Changing VM metadata
When updating VM metadata using the Yandex Cloud yc compute instance update CLI command, the update REST API method for the Instance resource, or the InstanceService/Update gRPC API call, the entire existing set of metadata in the user-data folder and in the instance/attributes/* path of the computeMetadata folder is fully overwritten with the newly updated set.
To add, modify, or delete individual keys in the instance/attributes/* path of the computeMetadata folder, use the Yandex Cloud yc compute instance add-metadata and yc compute instance remove-metadata CLI commands, the updateMetadata REST API method for the Instance resource, or the InstanceService/UpdateMetadata gRPC API call. In which case the user-data folder metadata will always be fully overwritten with new values.
To update the VM metadata:
Note
When creating VM users via metadata using the user-data key, all users, including the default one specified under Access, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under Access.
-
In the management console, select the folder this VM belongs to.
-
From the list of services, select Compute Cloud.
-
In the left-hand panel, select Virtual machines.
-
In the VM row, click and select Edit.
-
Under Metadata, provide the metadata in
Key:Valueformat.For example, to create multiple users in the virtual machine OS, add the
user-datakey and specify the following configuration in it:#cloud-config datasource: Ec2: strict_id: false ssh_pwauth: no users: - name: <username_1> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_1> - name: <username_2> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_2> ... - name: <username_n> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_n> runcmd: [] -
Click Save changes.
Note
When creating VM users via metadata using the user-data key, all users, including the default one specified under --ssh-key, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under --ssh-key.
In the Yandex Cloud CLI, you can provide metadata in any of the three parameters:
-
--metadata-from-file: As a configuration file in this format:--metadata-from-file key=<file_path>. Use this method to conveniently deliver a value consisting of several lines.For example, to add several users to a VM at the same time, describe the configuration in a YAML file:
#cloud-config datasource: Ec2: strict_id: false ssh_pwauth: no users: - name: <username_1> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_1> - name: <username_2> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_2> ... - name: <username_n> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_n> runcmd: [] -
--metadata: As a comma-separated list ofkey=valuepairs, e.g.,--metadata foo1=bar,foo2=baz.For a multiline value, use
\nas a separator:--metadata user-data="#ps1\nnet user Administrator Passw0rd". -
--ssh-key: SSH key. Only for Linux VMs.Compute Cloud creates the
yc-useruser and adds the specified SSH key to the list of authorized keys. After the VM is created, you can use this key to connect to it over SSH.
You can combine these parameters, for example:
yc compute instance update \
--name my-instance \
--metadata-from-file user-data=metadata.yaml \
--metadata serial-port-enable=1
...
Note
When creating VM users via metadata using the user-data key, all users, including the default one specified under ssh-keys, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under ssh-keys.
In Terraform, you can specify metadata in three ways:
-
As a separate file with user metadata to process by the
cloud-initagent. To do this, undermetadata, specify the path to the file with user metadata, such ascloud-init.yaml:... metadata = { user-data = "${file("cloud-init.yaml")}" } ...{% cut "Sample contents of the
cloud-init.yaml" file %}#cloud-config datasource: Ec2: strict_id: false ssh_pwauth: no users: - name: <username_1> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_1> - name: <username_2> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_2> ... - name: <username_n> sudo: 'ALL=(ALL) NOPASSWD:ALL' shell: /bin/bash ssh_authorized_keys: - <public_SSH_key_n> runcmd: [] -
Under
metadata, as a line with user metadata. For a multiline value, use\nas a separator. For example:... metadata = { user-data = "#cloud-config\nusers:\n - name: <username>\n groups: sudo\n shell: /bin/bash\n sudo: 'ALL=(ALL) NOPASSWD:ALL'\n ssh_authorized_keys:\n - <SSH_key_contents>" } ... -
Only for Linux VMs. Under
ssh-keys, specify the username and the SSH key to access Linux VMs. Enter your username and the contents of your SSH key as follows:... metadata = { ssh-keys = "<username>:<SSH_key_contents>" } ...If you are using an out-of-the-box public image from Yandex Cloud Marketplace, the specified username does not matter. The key will be assigned to the user specified in the
cloud-initconfiguration by default. Such users vary depending on an image.If you do not know the default user, find the string containing
Authorized keys fromin the serial port output. It will contain the name of the user the authorized keys are assigned to.If you cannot find this string but you see the
no authorized ssh keys fingerprints found for userstring, it means you have provided your SSH key incorrectly. Check the format once again or try providing the SSH keys in theuser-datafield.
In the API, specify the metadata in the metadata property as a JSON object, e.g.:
"metadata": {
"ssh-keys": "ssh-ed25519 AAAAB3Nza... user@example.com",
"serial-port-enable": "1"
}
For a line break, use \n.
Warning
All metadata, including user-defined metadata, is unencrypted. If the metadata contains sensitive information, make sure to protect it, e.g., through encryption.
Removing SSH keys from metadata
- In the management console, select the folder this VM belongs to.
- From the list of services, select Compute Cloud.
- In the left-hand panel, select Virtual machines.
- In the VM row, click and select Edit.
- Expand the Metadata section and remove the keys by clicking .
- Click Save changes.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for removing metadata:
yc compute instance remove-metadata --help -
Remove the keys:
yc compute instance remove-metadata <VM_ID> --keys <SSH_key_name>
To remove SSH keys from the VM metadata, use the updateMetadata REST API method for the Instance resource or the InstanceService/UpdateMetadata gRPC API call.
In your request, provide the delete parameter with the SSH key.
REST API request example
curl \
--request POST \
--header "Authorization: Bearer <IAM_token>" \
--data '{"delete":["<SSH_key_name>"]}' \
https://compute.api.cloud.yandex.net/compute/v1/instances/<VM_ID>/updateMetadata
Enabling access via OS Login
To make sure users can connect to the VM via OS Login, enable this option in the VM settings:
- In the management console, select the folder this VM belongs to.
- From the list of services, select Compute Cloud.
- In the left-hand panel, select Virtual machines.
- In the VM row, click and select Edit.
- Under Access, select Access by OS Login.
- Click Save changes.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for updating VM parameters:
yc compute instance update --help -
Get a list of VMs in the default folder:
yc compute instance listResult:
+----------------------+-----------------+---------------+---------+----------------------+ | ID | NAME | ZONE ID | STATUS | DESCRIPTION | +----------------------+-----------------+---------------+---------+----------------------+ | fhm0b28lgfp4******** | first-instance | ru-central1-a | RUNNING | my first vm via CLI | | fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI | +----------------------+-----------------+---------------+---------+----------------------+ -
Select
IDorNAMEof the VM, e.g.,first-instance. -
Enable access via OS Login:
yc compute instance update first-instance \ --metadata enable-oslogin=true
Use the metadata field to provide enable-oslogin=true in the update REST API method for the Instance resource or in the InstanceService/Update gRPC API call.
Note
For users added via metadata:
- After enabling access to a VM via OS Login, the keys specified in
user-dataandssh-keysare removed from the metadata. - After disabling access to a VM via OS Login, the removed keys are recreated.