If you’re working with Google Cloud Platform (GCP) and using OS Login to manage SSH access to your VM instances, you might have come across the following error when trying to connect via gcloud:

ERROR: (gcloud.beta.compute.ssh) INVALID_ARGUMENT: This region is not supported by the OS Login Sign API at this time.

This error can be confusing, especially if OS Login worked just fine for a year and suddenly stops working. In this blog post, I’ll explain what this error means, why it happens, and how you can resolve or work around it.

What is OS Login?

OS Login allows you to manage SSH keys using IAM identities rather than manually placing public keys in ~/.ssh/authorized_keys. It simplifies access management, improves security, and provides centralized control.

Why does this error occur?

This error occurs because some GCP regions or zones currently do not support the OS Login Sign API —specifically, the part of the API that generates signed SSH login tickets for authentication.

You may encounter this error when using a command like:

gcloud beta compute ssh INSTANCE_NAME --zone=REGION-ZONE

If the specified region doesn’t support the OS Login Sign API, gcloud fails to generate a valid login ticket and throws this error.

How can you fix or work around it?

1. Use a supported region

If possible, deploy your VM instance in a region where OS Login Sign API is fully supported. Common supported regions include:

  • us-central1
  • europe-west1
  • asia-east1

You can check the limitations of the os-login here.

2. Disable OS Login for the instance or project

If you must use a region where the API isn’t supported, you can temporarily disable OS Login and revert to traditional SSH access:

Disable OS Login at the instance level: 

gcloud compute instances add-metadata INSTANCE_NAME \
  --metadata enable-oslogin=FALSE \
  --zone=REGION-ZONE

Add an SSH key manually: 

gcloud compute instances add-metadata INSTANCE_NAME \
  --metadata "ssh-keys=USER:$(cat ~/.ssh/id_rsa.pub)" \
  --zone=REGION-ZONE

3. Add key to your os-login profile and use regular SSH

If you are locked to a specific region, and for some reason you cannot or won't disable os-login. Here is my workaround:

Add an SSH key to your os-login profile: 

gcloud compute os-login ssh-keys add --key-file=~/.ssh/id_rsa.pub

Get your SSH username aka service account id: 

gcloud compute os-login describe-profile --format=json | jq -r '.posixAccounts[].username'

Use regular SSH with ssh key to your VM instance: 

ssh -i ~/.ssh/id_rsa.pub YOUR_SA_ACCOUNT_ID@YOUR_VM_IP

4. Wait for support expansion

If OS Login is a key part of your security policy but the region you need doesn’t support it yet, consider monitoring GCP’s roadmap or contacting support to determine if and when the feature will become available there.

Conclusion

While the error This region is not supported by the OS Login Sign API might look like a bug, it’s actually a limitation in specific GCP regions. Honestly, I don't like it when there is no standard behaviour, and a basic feature is not working everywhere.

"The devil is in details."