Create a virtual machine with OS Login
OS Login is used to provide users and service accounts with SSH access to VMs using IAM. To grant access to a VM that supports OS Login at the OS level, assign the following roles to a user:
- To connect to a VM or Kubernetes node with enabled OS Login access via the YC CLI, assign the compute.osLogin or compute.osAdminLogin role as well as the compute.operator role to the user or service account running the YC CLI command.
- To connect to a virtual machine or Kubernetes node with OS Login access enabled via a standard SSH client, assign the compute.osLogin or compute.osAdminLogin role to the connecting user or service account.
You can use either the YC CLI or a standard SSH client to connect to VMs with OS Login access enabled. To connect, you can use an SSH certificate or SSH key, which you first need to add to the OS Login profile of the user or service account in Yandex Cloud Organization.
The recommended way is to create a local user on the new VM and provide a separate SSH key for that user; this way, you will still be able to connect to the VM over SSH if you disable OS Login access for it. You can create a local user and provide an SSH key for them using metadata.
Tip
To create VMs with OS Login access and connect to such VMs, enable OS Login at the Yandex Cloud organization level first.
Note
For users added via metadata:
- After enabling access to a VM via OS Login, the keys specified in user-data and ssh-keys are deleted from the metadata.
- After disabling access to a VM via OS Login, the deleted keys are recreated.
To create a VM with OS Login:
Using the management console:
- Enable access via OS Login at the organization level.
- Create a VM from a ready-made image with OS Login access support. These images are available on Yandex Cloud Marketplace.
  When creating your VM, select Access by OS Login under Access. If this option is not available, the selected image does not support OS Login access.
  To be able to connect to the VM over SSH without OS Login, update the VM settings by disabling this option.
Using the YC CLI:
- Enable access via OS Login at the organization level.
- Create a VM from a ready-made image with OS Login access support.
  When creating a VM, add a flag to enable access via OS Login:
  --metadata enable-oslogin=true
Using the API:
- Enable access via OS Login at the organization level.
- Create a VM using the create REST API method for the Instance resource from a public image with OS Login access support.
  When creating the VM, provide the enable-oslogin=true pair in the metadata field.
After the created VM changes its status to Running, you will be able to connect to it via OS Login.
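A post-creation check for the procedure above, as an added example that is not part of the Yandex Cloud documentation: it reads instance records and reports whether the enable-oslogin=true metadata pair is present and whether SSH keys remain in user-data or ssh-keys. The record layout (name, status, metadata), the RUNNING status string and all sample values are assumptions constructed for this example.

```python
OSLOGIN_KEY = "enable-oslogin"   # metadata key given on this page
CLOUD_INIT_KEY_FIELDS = ("ssh_authorized_keys", "ssh-authorized-keys")

# Constructed sample records; the field layout is an assumption for this example.
SAMPLE_INSTANCES = [
    {"name": "vm-oslogin", "status": "RUNNING",
     "metadata": {"enable-oslogin": "true"}},
    {"name": "vm-legacy", "status": "RUNNING",
     "metadata": {"ssh-keys": "admin:ssh-ed25519 AAAA-constructed admin@example"}},
    {"name": "vm-mixed", "status": "PROVISIONING",
     "metadata": {"enable-oslogin": "true",
                  "user-data": "#cloud-config\nusers:\n  - name: ops\n"
                               "    ssh_authorized_keys:\n      - ssh-ed25519 AAAA-constructed\n"}},
]


def static_key_fields(metadata):
    """Return the metadata fields that still carry SSH key material."""
    found = []
    if metadata.get("ssh-keys", "").strip():
        found.append("ssh-keys")
    user_data = metadata.get("user-data", "")
    if any(field in user_data for field in CLOUD_INIT_KEY_FIELDS):
        found.append("user-data")
    return found


def audit_instance(instance):
    """Return a list of findings for one record (empty list = as expected)."""
    metadata = instance.get("metadata") or {}
    oslogin = metadata.get(OSLOGIN_KEY) == "true"
    keys = static_key_fields(metadata)
    findings = []
    if not oslogin:
        findings.append("OS Login is not enabled in metadata")
    elif keys:
        # The page's note says these keys are deleted once OS Login is enabled.
        findings.append("OS Login enabled but keys remain in: " + ", ".join(keys))
    if oslogin and instance.get("status") != "RUNNING":
        findings.append("VM is not RUNNING yet, wait before connecting via OS Login")
    return findings


def audit(instances):
    """Map each instance name to its findings."""
    return {i["name"]: audit_instance(i) for i in instances}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES).items():
        print(name, "->", findings or "OK")
```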