Creating a VM with OS Login
OS Login provides users and service accounts with SSH access to VMs using IAM. To grant access to a VM that supports OS Login at the OS level, assign the following roles to a user:
To connect to a virtual machine or Kubernetes node with OS Login access enabled via the YC CLI, the user or service account under which you will run the YC CLI command needs the compute.osLogin or compute.osAdminLogin role, as well as the compute.operator role.
To connect to a virtual machine or Kubernetes node with OS Login access enabled via a standard SSH client, the user or service account used for connection needs the compute.osLogin or compute.osAdminLogin role.
You can use either the YC CLI or a standard SSH client to connect to VMs with OS Login access enabled. To connect, you can use an SSH certificate or an SSH key, which you first need to add to the OS Login profile of a Yandex Cloud Organization user or service account.
However, we recommend creating a local user on the new VM and providing a separate SSH key for that user: this way, you will be able to connect to the VM over SSH even if you disable OS Login access for it. You can create a local user and provide an SSH key for them using metadata:
Note
For users added via metadata:
- After enabling access to a VM via OS Login, the keys specified in user-data and ssh-keys are deleted from the metadata.
- After disabling access to a VM via OS Login, the deleted keys are recreated.
To create a VM with OS Login:

Management console
- Enable access via OS Login at the organization level.
- Create a VM from the prepared image supporting access via OS Login. These images are available on Yandex Cloud Marketplace.
  When creating the VM, under Access, enable Access via OS Login.
  To be able to connect to the VM over SSH without OS Login, update the VM settings by disabling this option.

CLI
- Enable access via OS Login at the organization level.
- Create a VM from the prepared image supporting access via OS Login.
  When creating a VM, add a flag to enable access via OS Login:
  --metadata enable-oslogin=true

API
- Enable access via OS Login at the organization level.
- Create a VM using the create REST API method for the Instance resource from a public image with OS Login access support.
  When creating the VM, provide the enable-oslogin=true pair in the metadata field.

After the created VM changes its status to Running, you will be able to connect to it via OS Login.
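An added example (not from the Yandex Cloud documentation): it builds a request body for the Instance create method described above, setting the enable-oslogin=true metadata pair and, optionally, a user-data cloud-config for the recommended local user, and it validates the user name and public key before they are embedded in YAML. The folder, zone, subnet and image IDs are placeholders; the platform, sizes and the breakglass user name are assumptions; the sample key is constructed.

```python
import base64
import json
import re

KEY_RE = re.compile(r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) "
                    r"([A-Za-z0-9+/]+={0,2})(?: [\w@.+-]+)?")
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

# Constructed sample: a syntactically valid ed25519 blob with an all-zero key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode() + " breakglass@example"


def check_public_key(line):
    """Return line if it is exactly one well-formed OpenSSH public key, else raise ValueError."""
    m = KEY_RE.fullmatch(line or "")  # fullmatch rejects embedded newlines and extra fields
    if not m:
        raise ValueError("not a single-line OpenSSH public key")
    blob = base64.b64decode(m.group(2), validate=True)
    n = int.from_bytes(blob[:4], "big")  # length prefix of the type string inside the blob
    if blob[4:4 + n] != m.group(1).encode():
        raise ValueError("declared key type does not match the key blob")
    return line


def build_create_body(folder_id, zone_id, subnet_id, image_id, name, user=None, pubkey=None):
    """Request body for Instance create with OS Login on and an optional local user."""
    metadata = {"enable-oslogin": "true"}
    if user is not None:
        if not USER_RE.fullmatch(user):
            raise ValueError("unsafe local user name")
        key = json.dumps(check_public_key(pubkey))  # a JSON string is a valid quoted YAML scalar
        metadata["user-data"] = (f"#cloud-config\nusers:\n  - name: {user}\n"
                                 f"    shell: /bin/bash\n    ssh_authorized_keys:\n      - {key}\n")
    return {
        "folderId": folder_id, "name": name, "zoneId": zone_id,
        "platformId": "standard-v3",  # assumed platform; sizes below are in bytes
        "resourcesSpec": {"cores": "2", "memory": str(2 * 1024**3)},
        "metadata": metadata,
        "bootDiskSpec": {"autoDelete": True,
                         "diskSpec": {"size": str(20 * 1024**3), "imageId": image_id}},
        "networkInterfaceSpecs": [{"subnetId": subnet_id, "primaryV4AddressSpec": {}}],
    }


if __name__ == "__main__":
    body = build_create_body("<folder-id>", "<zone-id>", "<subnet-id>", "<oslogin-image-id>",
                             "oslogin-vm", user="breakglass", pubkey=SAMPLE_KEY)
    print(json.dumps(body, indent=2))
```

Rejecting multi-line or mistyped keys before templating keeps a pasted value from adding extra users or keys to the cloud-config.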