Yandex project
© 2025 Yandex.Cloud LLC
Changing VM metadata

Written by
Yandex Cloud
Updated at May 5, 2025

When updating VM metadata using the Yandex Cloud yc compute instance update CLI command, the update REST API method for the Instance resource, or the InstanceService/Update gRPC API call, the entire existing set of metadata in the user-data folder and in the instance/attributes/* path of the computeMetadata folder is fully overwritten with the newly updated set.

To add, modify, or delete individual keys in the instance/attributes/* path of the computeMetadata folder, use the Yandex Cloud yc compute instance add-metadata and yc compute instance remove-metadata CLI commands, the updateMetadata REST API method for the Instance resource, or the InstanceService/UpdateMetadata gRPC API call. In that case, the user-data folder metadata will always be fully overwritten with new values.
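
A pre-flight check for the full-overwrite behaviour described above, written as an added example (not Yandex Cloud code): it compares the metadata currently on the VM with the complete set you plan to send in an update and reports which keys, and which users declared in a #cloud-config user-data value, would no longer be present. The function names and the sample dictionaries are hypothetical and constructed for illustration.

```python
import re

# Matches list items such as "- name: alice" in the users: section of a
# #cloud-config document (the layout used in the samples in this article).
_USER_RE = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$", re.MULTILINE)


def cloud_config_users(user_data):
    """Return the set of user names declared in a #cloud-config string."""
    if not user_data.lstrip().startswith("#cloud-config"):
        return set()  # e.g. a #ps1 script: no cloud-config user list
    return set(_USER_RE.findall(user_data))


def preflight_update(current, planned):
    """Report what a full-overwrite update would drop.

    current: metadata dict read from the VM before the change
    planned: the complete metadata dict about to be sent with the update
    """
    dropped_keys = sorted(set(current) - set(planned))
    old_users = cloud_config_users(current.get("user-data", ""))
    new_users = cloud_config_users(planned.get("user-data", ""))
    # If user-data is missing from the planned set, every user it declared
    # is reported, because the key itself is overwritten away.
    dropped_users = sorted(old_users - new_users)
    return {"dropped_keys": dropped_keys, "dropped_users": dropped_users}


# Constructed sample data, not taken from a real VM.
CURRENT = {
    "user-data": "#cloud-config\nusers:\n- name: alice\n  shell: /bin/bash\n"
                 "- name: bob\n  shell: /bin/bash\n",
    "serial-port-enable": "1",
    "enable-oslogin": "false",
}
PLANNED = {
    "user-data": "#cloud-config\nusers:\n- name: alice\n  shell: /bin/bash\n"
                 "- name: carol\n  shell: /bin/bash\n",
    "serial-port-enable": "1",
}

if __name__ == "__main__":
    print(preflight_update(CURRENT, PLANNED))
```

An empty report means the planned set is a superset of what is already on the VM; anything listed should be added to the planned set or dropped deliberately.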

To update the VM metadata:

Management console

Note

When creating VM users via metadata using the user-data key, all users, including the default one specified under Access, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under Access.

  1. In the management console, select the folder this VM belongs to.

  2. From the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. In the VM row, click and select Edit.

  5. Under Metadata, provide the metadata in Key:Value format.

    For example, to create multiple users in the virtual machine OS, add the user-data key and specify the following configuration in it:

    #cloud-config
    datasource:
      Ec2:
        strict_id: false
    ssh_pwauth: no
    users:
    - name: <username_1>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_1>
    - name: <username_2>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_2>
    ...
    - name: <username_n>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_n>
    runcmd: []
    
  6. Click Save changes.

CLI

Note

When creating VM users via metadata using the user-data key, all users, including the default one specified under --ssh-key, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under --ssh-key.

In the Yandex Cloud CLI, you can provide metadata in any of the three parameters:

  • --metadata-from-file: As a configuration file in this format: --metadata-from-file key=<file_path>. Use this method to conveniently deliver a value consisting of several lines.

    For example, to add several users to a VM at the same time, describe the configuration in a YAML file:

    #cloud-config
    datasource:
      Ec2:
        strict_id: false
    ssh_pwauth: no
    users:
    - name: <username_1>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_1>
    - name: <username_2>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_2>
    ...
    - name: <username_n>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_n>
    runcmd: []
    
  • --metadata: As a comma-separated list of key=value pairs, e.g., --metadata foo1=bar,foo2=baz.

    For a multiline value, use \n as a separator: --metadata user-data="#ps1\nnet user Administrator Passw0rd".

  • --ssh-key: SSH key. Only for Linux VMs.

    Compute Cloud creates the yc-user user and adds the specified SSH key to the list of authorized keys. After the VM is created, you can use this key to connect to it over SSH.

You can combine these parameters, for example:

yc compute instance update \
  --name my-instance \
  --metadata-from-file user-data=metadata.yaml \
  --metadata serial-port-enable=1
...

Terraform

Note

When creating VM users via metadata using the user-data key, all users, including the default one specified under ssh-keys, will be overwritten. To avoid this, specify the data of all users in the user-data key, including the user specified under ssh-keys.

In Terraform, you can specify metadata in three ways:

  • As a separate file with user metadata to be processed by the cloud-init agent. To do this, under metadata, specify the path to the file with user metadata, such as cloud-init.yaml:

    ...
    metadata = {
      user-data = "${file("cloud-init.yaml")}"
    }
    ...
    

    Sample contents of the cloud-init.yaml file:

    #cloud-config
    datasource:
      Ec2:
        strict_id: false
    ssh_pwauth: no
    users:
    - name: <username_1>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_1>
    - name: <username_2>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_2>
    ...
    - name: <username_n>
      sudo: 'ALL=(ALL) NOPASSWD:ALL'
      shell: /bin/bash
      ssh_authorized_keys:
      - <public_SSH_key_n>
    runcmd: []
    

  • Under metadata, as a line with user metadata. For a multiline value, use \n as a separator. For example:

    ...
    metadata = {
      user-data = "#cloud-config\nusers:\n  - name: <username>\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - <SSH_key_contents>"
    }
    ...
    
  • Only for Linux VMs. Under ssh-keys, specify the username and the SSH key to access Linux VMs. Enter your username and the contents of your SSH key as follows:

    ...
    metadata = {
      ssh-keys = "<username>:<SSH_key_contents>"
    }
    ...
    

    If you are using an out-of-the-box public image from Yandex Cloud Marketplace, the specified username does not matter. The key will be assigned to the user specified in the cloud-init configuration by default. Such users vary depending on the image.

    If you do not know the default user, find the string containing "Authorized keys from" in the serial port output. It will contain the name of the user the authorized keys are assigned to.

    If you cannot find this string but you see the "no authorized ssh keys fingerprints found for user" string, it means you have provided your SSH key incorrectly. Check the format once again or try providing the SSH keys in the user-data field.

API

In the API, specify the metadata in the metadata property as a JSON object, e.g.:

"metadata": {
  "ssh-keys": "ssh-ed25519 AAAAB3Nza... user@example.com",
  "serial-port-enable": "1"
}

For a line break, use \n.

Warning

All metadata, including user-defined metadata, is unencrypted. If the metadata contains sensitive information, make sure to protect it, e.g., through encryption.
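
Because metadata is stored unencrypted, it helps to review a metadata set for secrets before sending it. The following is an added example, not Yandex Cloud code: it flags private key blocks, cloud-init password options in a #cloud-config value, and a password passed to net user in a #ps1 script. The rule names, the audit_metadata function, and the sample dictionary are hypothetical and constructed for illustration.

```python
import re

# Rules for material that should not sit in plaintext metadata.
# passwd, plain_text_passwd, hashed_passwd and chpasswd are cloud-init
# cloud-config options; the rule names are this example's own.
RULES = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("cloud-init-password", re.compile(
        r"^\s*-?\s*(plain_text_passwd|hashed_passwd|passwd|chpasswd)\s*:",
        re.MULTILINE)),
    # "net user <name> <password>"; a third token starting with "/" is a
    # switch such as /active:yes, not a password.
    ("net-user-password", re.compile(
        r"\bnet[ \t]+user[ \t]+\S+[ \t]+(?!/)\S+", re.IGNORECASE)),
]


def audit_metadata(metadata):
    """Return (key, rule) pairs for metadata values that look sensitive."""
    findings = []
    for key, value in sorted(metadata.items()):
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append((key, rule))
    return findings


# Constructed sample data; the key material is a placeholder.
SAMPLE = {
    "user-data": "#ps1\nnet user Administrator Passw0rd",
    "ssh-keys": "yc-user:ssh-ed25519 <constructed_public_key> user@example.com",
    "serial-port-enable": "1",
    "deploy-key": "-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed>\n"
                  "-----END OPENSSH PRIVATE KEY-----",
}

if __name__ == "__main__":
    for key, rule in audit_metadata(SAMPLE):
        print(f"{key}: {rule}")
```

Public SSH keys are not flagged; they are meant to be shared, while the other findings should be moved out of metadata or encrypted first.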

Removing SSH keys from metadata

Management console

  1. In the management console, select the folder this VM belongs to.
  2. From the list of services, select Compute Cloud.
  3. In the left-hand panel, select Virtual machines.
  4. In the VM row, click and select Edit.
  5. Expand the Metadata section and remove the keys by clicking .
  6. Click Save changes.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for removing metadata:

    yc compute instance remove-metadata --help
    
  2. Remove the keys:

    yc compute instance remove-metadata <VM_ID> --keys <SSH_key_name>
    

API

To remove SSH keys from the VM metadata, use the updateMetadata REST API method for the Instance resource or the InstanceService/UpdateMetadata gRPC API call.

In your request, provide the delete parameter with the SSH key.

REST API request example

curl \
  --request POST \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{"delete":["<SSH_key_name>"]}' \
  https://compute.api.cloud.yandex.net/compute/v1/instances/<VM_ID>/updateMetadata

Enabling access via OS Login

To make sure users can connect to the VM via OS Login, enable this option in the VM settings:

Management console

  1. In the management console, select the folder this VM belongs to.
  2. From the list of services, select Compute Cloud.
  3. In the left-hand panel, select Virtual machines.
  4. In the VM row, click and select Edit.
  5. Under Access, select Access by OS Login.
  6. Click Save changes.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for updating VM parameters:

    yc compute instance update --help
    
  2. Get a list of VMs in the default folder:

    yc compute instance list
    

    Result:

    +----------------------+-----------------+---------------+---------+----------------------+
    |          ID          |       NAME      |    ZONE ID    | STATUS  |     DESCRIPTION      |
    +----------------------+-----------------+---------------+---------+----------------------+
    | fhm0b28lgfp4******** | first-instance  | ru-central1-a | RUNNING | my first vm via CLI  |
    | fhm9gk85nj7g******** | second-instance | ru-central1-a | RUNNING | my second vm via CLI |
    +----------------------+-----------------+---------------+---------+----------------------+
    
  3. Select ID or NAME of the VM, e.g., first-instance.

  4. Enable access via OS Login:

    yc compute instance update first-instance \
      --metadata enable-oslogin=true
    

API

Use the metadata field to provide enable-oslogin=true in the update REST API method for the Instance resource or in the InstanceService/Update gRPC API call.

Note

For users added via metadata:

  • After enabling access to a VM via OS Login, the keys specified in user-data and ssh-keys are removed from the metadata.
  • After disabling access to a VM via OS Login, the removed keys are recreated.
