google-app-engine, google-cloud-platform, multi-factor-authentication, identity-aware-proxy

Google App Engine and Identity-Aware Proxy - Enable MFA for SSH?


Is there a way to enable multi-factor auth for SSH access to App Engine instances? Everything I've found points to "OS Login" for that, but it only seems to apply to Compute instances.

I understand I can enable MFA for the org and the gcloud CLI will force the MFA for the initial authentication, but I'd prefer an MFA check every time an SSH connection was initiated.


Solution

  • TL;DR: No, you cannot enable SSH MFA to the App Engine flex environment.

    As you may be aware now, you can SSH to an App Engine Flex environment only for debugging as described at Comparing high-level features.

    You can enable debug mode for a VM, but as you can read on the Debugging an Instance page:

    Any changes you make to the VM while in debug mode are temporary; you will lose your changes when you disable debug mode. VMs that are being debugged restart periodically, which can make it difficult to debug long running tasks.

    SSH access to a VM for App Engine is not intended to be done on a regular basis; it's only meant to be done when you really need to debug your application. Since this is only a temporary solution, you cannot enable MFA or make any changes to the VM. That VM is being managed by Google and any change you perform will not stick.

    If you need regular SSH access to your application or MFA, consider switching to a non-managed solution such as GCE. App Engine is a managed solution (PaaS), so you lose control over certain aspects.