Yandex project
© 2025 Yandex.Cloud LLC

Exporting an SSH certificate

Written by
Yandex Cloud
Updated at May 13, 2025

You can use the SSH certificate of an organization user or service account to connect over SSH to VMs, or to individual nodes in a Kubernetes node group, that have OS Login access enabled. This works both for a user and, via a service account, for a third-party tool such as Terraform or Ansible. To do this, export the SSH certificate locally and use it with a standard SSH client to access the VM or Kubernetes node. The exported certificate is valid for one hour.

To export the SSH certificate of a Cloud Organization user or service account to a local computer:

CLI

If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for exporting an SSH certificate to a local directory:

    yc compute ssh certificate export --help
    
  2. Get the ID of the organization containing the required OS Login profile of the user or service account:

    yc organization-manager organization list
    

    Result:

    +----------------------+-------------------------+-------------------------+
    |          ID          |          NAME           |          TITLE          |
    +----------------------+-------------------------+-------------------------+
    | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
    | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
    | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
    +----------------------+-------------------------+-------------------------+
    
  3. Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

    yc organization-manager os-login profile list \
      --organization-id <organization_ID>
    

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
    |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
    | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
    | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
    | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
    

    Save the LOGIN field value for the required user or service account: you will need it later.

    Note

    The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

  4. Export the certificate:

    yc compute ssh certificate export \
        --login <user_or_service_account_login> \
        --organization-id <organization_ID> \
        --directory <path_to_directory>
    

    Where:

    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set this parameter, you will export the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile.
    • --organization-id: Previously obtained ID of the organization to export the SSH certificate from. This is an optional parameter. If the parameter is not set, the certificate will be exported from the organization the default folder belongs to.
    • --directory: Path to the local directory to save the exported SSH certificate to. This is an optional parameter. If not specified, the certificate will be saved by default to the .ssh directory in the home directory of the current user (~/.ssh/).

    Result:

    Identity: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>
    Certificate: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>-cert.pub
    

    If you save the exported certificate to a directory other than the default one, make sure that only the current user can access the saved certificate files. If necessary, update the permissions using the chmod command on Linux and macOS, or on the Security tab of the file properties in Windows Explorer.

You can use the exported SSH certificate to connect to a VM or Kubernetes node with OS Login access enabled.
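
The two constraints above (files private to the current user, one-hour validity) can be checked before each connection. The script below is an added example, not part of the Yandex Cloud documentation; its function names are hypothetical, and it assumes OpenSSH's ssh-keygen is installed and that the certificate sits next to the identity file with the -cert.pub suffix shown in the export result.

```shell
#!/bin/sh
# Added example: pre-flight checks for an exported OS Login SSH certificate.
# Function names are hypothetical. Usage: sh check_cert.sh <Identity path>

# Succeeds only if group and others have no permission bits on the file.
# The private key is the file an SSH client refuses to use when others can read it.
private_to_owner() {
    [ "$(ls -ln -- "$1" | cut -c5-10)" = "------" ]
}

# Reads `ssh-keygen -L` output on stdin and prints the end of the validity
# window. Line format (constructed sample):
#   Valid: from 2025-05-13T10:00:00 to 2025-05-13T11:00:00
cert_valid_until() {
    sed -n 's/^ *Valid: from [^ ]* to \([^ ]*\)$/\1/p'
}

# Succeeds if local time $2 (default: now) is before end time $1.
# Both are YYYY-MM-DDTHH:MM:SS, so string order equals time order.
cert_is_current() {
    now=${2:-$(date +%Y-%m-%dT%H:%M:%S)}
    [ -n "$1" ] && awk -v n="$now" -v e="$1" 'BEGIN { exit !(n < e) }'
}

# $1 is the "Identity:" path printed by the export command.
check_exported_cert() {
    for f in "$1" "$1-cert.pub"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    private_to_owner "$1" || {
        echo "identity is accessible to other users; run: chmod 600 $1" >&2
        return 1
    }
    end=$(ssh-keygen -L -f "$1-cert.pub" | cert_valid_until)
    cert_is_current "$end" || {
        echo "certificate expired or validity not readable; export it again" >&2
        return 1
    }
    echo "ok: certificate valid until $end"
}

# Run the checks only when a path is given on the command line.
[ $# -eq 0 ] || check_exported_cert "$1"
```

A non-zero exit status means the certificate should be exported again or the file permissions tightened before running ssh or a tool such as Ansible.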

See also

  • Enabling access via OS Login
  • Adding an SSH key
  • Connecting to a VM via OS Login
  • Connecting to a Kubernetes node via OS Login
  • Using a service account with an OS Login profile for VM management via Ansible
