Contact UsGet started

Connecting to a virtual machine via OS Login

Written by
Updated at December 5, 2024

OS Login is used to provide users and service accounts with SSH access to VMs using IAM.

Getting started

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Create a new virtual machine with OS Login support or set up access via OS Login for an existing VM as needed.

Note

Roles required to connect to a VM via OS Login:

To connect to a VM or Kubernetes node with enabled OS Login access via the YC CLI, assign the compute.osLogin or compute.osAdminLogin role as well as the compute.operator role to the user or service account running the YC CLI command.

To connect to a virtual machine or Kubernetes node with OS Login access enabled via a standard SSH client, assign the compute.osLogin or compute.osAdminLogin role to the connecting user or service account.

Connecting using a standard SSH client

To connect to a VM with enabled OS Login access, you can use a standard SSH client and provide either the SSH key saved in the user or service account organization profile or a short-lived SSH certificate you export for a user or service account.

To connect to a VM via OS Login with an SSH key using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH keys.

    To add an SSH key to an organization user profile, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <path_to_private_SSH_key_file> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <path_to_private_SSH_key_file>: Path to the file containing the private SSH key, e.g., /home/user1/.ssh/id_ed25519.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    You can also see the command for VM connection in the management console. On the Overview page of the VM, under Connect to VM, expand the Connect via SSH client section and select the SSH key tab.

    If this is your first time connecting to the VM, you will see an unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    Type yes in the terminal and press Enter.

To connect to a VM via OS Login with an SSH certificate using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. Export the SSH certificate to your local computer.

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <certificate_file_path> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <certificate_file_path>: Path to the certificate’s Identity file you exported previously, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    You can also see the command for VM connection in the management console. On the Overview page of the VM, under Connect to VM, expand the Connect via SSH client section and select the Certificate tab.

    If this is your first time connecting to the VM, you will see an unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    Type yes in the terminal and press Enter.

Note

The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the VM.

You will connect to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM's operating system.

Connecting using the YC CLI

To connect to a VM with enabled OS Login access, you can use the YC CLI and provide either the SSH key saved in the user or service account organization profile or an SSH certificate of a user or service account.

To connect to a VM instance via OS Login with an SSH key using the YC CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH keys.

    To add an SSH key to an organization user profile, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  4. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  5. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.

  6. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  7. Connect to the VM:

    yc compute ssh \
  --name <VM_name> \
  --identity-file <path_to_private_SSH_key_file> \
  --login <user_or_service_account_login> \
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --identity-file: Path to a private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the login specified in the default OS Login profile for the user or service account currently authorized in the YC CLI profile.
    • (Optional) --internal-address: To connect using an internal IP address.

    You can also see the command for VM connection in the management console. On the Overview page of the VM, under Connect to VM, expand the Connect via the Yandex Cloud CLI interface section and select the SSH key tab.

To connect to a VM via OS Login with an SSH certificate using the YC CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  6. Connect to the VM:

    yc compute ssh \
  --name <VM_name>
  --login <user_or_service_account_login>
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the SSH certificate of the user or service account currently authorized in the YC CLI profile.
    • (Optional) --internal-address: To connect using an internal IP address.

    You can also see the command for VM connection in the management console. On the Overview page of the VM, under Connect to VM, expand the Connect via the Yandex Cloud CLI interface section and select the Certificate tab.

You will connect to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM's operating system.

See also

Previous
Exporting an SSH certificate
Next
Working with Yandex Cloud from inside a VM