock

✓ Official Vendor SpecIdentity AuthDirectory Servicesoauth26 EndpointsREST

For Agents

Manage SSH key bindings and POSIX login profiles for Google Cloud users so VM access flows through IAM rather than per-host key files.

Quickstart

Get started with Cloud OS Login API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"import a google cloud os login ssh key"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with Cloud OS Login API API.

Read a user's OS Login profile including POSIX username, UID, and home directory

Import a new SSH public key for an authenticated Google identity

Delete an SSH public key when an employee leaves or rotates credentials

Update an existing SSH public key's expiry or fingerprint metadata

GET STARTED

Start building with Cloud OS Login API API

Explore with Jentic

View OpenAPI Document

Use for: Get the OS Login profile for the authenticated Google user, Import a new SSH public key for a user who is onboarding, Delete an SSH key that has been compromised, Update the expiry of an SSH public key

Not supported: Does not authenticate SSH sessions, manage VM metadata, or create user accounts — use for SSH key bindings and POSIX login profile reads only.

The Cloud OS Login API manages SSH access to Google Compute Engine VMs through IAM identities rather than per-VM key files. It exposes the user's login profile (POSIX username, UID/GID, secondary aliases) and lets administrators import, delete, and update SSH public keys associated with that identity. Use it to centralise SSH access management, remove a former employee's keys across all VMs at once, or build automation that issues short-lived SSH keys to engineers. The spec exposes 6 endpoints.

Use Cases

Patterns agents use Cloud OS Login API API for, with concrete tasks.

★ Centralised SSH key lifecycle

Replace per-VM SSH key files with IAM-driven access by importing each engineer's public key once via OS Login. The API binds the key to a Google identity, and every VM with OS Login enabled accepts it automatically. Removing a key removes access fleet-wide — a single source of truth for SSH access management.

Import a new SSH public key for user alice@example.com via POST /v1/{+parent}:importSshPublicKey and confirm by listing the keys on her login profile.

Rapid revocation on offboarding

When an engineer leaves, delete their SSH public keys via OS Login to revoke access from every VM that uses OS Login at once. The alternative — pruning authorized_keys files VM by VM — is slow and error-prone. This use case turns access revocation into a single API call instead of an audit project.

List all SSH public keys for user bob@example.com via GET /v1/{+name}/loginProfile and DELETE /v1/{+name} for each fingerprint to revoke fleet access.

Short-lived SSH keys for engineers

Issue short-lived SSH public keys that expire after a defined interval, and let the OS Login API enforce the expiry across the fleet. The expirationTimeUsec field on imported keys means an automation can mint a key valid for a few hours, ship it to the engineer's local agent, and never need to remember to revoke it.

Import an SSH public key for user alice@example.com with expirationTimeUsec set to 4 hours from now via POST /v1/{+parent}:importSshPublicKey.

Agent-driven SSH access management via Jentic

An access agent reacting to a JIT request — for example, an engineer asking for VM access via Slack — can use Jentic to import a key with the correct expiry and reply with the VM hostname. Credentials stay in the Jentic vault, so the agent runs under scoped admin tokens with audit trail.

Use Jentic to find the import-ssh-key operation, load its schema, and import a public key for the requesting user with a 60-minute expiry.

Key Endpoints

6 endpoints — the cloud os login api manages ssh access to google compute engine vms through iam identities rather than per-vm key files.

METHOD

PATH

DESCRIPTION

GET

/v1/{+name}/loginProfile

Get the user's OS Login profile

POST

/v1/{+parent}:importSshPublicKey

Import an SSH public key

POST

/v1/{+parent}/sshPublicKeys

Create an SSH public key entry

PATCH

/v1/{+name}

Update an SSH public key's metadata

DELETE

/v1/{+name}

Delete an SSH public key

GET

/v1/{+name}/loginProfile

Get the user's OS Login profile

POST

/v1/{+parent}:importSshPublicKey

Import an SSH public key

POST

/v1/{+parent}/sshPublicKeys

Create an SSH public key entry

PATCH

/v1/{+name}

Update an SSH public key's metadata

DELETE

/v1/{+name}

Delete an SSH public key

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google OAuth 2.0 tokens are minted from a service account stored in the Jentic vault (MAXsystem). Agents act under scoped, short-lived tokens — the service-account key never enters their context.

Intent-based discovery

Agents search Jentic with intents like import ssh key or revoke ssh access and Jentic returns the matching OS Login operation, its scopes, and its input schema.

Time to first call

Direct integration: a few hours to wire OAuth and key management. Through Jentic: under 15 minutes — search, load, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Complementary

Identity and Access Management API

IAM grants the roles that allow a user to log into a VM via OS Login

Use IAM when the agent needs to grant compute.osLogin or compute.osAdminLogin; use OS Login to manage the SSH keys that ride those grants.

Complementary

Compute Engine API

Compute Engine owns the VM instances that OS Login keys grant access to

Use Compute Engine when the agent needs to enable OS Login on a VM via metadata; use OS Login to manage the SSH keys on the user side.

Alternative

Cloud Identity API

Cloud Identity manages user accounts; OS Login binds those identities to POSIX SSH access

Use Cloud Identity when the agent needs to create or disable a user; use OS Login when the user already exists and the goal is SSH access.

FAQs

Specific to using Cloud OS Login API API through Jentic.

What authentication does the Cloud OS Login API use?

The API uses Google OAuth 2.0 with the cloud-platform or compute scope, plus the relevant OS Login admin or self-management role. Through Jentic, tokens come from a service account in the Jentic vault.

Can I delete an SSH key for a user who has left?

Yes. List the user's keys via GET /v1/{+name}/loginProfile, then DELETE /v1/{+name} for each public key fingerprint. The change propagates to every VM that uses OS Login.

What are the rate limits for the OS Login API?

Google Cloud meters profile reads and key writes under per-project quotas. Bulk imports should batch and back off; treat key propagation to VMs as eventually consistent in the order of seconds.

How do I import an SSH key through Jentic?

Search Jentic for import ssh public key, load the schema for POST /v1/{+parent}:importSshPublicKey, and execute it with the public key and an optional expirationTimeUsec. Jentic returns the resulting profile so the agent can confirm the binding.

Does this API authenticate the SSH session itself?

No — actual SSH authentication happens on each VM by the OS Login PAM module, which validates the inbound key against this API's bindings. This API only stores the bindings and profile data.

How do I find a user's POSIX username?

Call GET /v1/{+name}/loginProfile with the user resource name and read the posixAccounts field; each entry includes the username and UID assigned for OS Login.