Connecting to a VM via OS Login
OS Login provides users and service accounts access to VMs relying solely on the Yandex Identity and Access Management mechanisms, without requiring you to upload SSH keys to each new VM when creating it.
Getting started
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.
Create a new virtual machine with OS Login support or configure OS Login access for an existing VM as needed.
Note
To connect to a virtual machine or Kubernetes node with OS Login access enabled, assign the compute.osLogin or compute.osAdminLogin role to the user or service account. When connecting using the Yandex Cloud CLI, you additionally need the compute.operator role.
Connecting using a standard SSH client
You can connect to a VM with OS Login access enabled using a standard SSH client with either an SSH key saved in the OS Login profile of an organization user or service account, or a short-lived SSH certificate exported for that user or service account.
To connect to a VM via OS Login with an SSH key using a standard SSH client:
- Enable access via OS Login at the organization level.
  To connect to a VM via OS Login with an SSH key, enable Access via OS Login using SSH keys.
  To allow users to add SSH keys to their own OS Login profiles, enable Allow members to use their own SSH keys.
- Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.
- Get the ID of the organization containing the required OS Login profile of the user or service account:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-------------------------+
  | ID                   | NAME                    | TITLE                   |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
  | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
  | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
  +----------------------+-------------------------+-------------------------+
- Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:
  yc organization-manager os-login profile list \
    --organization-id <organization_ID>
  Result:
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
  | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
  | ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  Save the LOGIN field value for the required user or service account: you will need it later.
  Note
  The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.
- Get a list of all VMs in the default folder:
  yc compute instance list
  Result:
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | ID                   | NAME            | ZONE ID       | STATUS  | EXTERNAL IP   | INTERNAL IP  |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
  | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.
- Connect to the VM:
  ssh -i <path_to_private_SSH_key_file> \
    -l <user_or_service_account_login> <VM_public_IP_address>
  Where:
  <path_to_private_SSH_key_file>: Path to the private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
  <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
  <VM_public_IP_address>: VM public IP address you saved earlier.
  If this is your first time connecting to the VM, you will get this unknown host warning:
  The authenticity of host '158.160.**.** (158.160.**.**)' can't be established. ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********. Are you sure you want to continue connecting (yes/no)?
  In the terminal, type yes and press Enter.
To connect to a VM via OS Login with an SSH certificate using a standard SSH client:
- Enable access via OS Login at the organization level.
  To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).
- Export the SSH certificate to your local computer.
- Get the ID of the organization containing the required OS Login profile of the user or service account:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-------------------------+
  | ID                   | NAME                    | TITLE                   |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
  | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
  | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
  +----------------------+-------------------------+-------------------------+
- Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:
  yc organization-manager os-login profile list \
    --organization-id <organization_ID>
  Result:
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
  | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
  | ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  Save the LOGIN field value for the required user or service account: you will need it later.
  Note
  The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.
- Get a list of all VMs in the default folder:
  yc compute instance list
  Result:
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | ID                   | NAME            | ZONE ID       | STATUS  | EXTERNAL IP   | INTERNAL IP  |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
  | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.
- Connect to the VM:
  ssh -i <certificate_file_path> \
    -l <user_or_service_account_login> <VM_public_IP_address>
  Where:
  <certificate_file_path>: Path to the certificate's Identity file you exported previously, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
  <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
  <VM_public_IP_address>: VM public IP address you saved earlier.
  You can also view the command for VM connection in the management console. On the Overview page of the VM, under Access, expand Connect via the client SSH and select the Via certificate tab.
  If this is your first time connecting to the VM, you will get this unknown host warning:
  The authenticity of host '158.160.**.** (158.160.**.**)' can't be established. ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********. Are you sure you want to continue connecting (yes/no)?
  In the terminal, type yes and press Enter.
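Both procedures above end in the same ssh command, assembled from values read off two yc tables. The script below is an added example and is not part of the Yandex Cloud documentation: it parses the grid output of yc compute instance list and yc organization-manager os-login profile list (the samples embedded here are constructed from the masked tables shown on this page), looks up the login by SUBJECT ID and the public IP by VM name, and prints the command from the Connect to the VM step. The function names and the header-driven parsing are this example's own; in real use you would pass the live command output in place of the samples. The same login and VM name are what the Yandex Cloud CLI procedure later on this page hands to yc compute ssh via --login and --name.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs: read the login and the public IP
# out of yc table output and assemble the ssh command from the steps above.
# Assumptions: the tables are the ASCII grid that `yc ... list` prints by
# default; the function names below are this example's own.

# Constructed samples, copied from the (masked) tables shown on this page.
# In real use: profiles=$(yc organization-manager os-login profile list --organization-id <organization_ID>)
SAMPLE_PROFILES='+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+'

# In real use: instances=$(yc compute instance list)
SAMPLE_INSTANCES='+----------------------+-----------------+---------------+---------+---------------+--------------+
| ID                   | NAME            | ZONE ID       | STATUS  | EXTERNAL IP   | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+'

# table_lookup TABLE WANT_COLUMN KEY_COLUMN KEY_VALUE
# Prints the WANT_COLUMN cell of the first row whose KEY_COLUMN cell equals
# KEY_VALUE. Columns are located by header name, so column order is irrelevant.
table_lookup() {
  printf '%s\n' "$1" | awk -F'|' -v want="$2" -v keycol="$3" -v key="$4" '
    /^\+/ || NF < 3 { next }                  # border lines and blank lines
    {
      for (i = 2; i < NF; i++)                # fields 1 and NF lie outside the grid
        gsub(/^[ \t]+|[ \t]+$/, "", $i)       # strip the cell padding
      if (!seen_header) {                     # the first grid line is the header row
        seen_header = 1
        for (i = 2; i < NF; i++) col[$i] = i
        if (!(want in col) || !(keycol in col)) exit 2
        next
      }
      if ($(col[keycol]) == key) { print $(col[want]); exit 0 }
    }'
}

# ssh_command IDENTITY_FILE LOGIN HOST
# The command from the "Connect to the VM" step; with a certificate, pass the
# exported Identity file as IDENTITY_FILE exactly as the page describes.
ssh_command() {
  printf 'ssh -i %s -l %s %s\n' "$1" "$2" "$3"
}

# connect_command PROFILES_TABLE INSTANCES_TABLE SUBJECT_ID VM_NAME IDENTITY_FILE
# Resolves the login and public IP from the tables and prints the ssh command.
# Fails (exit 1) instead of printing a half-built command when a lookup misses.
connect_command() {
  login=$(table_lookup "$1" "LOGIN" "SUBJECT ID" "$3")
  host=$(table_lookup "$2" "EXTERNAL IP" "NAME" "$4")
  if [ -z "$login" ] || [ -z "$host" ]; then
    echo "no OS Login profile for subject $3 or no public IP for VM $4" >&2
    return 1
  fi
  ssh_command "$5" "$login" "$host"
}

# Demo with the constructed samples; prints:
# ssh -i /home/user1/.ssh/id_ed25519 -l user1 158.160.**.**
connect_command "$SAMPLE_PROFILES" "$SAMPLE_INSTANCES" \
  'aje7b4u65nb6********' first-instance /home/user1/.ssh/id_ed25519
```

The lookup is keyed on SUBJECT ID rather than on the LOGIN column because the login is what you are trying to find; keying on the stable subject identifier avoids picking the wrong profile when several logins look alike. The command is printed rather than executed so that you can review the host and login before connecting.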
Note
The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the VM.
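Because the exported certificate expires after one hour, it is cheaper to check it before each connection attempt than to learn of the expiry from a rejected login. The script below is an added example and not part of the Yandex Cloud documentation: it reads the Valid: line from the output of ssh-keygen -L -f <certificate> and reports whether the certificate is still inside its validity window. The ssh-keygen output embedded here is a constructed sample, the certificate file name assumes the OpenSSH convention of <Identity_file>-cert.pub beside the Identity file described above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs: check an exported OS Login SSH
# certificate against its validity window before connecting. It parses the
# "Valid:" line printed by `ssh-keygen -L -f <certificate>`; the sample output,
# the file name and the function names are this example's own assumptions.

# Constructed sample of `ssh-keygen -L` output (values are placeholders).
SAMPLE_CERT_INFO='/home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "orgusername"
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T11:00:00
        Principals:
                orgusername'

# cert_validity INFO -> prints "<not-before> <not-after>" taken from the Valid:
# line (prints nothing for a certificate reported as "Valid: forever").
cert_validity() {
  printf '%s\n' "$1" | awk '$1 == "Valid:" && $2 == "from" { print $3, $5; exit }'
}

# str_lt A B -> exit 0 when A sorts before B. Timestamps in the
# YYYY-MM-DDTHH:MM:SS form ssh-keygen prints compare correctly as plain strings.
str_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'
}

# cert_status INFO [NOW] -> prints valid | expired | not-yet-valid | no-validity
# and returns 0 only while the certificate can still be used. NOW defaults to
# the local time in ssh-keygen's format and is a parameter so the check can be
# exercised deterministically.
cert_status() {
  info="$1"
  now="${2:-$(date +%Y-%m-%dT%H:%M:%S)}"
  range=$(cert_validity "$info")
  if [ -z "$range" ]; then
    echo no-validity
    return 2
  fi
  from=${range%% *}
  to=${range##* }
  if str_lt "$now" "$from"; then
    echo not-yet-valid
    return 1
  elif str_lt "$to" "$now"; then
    echo expired
    return 1
  fi
  echo valid
}

# check_cert_file PATH -> runs the check on a real certificate file, e.g. the
# <Identity_file>-cert.pub that OpenSSH loads beside the file given to ssh -i.
check_cert_file() {
  cert_status "$(ssh-keygen -L -f "$1")"
}

# Usage with the constructed sample; on a real certificate:
#   check_cert_file /home/user1/.ssh/yc-cloud-id-<cloud_ID>-<login>-cert.pub || echo "export a new certificate"
cert_status "$SAMPLE_CERT_INFO" 2024-05-01T10:30:00   # prints: valid
```

The non-zero return codes let a wrapper script refuse to start ssh with a stale certificate and prompt for a fresh export instead; no-validity is reported separately so that an unreadable or unexpected file is not mistaken for an expired one.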
You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.
Connecting via the Yandex Cloud CLI
You can connect to a VM with OS Login access enabled using the Yandex Cloud CLI with either an SSH key saved in the profile of an organization user or service account, or an SSH certificate of that user or service account.
To connect to a VM via OS Login with an SSH key using the Yandex Cloud CLI:
- Enable access via OS Login at the organization level.
  To connect to a VM via OS Login with an SSH key, enable Access via OS Login using SSH keys.
  To allow users to add SSH keys to their own OS Login profiles, enable Allow members to use their own SSH keys.
- Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.
- View the description of the CLI command to connect to a VM:
  yc compute ssh --help
- Get the ID of the organization containing the required OS Login profile of the user or service account:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-------------------------+
  | ID                   | NAME                    | TITLE                   |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
  | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
  | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
  +----------------------+-------------------------+-------------------------+
- Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:
  yc organization-manager os-login profile list \
    --organization-id <organization_ID>
  Result:
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
  | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
  | ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  Save the LOGIN field value for the required user or service account: you will need it later.
  Note
  The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.
- Get a list of all VMs in the default folder:
  yc compute instance list
  Result:
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | ID                   | NAME            | ZONE ID       | STATUS  | EXTERNAL IP   | INTERNAL IP  |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
  | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
- Connect to the VM:
  yc compute ssh \
    --name <VM_name> \
    --identity-file <path_to_private_SSH_key_file> \
    --login <user_or_service_account_login> \
    --internal-address
  Where:
  --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
  --identity-file: Path to a private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
  --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the login specified in the default OS Login profile for the user or service account currently authorized in the Yandex Cloud CLI profile.
  --internal-address: To connect using an internal IP address. This is an optional parameter.
To connect to a VM via OS Login with an SSH certificate using the Yandex Cloud CLI:
- Enable access via OS Login at the organization level.
  To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).
- View the description of the CLI command to connect to a VM:
  yc compute ssh --help
- Get the ID of the organization containing the required OS Login profile of the user or service account:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-------------------------+
  | ID                   | NAME                    | TITLE                   |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
  | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
  | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
  +----------------------+-------------------------+-------------------------+
- Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:
  yc organization-manager os-login profile list \
    --organization-id <organization_ID>
  Result:
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
  | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
  | ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  Save the LOGIN field value for the required user or service account: you will need it later.
  Note
  The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.
- Get a list of all VMs in the default folder:
  yc compute instance list
  Result:
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | ID                   | NAME            | ZONE ID       | STATUS  | EXTERNAL IP   | INTERNAL IP  |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
  | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
  | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
  +----------------------+-----------------+---------------+---------+---------------+--------------+
- Connect to the VM:
  yc compute ssh \
    --name <VM_name> \
    --login <user_or_service_account_login> \
    --internal-address
  Where:
  --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
  --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set this parameter, the connection will use the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile.
  --internal-address: To connect using an internal IP address. This is an optional parameter.
  You can also view the command for VM connection in the management console. On the Overview page of the VM, under Access, expand Connect via the Yandex Cloud CLI and select the Via certificate tab.
You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.