Add the Compute OS Admin Login or Compute OS Login role to the user account you wish to grant access to for the virtual machine. If service account is being used on the VM, you need iam.serviceAccountUser role as well.

When you initiate an SSH session from the Google Cloud Console, need to add SSH key to instance metadata, additional role roles/compute.instanceAdmin.v1 is required.

In the Custom Metadata section, add the following key/value pairs if two-step verification needed:

• enable-oslogin: TRUE
• enable-oslogin-2fa: TRUE