Contact UsGet started

Adding an SSH key

Written by
Updated at May 13, 2025

Upload SSH keys to the Cloud Organization profile of an organization user or service account so that the user or service account can use these to connect to VMs, Kubernetes cluster nodes, and Yandex BareMetal servers.

Create a new SSH key pair before you begin this tutorial, if you need to.

To add a public SSH key to a profile:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Users.

  3. From the list, select the user to whose profile you want to add an SSH key.

    Use the filter or search as needed.

  4. Navigate to the SSH keys tab and click Add key. In the window that opens:

    1. Name the SSH key you are adding.

    2. Enter the public SSH key manually or upload it from a file.

    3. Specify the validity period for the key.

    4. Click Add.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for uploading an SSH key to a user or service account profile:

    yc organization-manager oslogin user-ssh-key create --help

  2. Get the ID of the required organization:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization-1   | My organization         |
| bpf2c65rqcl8******** | sample-organization-new | New organization        |
+----------------------+-------------------------+-------------------------+

  3. Get the required user ID by specifying the organization ID you got earlier:

    yc organization-manager user list \
  --organization-id <organization_ID>

    Result:

    +----------------------+-----------------------+---------------------------------+----------------------+
|          ID          |       USERNAME        |              EMAIL              |    FEDERATION ID     |
+----------------------+-----------------------+---------------------------------+----------------------+
| aje5qd0po0nj******** | sample-user-1         | sample-user-1@yandex.ru         |                      |
| ajee30kevjjf******** | sample-user-2         | sample-user-2@yandex.ru         |                      |
| ajeeg4ju49h6******** | sample-user-3         | sample-user-3@yandex.ru         | bpfbl7q3mjbr******** |
| ajei280a73vc******** | sample-user-4         | sample-user-4@yandex.ru         |                      |
+----------------------+-----------------------+---------------------------------+----------------------+

    To add an SSH key to a service account profile, get the ID of the appropriate service account.

  4. Upload the SSH key to your user or service account profile:

    yc organization-manager oslogin user-ssh-key create \
  --organization-id <organization_ID> \
  --name "<key_name>" \
  --subject-id <user_or_service_account_ID> \
  --data "<public_SSH_key>" \
  --expires-at <key_expiration_date>

    Where:

    • --organization-id: Organization ID you got earlier.

    • --name: Uploaded key name.

    • --subject-id: Previously obtained ID of the user or service account to whose profile you are adding the SSH key.

    • --data: Contents of a public SSH key.

    • --expires-at: Uploaded key expiration date. This is an optional parameter. It allows you to set any expiration date for the uploaded key. You can specify the value in two formats:

      • Key expiration date in ISO 8601 format, e.g., YYYY-MM-DDT00:00:00Z.
      • Key validity period in hours and minutes, e.g., 1h or 3h30m.

    Result:

    id: bpfrtmgobqvc********
subject_id: ajei280a73vc********
data: ssh-ed25519 AAAAC3Nza_YOUR_PUBLIC_SSH_KEY_Ejal+P1sRgYA3T
name: My Key
fingerprint: SHA256:EJQdhwWDFj4TebYQzx9CmKZHr53rNN59u0W********
organization_id: bpf2c65rqcl8********
created_at: "2024-03-12T17:42:31.339022059Z"
expires_at: "2024-03-12T21:12:31.176467230Z"

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, describe the resources you want to create:

    resource "yandex_organizationmanager_user_ssh_key" "my_user_ssh_key" {
  organization_id = "<organization_ID>"
  subject_id      = "<user_ID>"
  data            = "<public_SSH_key>"
  name            = "<key_name>"
  expires_at      = "<key_expiration_date>"
}

    Where:

    • organization_id: Organization ID.
    • subject_id: ID of the user or service account to whose profile you are adding the SSH key.
    • data: Contents of a public SSH key.
    • name: Uploaded key name.
    • expires_at: Uploaded key expiration date. This is an optional parameter. It allows you to set any expiration time and date for the uploaded key. The value is set in ISO 8601 format, e.g., YYYY-MM-DDT00:00:00Z.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

    The SSH key will then be uploaded to the user profile. To make sure the SSH key is added, run this CLI command by specifying the organization ID:

    yc organization-manager oslogin user-ssh-key list --organization-id <organization_ID>

    Result:

    +----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+
|          ID          |  NAME  |   ORGANIZATION ID    |      SUBJECT ID      |                    FINGERPRINT                     |     CREATED AT      |     EXPIRES AT      |
+----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+
| bpf6big3s4h0******** | My key | bpf2c65rqcl8******** | ajei280a73vc******** | SHA256:EJQdhwWDFj4TebYQzx9CmKZHr53rNN59u0W******** | 2024-03-12 18:48:17 | 2024-03-12 21:12:31 |
+----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+

Use the create REST API method for the UserSshKey resource or the UserSshKeyService/Create gRPC API call.

You can only add an SSH key to a service account profile using the CLI, Terraform, or API.

To allow users to upload SSH keys to their own profiles, enable the Allow members to use their own SSH keys option.

See also

Previous
Renewing a Yandex Cloud SAML certificate
Next
Enabling refresh tokens