diff --git a/pipelines/kind-node-builder/pipeline.yml b/pipelines/kind-node-builder/pipeline.yml index 48a9778bc..ba277e646 100644 --- a/pipelines/kind-node-builder/pipeline.yml +++ b/pipelines/kind-node-builder/pipeline.yml @@ -86,6 +86,10 @@ jobs: file: pinniped-ci/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml image: gcloud-image params: + SHARED_VPC_PROJECT: ((shared-vpc-project)) + SUBNET_REGION: ((subnet-region)) + SUBNET_NAME: ((instances-subnet-name)) + DISK_IMAGES_PROJECT: ((disk-images-gcp-project-name)) <<: *gcp_account_params - task: build-kind-node-image timeout: 90m diff --git a/pipelines/shared-tasks/build-kind-node-image/task.sh b/pipelines/shared-tasks/build-kind-node-image/task.sh index 58e5b90a4..e83a8b17f 100755 --- a/pipelines/shared-tasks/build-kind-node-image/task.sh +++ b/pipelines/shared-tasks/build-kind-node-image/task.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail 
@@ -17,27 +17,49 @@ gcloud auth activate-service-account \ # Create a temporary username because we can't ssh as root. Note that this username must be 32 character or less. ssh_user="kind-node-builder-$(openssl rand -hex 4)" -ssh_dest="${ssh_user}@${instance_name}" -echo "ssh user@dest will be ${ssh_dest}" +echo "ssh user will be ${ssh_user}" -# gcloud scp/ssh commands will interactively prompt to create an ssh key unless one already exists, so create one. +# Make a private key for ssh. mkdir -p "$HOME/.ssh" ssh_key_file="$HOME/.ssh/kind-node-builder-key" ssh-keygen -t rsa -b 4096 -q -N "" -f "$ssh_key_file" +# When run in CI, the service account should not have permission to create project-wide keys, so explicitly add the +# key only to the specific VM instance (as VM metadata). We don't want to pollute the project-wide keys with these. +# See https://cloud.google.com/compute/docs/connect/add-ssh-keys#after-vm-creation for explanation of these commands. +# Note that this overwrites all ssh keys in the metadata. At the moment, these VMs have no ssh keys in the metadata +# upon creation, so it should always be okay to overwrite the empty value. However, if someday they need to have some +# initial ssh keys in the metadata for some reason, and if those keys need to be preserved for some reason, then +# these commands could be enhanced to instead read the keys, add to them, and write back the new list. +future_time="$(date --utc --date '+3 hours' '+%FT%T%z')" +echo \ + "${ssh_user}:$(cat "${ssh_key_file}.pub") google-ssh {\"userName\":\"${ssh_user}\",\"expireOn\":\"${future_time}\"}" \ + > /tmp/ssh-key-values +gcloud compute instances add-metadata "$instance_name" \ + --metadata-from-file ssh-keys=/tmp/ssh-key-values \ + --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" + +# Get the IP so we can use regular ssh (not gcloud ssh), now that it has been set up. 
+gcloud_instance_ip=$(gcloud compute instances describe \ + --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" "${instance_name}" \ + --format='get(networkInterfaces[0].networkIP)') + +ssh_dest="${ssh_user}@${gcloud_instance_ip}" + # Copy the build script to the VM. echo "Copying $local_build_script to $instance_name as $remote_build_script..." -gcloud compute scp --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" \ - --ssh-key-file "$ssh_key_file" --ssh-key-expire-after 1h --strict-host-key-checking no \ +scp -i "$ssh_key_file" \ + -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \ "$local_build_script" "$ssh_dest":"$remote_build_script" # Run the script that was copied to the server above. # Note that this assumes that there is no single quote character inside the values of PUSH_TO_IMAGE_REPO, # DOCKER_USERNAME, and DOCKER_PASSWORD, which would cause quoting problems in the command below. echo "Running $remote_build_script on $instance_name..." -gcloud compute ssh --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" "$ssh_dest" \ - --ssh-key-file "$ssh_key_file" --ssh-key-expire-after 1h --strict-host-key-checking no \ - --command "chmod 755 $remote_build_script && export PUSH_TO_IMAGE_REGISTRY='${PUSH_TO_IMAGE_REGISTRY}' && export PUSH_TO_IMAGE_REPO='${PUSH_TO_IMAGE_REPO}' && export DOCKER_USERNAME='${DOCKER_USERNAME}' && export DOCKER_PASSWORD='${DOCKER_PASSWORD}' && $remote_build_script" +ssh -i "$ssh_key_file" \ + -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \ + "$ssh_dest" \ + "chmod 755 $remote_build_script && export PUSH_TO_IMAGE_REGISTRY='${PUSH_TO_IMAGE_REGISTRY}' && export PUSH_TO_IMAGE_REPO='${PUSH_TO_IMAGE_REPO}' && export DOCKER_USERNAME='${DOCKER_USERNAME}' && export DOCKER_PASSWORD='${DOCKER_PASSWORD}' && $remote_build_script" echo echo "Done!" diff --git a/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh b/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh index 979ba17b0..2257e5a25 100755 
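Review bot: The new `scp`/`ssh` calls pass `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which turns off host-key verification completely, and the same `ssh` command then exports `DOCKER_PASSWORD` on whatever host answers at `$gcloud_instance_ip`, so anything able to answer on that subnet (or to influence the `describe` lookup) receives working registry credentials; the old `gcloud compute ssh` path at least let gcloud record the host key it saw. Since the instance is created by this pipeline, its host keys can be pinned rather than ignored: read the keys the guest agent publishes to guest attributes, write them to a per-run known_hosts file keyed by the private IP, and run with `StrictHostKeyChecking=yes` as sketched below (this assumes the packer image runs the guest agent with guest attributes enabled — confirm against the image before relying on it). Two smaller points on the added lines: `/tmp/ssh-key-values` is a fixed, predictable path and should come from `mktemp`, and the metadata key now lives for `+3 hours` where the old `--ssh-key-expire-after 1h` was an hour; the build task has a 90m timeout, so `+2 hours` covers it. The hunk is top-level script, not a function.
```shell
# Pin the VM's SSH host keys (published by the guest agent into guest attributes)
# instead of trusting whatever answers at the IP.
known_hosts_file="$HOME/.ssh/kind-node-builder-known-hosts"
gcloud compute instances get-guest-attributes "$instance_name" \
  --query-path=hostkeys/ --zone "$INSTANCE_ZONE" --project "$GCP_PROJECT" \
  --format='value(key,value)' \
  | awk -v host="$gcloud_instance_ip" '{print host, $1, $2}' > "$known_hosts_file"
[[ -s "$known_hosts_file" ]] || { echo "no host keys published for $instance_name" >&2; exit 1; }
# … unchanged: ssh_dest, "Copying ..." echo …
scp -i "$ssh_key_file" \
  -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts_file" \
  "$local_build_script" "$ssh_dest":"$remote_build_script"
# … unchanged: "Running ..." echo …
ssh -i "$ssh_key_file" \
  -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts_file" \
  "$ssh_dest" \
  "chmod 755 $remote_build_script && export PUSH_TO_IMAGE_REGISTRY='${PUSH_TO_IMAGE_REGISTRY}' && export PUSH_TO_IMAGE_REPO='${PUSH_TO_IMAGE_REPO}' && export DOCKER_USERNAME='${DOCKER_USERNAME}' && export DOCKER_PASSWORD='${DOCKER_PASSWORD}' && $remote_build_script"
```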
--- a/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh +++ b/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail @@ -20,10 +20,10 @@ echo "Creating $INSTANCE_NAME in $INSTANCE_ZONE..." gcloud compute instances create "${INSTANCE_NAME}" \ --zone "${INSTANCE_ZONE}" \ --machine-type=e2-standard-2 \ - --image=debian-11-bullseye-v20210916 --image-project=debian-cloud \ - --boot-disk-size=30GB --boot-disk-type=pd-ssd \ --labels "kind-node-builder=" \ --no-service-account --no-scopes \ + --network-interface=stack-type=IPV4_ONLY,subnet=projects/"$SHARED_VPC_PROJECT"/regions/"${SUBNET_REGION}"/subnetworks/"${SUBNET_NAME}",no-address \ + --create-disk=auto-delete=yes,boot=yes,device-name="${INSTANCE_NAME}",image=projects/"${DISK_IMAGES_PROJECT}"/global/images/labs-saas-gcp-debian11-packer-latest,mode=rw,size=30,type=pd-ssd \ --tags=kind-node-image-builder echo "$INSTANCE_NAME" > name diff --git a/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml b/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml index bf708bff9..0e074193b 100644 --- a/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml +++ b/pipelines/shared-tasks/create-kind-node-builder-vm/task.yml @@ -1,4 +1,4 @@ -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 --- @@ -12,5 +12,9 @@ params: GCP_PROJECT: GCP_USERNAME: GCP_JSON_KEY: + SHARED_VPC_PROJECT: + SUBNET_REGION: + SUBNET_NAME: + DISK_IMAGES_PROJECT: run: path: pinniped-ci/pipelines/shared-tasks/create-kind-node-builder-vm/task.sh
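Review bot: The `--create-disk` line now boots from `labs-saas-gcp-debian11-packer-latest`, a floating image name, where the removed `--image=debian-11-bullseye-v20210916` was a fixed version, so the base of every kind node image this pipeline pushes can change between runs with no change in this repo and nothing in the task output saying which image was actually used. If the name has to float, at least record provenance before creating the VM, e.g. `gcloud compute images describe labs-saas-gcp-debian11-packer-latest --project "${DISK_IMAGES_PROJECT}" --format='value(id,creationTimestamp)'` echoed into the log, so a bad build can be traced to the exact image id; pinning a dated image name via a pipeline var is the better option. The `no-address` plus existing `--no-service-account --no-scopes` combination is a good reduction of the VM's reach; since the image is now a custom one, it is also worth checking whether it supports `--shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring` and adding them to the create call.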