Contact UsGet started

Exporting an SSH certificate

Written by
Updated at April 14, 2025

You can use an SSH certificate of an organization user or service account to enable a user or (via a service account) a third-party tool, such as Terraform or Ansible, to use SSH to connect to VMs or separate nodes in a Kubernetes node group with OS Login access enabled. To do this, locally export an SSH certificate and use it to access the VM or Kubernetes node with a standard SSH client. The exported certificate is valid for one hour.

To export the SSH certificate of a Cloud Organization organization user or service account to a local computer:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.

  1. See the description of the CLI command for exporting an SSH certificate to a local directory:

    yc compute ssh certificate export --help

  2. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  3. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  4. Export the certificate:

    yc compute ssh certificate export \
    --login <user_or_service_account_login> \
    --organization-id <organization_ID> \
    --directory <path_to_directory>

    Where:

    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set this parameter, you will export the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile.
    • --organization-id: Previously obtained ID of the organization to export the SSH certificate from. This is an optional parameter. If the parameter is not set, the certificate will be exported from the organization the default folder belongs to.
    • --directory: Path to the local directory to save the exported SSH certificate to. This is an optional parameter. If not specified, the certificate will be saved by default to the .ssh home directory of the current PC user (~/.ssh/).

    Result:

    Identity: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>
Certificate: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>-cert.pub

    If you save the exported certificate to a directory different from the default one, make sure that only the current user can access the certificate files saved. If you need to, update the user permissions using the chmod command on Linux and macOS or on the Security tab in Windows Explorer's file properties.

You can use the exported SSH certificate to connect to a VM or Kubernetes node with OS Login access enabled.

See also

Previous
Configuring OS Login on an existing VM
Next
Connecting to a VM via OS Login