Contact UsGet started

Enabling access via OS Login

Written by
Updated at November 20, 2024

OS Login access allows you to connect to VMs and Kubernetes cluster nodes with an SSH key or SSH certificate using the YC CLI or a standard SSH client. If you are connecting with an SSH key, you need to add the public SSH key to the organization user profile in Yandex Cloud Organization first.

To create virtual machines or Kubernetes nodes with OS Login access, enable this feature at the organization level. This will allow you to enable OS Login access for VMs created from a ready-made image with OS Login support or configure the OS Login agent on an already running VM. For more information about connecting via OS Login, see Connecting to a virtual machine via OS Login.

Note

Images with OS Login support are available on Yandex Cloud Marketplace. VMs created from such images will have Access by OS Login enabled in the VM creation and editing form under Access in the management console. If this option is disabled, the selected image does not support OS Login access.

To enable OS Login access at the organization level:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Security settings.

  3. Enable the required access options:

    • Access via OS Login using SSH certificates (recommended).
      This option allows you to connect to a VM or Kubernetes cluster node with an OS Login certificate via the YC CLI or a standard SSH client.

    • Access via OS Login using SSH keys.
      This option allows you to connect to a VM or Kubernetes cluster node via the YC CLI or a standard SSH client with an SSH key stored in the OS Login profile of a user or service account.

    • Allow members to use their own SSH keys.
      The option is available if OS Login access with SSH keys is enabled.
      It allows users to upload public SSH keys to their profile to connect to VMs or Kubernetes cluster nodes on their own. To upload your own SSH keys, follow this guide.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to enable OS Login access at the organization level:

    yc organization-manager oslogin update-settings --help

  2. Get the ID of the required organization:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization-1   | My organization         |
| bpf2c65rqcl8******** | sample-organization-new | New organization        |
+----------------------+-------------------------+-------------------------+

  3. Enable OS Login access for the selected organization:

    yc organization-manager oslogin update-settings \
  --organization-id <organization_ID> \
  --ssh-certificates-enabled \
  --ssh-user-keys-enabled \
  --allow-manage-own-keys

    Where:

    • --organization-id: Organization ID you got earlier.

    • --ssh-certificates-enabled: Access via OS Login using SSH certificates. This option allows you to connect to a VM with an OS Login certificate via the YC CLI or a standard SSH client.

      To disable this option, provide the false value in the --ssh-certificates-enabled=false parameter.

    • --ssh-user-keys-enabled: Access via OS Login using SSH keys. This option allows you to connect to a VM via the YC CLI or a standard SSH client with an SSH key stored in the OS Login profile of an organization user.

      To disable this option, provide the false value in the --ssh-user-keys-enabled=false parameter.

    • --allow-manage-own-keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their profile to connect to VMs on their own. To upload your own SSH keys, follow this guide. The option is available if OS Login access with SSH keys is enabled.

      To disable this option, provide the false value in the --allow-manage-own-keys=false parameter.

    Result:

    user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the parameters of the resources you want to create:

    resource "yandex_organizationmanager_os_login_settings" "my_os_login_settings" {
  organization_id = "<organization_ID>"
  ssh_certificate_settings {
    enabled = true
  }
  user_ssh_key_settings {
    enabled               = true
    allow_manage_own_keys = true
  }
}

    Where:

    • organization_id: Organization ID. You can get the organization ID using the YC CLI yc organization-manager organization list command or in the management console.

    • ssh_certificate_settings: Access via OS Login using SSH certificates. This option allows you to connect to a VM with an OS Login certificate via the YC CLI or a standard SSH client. The enabled parameter may take either the true (option enabled) or false (option disabled) values.

    • user_ssh_key_settings: Section for managing access through user SSH keys.

      • enabled: Access via OS Login using SSH keys. This option allows you to connect to a VM via the YC CLI with an SSH key stored in an organization user profile. It may take either the true (option enabled) or false (option disabled) values.

      • allow_manage_own_keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their profile to connect to VMs on their own. To upload your own SSH keys, follow this guide. The option is available if OS Login access with SSH keys is enabled. It may take either the true (option enabled) or false (option disabled) values.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm that you want to create the resources.

    The organization settings will then be changed. To make sure the OS Login access is enabled, run the YC CLI command, specifying the organization ID:

    yc organization-manager oslogin get-settings --organization-id <organization_ID>

    Result:

    user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true

Use the updateSettings REST API method for the OsLogin resource or the OsLoginService/UpdateSettings gRPC API call.

See also

Previous
Configuring user group mapping for your federation
Next
Creating an OS Login profile