Enabling access via OS Login
Note

If OS Login access is enabled at the organization level, all new VMs created in this organization get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled, the default value of this field is INSTANCE_METADATA.
With OS Login, you can manage SSH access to VMs and individual nodes in node groups within Yandex Managed Service for Kubernetes clusters relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM or Kubernetes node when one is created. OS Login links the VM or Kubernetes node user account to a Yandex Cloud Organization account, i.e., an organization user account or service account.
Alert
A user with superuser
To create virtual machines or Kubernetes nodes with OS Login access, enable this feature at the organization level. To do this:

Management console

1. Log in to Yandex Cloud Organization using an administrator or organization owner account. Switch to an organization or federation of your choice as needed.
2. In the left-hand panel, select Security settings.
3. Enable the required operating modes:
   - Access via OS Login using SSH certificates (recommended). This mode allows you to connect to a VM or Kubernetes cluster node with an SSH certificate through the Yandex Cloud CLI or a standard SSH client.
   - Access via OS Login using SSH keys. This mode allows you to connect to a VM or Kubernetes cluster node through the Yandex Cloud CLI or a standard SSH client using an SSH key stored in the OS Login profile of a user or service account.
   - Allow members to use their own SSH keys. Allows users to upload public SSH keys to their OS Login profiles themselves for connection to VMs or Kubernetes cluster nodes. You can add a new SSH key to your profile in the management console when creating a VM or by following the guide titled Adding an SSH key.
CLI

1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

   The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

2. View the description of the CLI command that enables OS Login access at the organization level:

   ```bash
   yc organization-manager oslogin update-settings --help
   ```

3. Get the ID of the required organization:

   ```bash
   yc organization-manager organization list
   ```

   Result:

   ```text
   +----------------------+-------------------------+-------------------------+
   |          ID          |          NAME           |          TITLE          |
   +----------------------+-------------------------+-------------------------+
   | bpf1smsil5q0******** | sample-organization-1   | My organization         |
   | bpf2c65rqcl8******** | sample-organization-new | New organization        |
   +----------------------+-------------------------+-------------------------+
   ```

4. Enable access via OS Login for the selected organization:

   ```bash
   yc organization-manager oslogin update-settings \
     --organization-id <organization_ID> \
     --ssh-certificates-enabled \
     --ssh-user-keys-enabled \
     --allow-manage-own-keys
   ```

   Where:

   - --organization-id: Organization ID you got earlier.
   - --ssh-certificates-enabled: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client. To disable this option, pass --ssh-certificates-enabled=false.
   - --ssh-user-keys-enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes through the Yandex Cloud CLI or a standard SSH client using an SSH key stored in the OS Login profile of an organization user or service account. To disable this option, pass --ssh-user-keys-enabled=false.
   - --allow-manage-own-keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their OS Login profiles themselves for connection to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow this guide. To disable this option, pass --allow-manage-own-keys=false.

   Result:

   ```yaml
   user_ssh_key_settings:
     enabled: true
     allow_manage_own_keys: true
   ssh_certificate_settings:
     enabled: true
   ```
Terraform

1. If you don't have Terraform yet, install it and configure the Yandex Cloud provider.

2. In the configuration file, define the parameters of the resource you want to create:

   ```hcl
   resource "yandex_organizationmanager_os_login_settings" "my_os_login_settings" {
     organization_id = "<organization_ID>"
     ssh_certificate_settings {
       enabled = true
     }
     user_ssh_key_settings {
       enabled               = true
       allow_manage_own_keys = true
     }
   }
   ```

   Where:

   - organization_id: Organization ID. You can get it with the yc organization-manager organization list command in the Yandex Cloud CLI or through the Cloud Center interface.
   - ssh_certificate_settings: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client. The enabled parameter takes either true (option enabled) or false (option disabled).
   - user_ssh_key_settings: Section for managing access through user SSH keys.
     - enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes through the Yandex Cloud CLI or a standard SSH client using an SSH key stored in the OS Login profile of an organization user or service account. Takes either true (option enabled) or false (option disabled).
     - allow_manage_own_keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their OS Login profiles themselves for connection to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow this guide. Takes either true (option enabled) or false (option disabled).

   For more information about the resources you can create with Terraform, see the provider documentation.

3. Make sure the configuration files are correct.

   1. In the command line, go to the directory where you created the configuration file.
   2. Run a check using this command:

      ```bash
      terraform plan
      ```

      If the configuration is described correctly, the terminal displays a list of the resources being created and their parameters. If the configuration contains any errors, Terraform points them out.

4. Deploy the cloud resources.

   1. If the configuration does not contain any errors, run this command:

      ```bash
      terraform apply
      ```

   2. Confirm creating the resources.

   The organization settings will then be changed. To make sure OS Login access is enabled, run this Yandex Cloud CLI command, specifying the organization ID:

   ```bash
   yc organization-manager oslogin get-settings --organization-id <organization_ID>
   ```

   Result:

   ```yaml
   user_ssh_key_settings:
     enabled: true
     allow_manage_own_keys: true
   ssh_certificate_settings:
     enabled: true
   ```
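The get-settings output that closes both the CLI and the Terraform procedures is easy to eyeball once, but an organization policy needs to be re-checked. The script below is an added example, not part of the Yandex Cloud documentation: it parses that YAML and reports whether the settings match a policy chosen here (certificate-based access required, following the page's recommendation; key-based access reported as a finding because profile keys are standing credentials; self-managed keys without key-based access flagged as inconsistent). The function names, the policy, and the embedded sample output are this example's own; the sample reproduces the result shown on this page.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud documentation): audit the settings
# printed by
#   yc organization-manager oslogin get-settings --organization-id <organization_ID>
# against a chosen policy. Function names and the policy are this example's own.

# Read one boolean out of the two-level YAML the command prints.
#   $1: YAML text   $2: top-level section   $3: key inside that section
# Prints "true", "false", or "missing" (section or key absent).
oslogin_setting() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[^ ]/ { section = $1; sub(/:$/, "", section); next }   # new top-level section
        section == sec && $1 == (key ":") { print $2; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# Policy (this example's choice, following the page's recommendation):
#   - ssh_certificate_settings.enabled must be true: short-lived certificates
#     issued through IAM are the preferred path.
#   - user_ssh_key_settings.enabled is reported when on: every key in a
#     profile is a long-lived credential that has to be rotated by hand.
#   - allow_manage_own_keys=true while key-based access is off is reported as
#     a likely misconfiguration (uploaded keys cannot be used for connection).
#   - Any missing value is an error: the output is not what we expect.
# Returns 0 when the settings pass, 1 otherwise; findings go to stdout.
check_oslogin_settings() {
    certs=$(oslogin_setting "$1" ssh_certificate_settings enabled)
    keys=$(oslogin_setting "$1" user_ssh_key_settings enabled)
    own=$(oslogin_setting "$1" user_ssh_key_settings allow_manage_own_keys)
    rc=0
    for v in "$certs" "$keys" "$own"; do
        [ "$v" = missing ] && { echo "ERROR: unexpected get-settings output"; return 1; }
    done
    if [ "$certs" != true ]; then
        echo "FAIL: ssh_certificate_settings.enabled=$certs (policy requires true)"
        rc=1
    fi
    if [ "$keys" = true ]; then
        echo "INFO: user_ssh_key_settings.enabled=true (long-lived SSH keys in use)"
    elif [ "$own" = true ]; then
        echo "FAIL: allow_manage_own_keys=true while key-based access is disabled"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: OS Login settings match policy"
    return "$rc"
}

# Constructed sample: the result shown on this page, as get-settings prints it.
SAMPLE_SETTINGS='user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true'

# Live use (requires the yc CLI and an organization ID; not run here):
#   check_oslogin_settings "$(yc organization-manager oslogin get-settings --organization-id "$ORG_ID")"
check_oslogin_settings "$SAMPLE_SETTINGS"
```

Run against the live command for each ID returned by yc organization-manager organization list to audit every organization you administer; a non-zero exit makes the check usable as a gate in a pipeline.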
API

Use the updateSettings REST API method for the OsLogin resource or the OsLoginService/UpdateSettings gRPC API call.
Note

The minimum role required to view the list of OS Login user profiles is organization-manager.osLogins.viewer, assigned for your organization. For other roles that allow viewing the list of OS Login profiles, see Access management in Yandex Cloud Organization.