Contact UsGet started

Connecting to a VM via OS Login

Written by
Updated at April 14, 2025

OS Login provides users and service accounts access to VMs relying solely on the Yandex Identity and Access Management mechanisms, without requiring you to upload SSH keys to each new VM when creating it.

Getting started

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.

Create a new virtual machine with OS Login support or configure OS Login access for an existing VM as needed.

Note

For connection to a virtual machine or Kubernetes node with OS Login access enabled, assign the compute.osLogin or compute.osAdminLogin role to the user or service account. When connecting using the Yandex Cloud CLI, you additionally need the compute.operator role.

Connecting using a standard SSH client

You can connect to a VM with OS Login access enabled using a standard SSH client with either an SSH key saved in the OS Login profile of an organization user or service account, or a short-lived SSH certificate exported for that user or service account.

To connect to a VM via OS Login with an SSH key using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH keys.

    To allow users to add SSH keys to their own OS Login profiles, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <path_to_private_SSH_key_file> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <path_to_private_SSH_key_file>: Path to the private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    If this is your first time connecting to the VM, you will get this unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    In the terminal, type yes and press Enter.

To connect to a VM via OS Login with an SSH certificate using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. Export the SSH certificate to your local computer.

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <certificate_file_path> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <certificate_file_path>: Path to the certificate’s Identity file you exported previously, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    You can also view the command for VM connection in the management console. On the Overview page of the VM, under Access, expand Connect via the client SSH and select the Via certificate tab.

    If this is your first time connecting to the VM, you will get this unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    In the terminal, type yes and press Enter.

Note

The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the VM.

You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.

Connecting via the Yandex Cloud CLI

You can connect to a VM with OS Login access enabled using the Yandex Cloud CLI with either an SSH key saved in the profile of an organization user or service account, or an SSH certificate of that user or service account.

To connect to a VM via OS Login with an SSH key using the Yandex Cloud CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH keys.

    To allow users to add SSH keys to their own OS Login profiles, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  4. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  5. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  6. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  7. Connect to the VM:

    yc compute ssh \
  --name <VM_name> \
  --identity-file <path_to_private_SSH_key_file> \
  --login <user_or_service_account_login> \
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --identity-file: Path to a private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the login specified in the default OS Login profile for the user or service account currently authorized in the Yandex Cloud CLI profile.
    • --internal-address: To connect using an internal IP address. This is an optional parameter.

To connect to a VM via OS Login with an SSH certificate using the Yandex Cloud CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login with an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  3. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  6. Connect to the VM:

    yc compute ssh \
  --name <VM_name>
  --login <user_or_service_account_login>
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set this parameter, the connection will use the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile.
    • --internal-address: To connect using an internal IP address. This is an optional parameter.

    You can also view the command for VM connection in the management console. On the Overview page of the VM, under Access, expand Connect via the Yandex Cloud CLI and select the Via certificate tab.

You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.

See also

Previous
Exporting an SSH certificate
Next
Using Yandex Cloud from within a VM