Using a service account with an OS Login profile for VM management via Ansible
To manage virtual machines via Ansible
In addition, with this configuration you can temporarily elevate the privileges of this account by assigning additional roles to the service account. For example, to use the become
directive in Ansible tasks, you will have to temporarily assign the compute.osAdminLogin
role to the service account.
To configure a service account for VM management via Ansible:
- Prepare your cloud.
- Create a service account with an SSH key in the OS Login profile.
- Configure Ansible to run on behalf of a service account.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Prepare the environment
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter. -
Create a virtual machine from a public image with OS Login access enabled, e.g., Ubuntu 22.04 LTS OS Login.
-
In your organization settings, enable OS Login access using SSH keys.
-
Install
Ansible.
Required paid resources
The cost of supporting the infrastructure created in the guide includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using a public IP address (see Yandex Virtual Private Cloud pricing).
Create a service account with an SSH key in the OS Login profile
-
Create a service account named
my-ansible-sa
and assign it thecompute.osLogin
role. -
Create an SSH keys pair of the
ed25519
type that the service account will use to connect to virtual machines:ssh-keygen \ -t ed25519 \ -f <path>/id_yc-sa-my-ansible-sa
Where
-f
is the name of the SSH key being created and the path to the directory where the files with the private and public parts of the key will be saved. For example,-f /home/user/ansible-key/id_yc-sa-my-ansible-sa
.As a result, two SSH key files will be created in the specified directory:
id_yc-sa-my-ansible-sa
andid_yc-sa-my-ansible-sa.pub
. -
Add the new SSH key to the OS Login profile of the
my-ansible-sa
service account:CLIyc organization-manager oslogin user-ssh-key create \ --name <key_name> \ --organization-id <organization_ID> \ --subject-id <service_account_ID> \ --data "<public_SSH_key>" \ --expires-at <key_expiration_date>
Where:
-
--name
: Uploaded key name, e.g.,ssh-my-ansible-sa
. -
--organization-id
: ID of the organization themy-ansible-sa
service account belongs to. -
--subject-id
: ID of the service account to whose profile you are adding the SSH key. -
--data
: Contents of the file with the public part of the SSH key (id_yc-sa-my-ansible-sa.pub
). -
--expires-at
: Uploaded key expiration date. This is an optional parameter. If the parameter is not set, the key will have no expiration date.You can specify the value in two formats:
- Key expiration date in ISO 8601
format, e.g.,YYYY-MM-DDT00:00:00Z
. - Key validity period in hours and minutes, e.g.,
1h
or3h30m
.
- Key expiration date in ISO 8601
Result:
id: bpfejaidgt9u******** subject_id: ajeqdl8mdv12******** data: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOra4Rg9OpwS5cozMHDGpdp6ug/jYUnWtTFD******** name: ssh-my-ansible-sa fingerprint: SHA256:gkEtFdaTmT7PK4/fCrZqnSjFDBsvLeNfkAR******** organization_id: bpfaidqca8vd******** created_at: "2024-06-21T10:10:11.946355750Z" expires_at: "2024-06-21T20:10:11.380653492Z"
For more information about the
yc organization-manager oslogin user-ssh-key create
command, see the CLI reference.Tip
For security purposes, it is recommended to rotate SSH keys from time to time. It is not safe to use an SSH key with unlimited validity period.
-
-
Check if you can log in to the VM using the service account's OS Login profile:
ssh yc-sa-my-ansible-sa@<VM_IP_address> -i <path_to_private_SSH_key>
Where:
<VM_IP_address>
: Public IP address of the VM with enabled OS Login access.<path_to_private_SSH_key>
: Path to the file containing the private part of the previously created SSH key, e.g.,/home/user/ansible-key/id_yc-sa-my-ansible-sa
.
Configure Ansible to run on behalf of a service account
Make sure Ansible can connect to the virtual machine on behalf of the new service account. To do this, create an inventory file and test it using the ansible.builtin.ping
module:
-
Create the
inventory.ini
file with theyc
group:[yc:vars] ansible_connection=ssh ansible_user=yc-sa-my-ansible-sa ansible_ssh_private_key_file=<path_to_private_SSH_key> [yc] <VM_IP_address>
Where:
<path_to_private_SSH_key>
: Path to the file containing the private part of the previously created SSH key, e.g.,/home/user/ansible-key/id_yc-sa-my-ansible-sa
.<VM_IP_address>
: Public IP address of the VM with enabled OS Login access.
-
Run Ansible with the
ansible.builtin.ping
module:ansible -i inventory.ini -m ping yc
Result:
158.160.**.*** | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python3" }, "changed": false, "ping": "pong" }
Connection to the VM is established. You can now manage virtual machines via Ansible on behalf of a service account with an OS Login profile and an SSH key with a limited validity period.
How to delete the resources you created
To stop paying for the resources you created: