OS Login
OS Login is a convenient way to manage SSH connections to VMs and Yandex Managed Service for Kubernetes cluster nodes, either through the YC CLI or through a standard SSH client using an SSH certificate or an SSH key that you first add to the organization user's or service account's profile in Yandex Cloud Organization.
The OS Login agent is based on the guest agent for Google Compute Engine.
OS Login links the account of a VM or Kubernetes node user with the account of an organization user. To manage access to virtual machines and nodes, enable the OS Login access option at the organization level and then activate OS Login access on each virtual machine or Kubernetes node separately.
This way you can easily manage access to virtual machines and Kubernetes nodes by assigning appropriate roles to users. If you revoke the roles, the user will lose access to all virtual machines and Kubernetes nodes where OS Login access is enabled.
OS Login profiles
For each user and service account in an organization, you can create OS Login profiles containing the name (login) and ID (UID) of the user or service account, which help to identify them in the operating systems of your VMs and Kubernetes cluster nodes.
Enabling OS Login access for an organization automatically creates default OS Login profiles for all user and service accounts in that organization. Also, you can create additional OS Login profiles or edit the existing ones.
The username (login) in an account's default OS Login profile depends on the account type:
- For a user account, the login is the same as the username in the organization.
- For a service account, the login is its name prefixed with yc-sa-, e.g., yc-sa-my-robot is the login for the service account my-robot.
You can manage user OS Login profiles via the Cloud Center interface.
Note
To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.
Connecting via OS Login
Users or third-party tools, such as Terraform
To connect to a VM or Kubernetes node with OS Login access enabled via a standard SSH client with an SSH certificate, you need to export the OS Login certificate and use it when connecting. The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the VM or Kubernetes node.
To connect to a VM instance or Kubernetes node with enabled OS Login access via the YC CLI or a standard SSH client with an SSH key, you need to create an SSH key pair and add the public SSH key to the organization user profile in Cloud Organization. You can also add an SSH key to the service account profile and use that service account to connect to a VM via OS Login.
Note
Roles required to connect to a VM via OS Login:
To connect to a VM or Kubernetes node with OS Login access enabled via the YC CLI, assign the compute.osLogin or compute.osAdminLogin role as well as the compute.operator role to the user or service account running the YC CLI command.
To connect to a VM or Kubernetes node with OS Login access enabled via a standard SSH client, assign the compute.osLogin or compute.osAdminLogin role to the connecting user or service account.
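Because an exported OS Login certificate is only valid for one hour and its principal has to match the login in the OS Login profile (plain username for users, yc-sa- prefix for service accounts), it is worth checking both before connecting. The following Python script is an added example, not code from the original page or from the YC CLI: it parses `ssh-keygen -L` output for an exported certificate (a constructed sample listing is embedded), and `default_os_login`, `list_certificate` and the account-type names it uses are assumptions.

```python
import subprocess
from datetime import datetime

_TS_FMT = "%Y-%m-%dT%H:%M:%S"  # format ssh-keygen -L uses for the validity window (local time)

def default_os_login(account_type: str, name: str) -> str:
    """Default OS Login profile login: users keep their organization username,
    service accounts get the yc-sa- prefix. Account-type names are assumptions."""
    if account_type == "user":
        return name
    if account_type == "service_account":
        return f"yc-sa-{name}"
    raise ValueError(f"unknown account type: {account_type}")

def _principals(listing: str) -> list:
    """Collect the indented names listed under 'Principals:' in ssh-keygen -L output."""
    out, in_block = [], False
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("Principals:"):
            in_block = True
            continue
        if in_block:
            if not stripped or ":" in stripped:  # next field (e.g. 'Critical Options:') ends the block
                break
            out.append(stripped)
    return out

def inspect_certificate(listing: str, expected_login: str, now: str = None) -> dict:
    """Report whether the certificate is within its validity window at `now`
    (same timestamp format as ssh-keygen) and issued for `expected_login`."""
    window = next((l.strip() for l in listing.splitlines() if l.strip().startswith("Valid:")), "")
    parts = window.split()
    if len(parts) != 5 or parts[1] != "from" or parts[3] != "to":
        raise ValueError(f"unexpected validity line: {window!r} (OS Login certs are short-lived)")
    valid_from, valid_to = datetime.strptime(parts[2], _TS_FMT), datetime.strptime(parts[4], _TS_FMT)
    at = datetime.strptime(now, _TS_FMT) if now else datetime.now()
    principals = _principals(listing)
    return {
        "principals": principals,
        "remaining_seconds": max(0, int((valid_to - at).total_seconds())),
        "time_valid": valid_from <= at < valid_to,
        "login_ok": expected_login in principals,
    }

def list_certificate(path: str) -> str:
    """Run ssh-keygen -L on an exported certificate file (needs OpenSSH; not used offline)."""
    return subprocess.run(["ssh-keygen", "-L", "-f", path], capture_output=True, text=True, check=True).stdout

# Constructed sample of ssh-keygen -L output for a one-hour certificate issued to a service account.
SAMPLE_LISTING = """cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Serial: 0
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T11:00:00
        Principals: 
                yc-sa-my-robot
        Critical Options: (none)
"""
```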
OS Login benefits:
- Instant update of access permissions when revoking or granting roles.
- Access using short-lived SSH certificates.
- Access using SSH keys.
- Restoring access to VMs and Kubernetes cluster nodes if you lose your SSH keys (in case you use regular SSH keys instead of OS Login).
- Uploading your own SSH keys to your profile.