Yandex project
© 2025 Yandex.Cloud LLC

Enabling access via OS Login

Written by
Yandex Cloud
Updated at May 5, 2025

Note

If OS Login access is enabled at the organization level, all new VMs created in this organization will get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If OS Login access is disabled, the default value of this field will be INSTANCE_METADATA.

With OS Login, you can manage SSH access to VMs and individual nodes in node groups within Yandex Managed Service for Kubernetes clusters relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM or Kubernetes node when one is created. OS Login links the VM or Kubernetes node user account to a Yandex Cloud Organization account, i.e., an organization user account or service account.

Alert

A user with superuser permissions for a VM can retain access to it even if the roles are revoked. To prevent user access to a VM with old permissions, create a new VM from a clean image.

To create virtual machines or Kubernetes nodes with OS Login access, enable this feature at the organization level. To do this:

Cloud Center interface
  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Security settings.

  3. Enable the required operating modes:

    • Access via OS Login using SSH certificates (recommended).
      This mode allows you to connect to a VM or Kubernetes cluster node with an SSH certificate through the Yandex Cloud CLI or a standard SSH client.

    • Access via OS Login using SSH keys.
      This mode allows you to connect to a VM or Kubernetes cluster node through the Yandex Cloud CLI or a standard SSH client using an SSH key stored in the OS Login profile of a user or service account.

    • Allow members to use their own SSH keys.
      Allows users themselves to upload public SSH keys to their OS Login profiles for connection to VMs or Kubernetes cluster nodes.

      You can add a new SSH key to your profile in the management console when creating a VM or by following the guide titled Adding an SSH key.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to enable OS Login access at the organization level:

    yc organization-manager oslogin update-settings --help
    
  2. Get the ID of the required organization:

    yc organization-manager organization list
    

    Result:

    +----------------------+-------------------------+-------------------------+
    |          ID          |          NAME           |          TITLE          |
    +----------------------+-------------------------+-------------------------+
    | bpf1smsil5q0******** | sample-organization-1   | My organization         |
    | bpf2c65rqcl8******** | sample-organization-new | New organization        |
    +----------------------+-------------------------+-------------------------+
    
  3. Enable access via OS Login for the selected organization:

    yc organization-manager oslogin update-settings \
      --organization-id <organization_ID> \
      --ssh-certificates-enabled \
      --ssh-user-keys-enabled \
      --allow-manage-own-keys
    

    Where:

    • --organization-id: Organization ID you got earlier.

    • --ssh-certificates-enabled: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client.

      To disable this option, set the parameter to false: --ssh-certificates-enabled=false.

    • --ssh-user-keys-enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes via the Yandex Cloud CLI or a standard SSH client, using an SSH key stored in the OS Login profile of an organization user or service account.

      To disable this option, set the parameter to false: --ssh-user-keys-enabled=false.

    • --allow-manage-own-keys: Allow users to upload their own SSH keys. This option allows users themselves to upload public SSH keys to their OS Login profiles for connection to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow the Adding an SSH key guide.

      To disable this option, set the parameter to false: --allow-manage-own-keys=false.

    Result:

    user_ssh_key_settings:
      enabled: true
      allow_manage_own_keys: true
    ssh_certificate_settings:
      enabled: true
    

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, define the parameters of the resources you want to create:

    resource "yandex_organizationmanager_os_login_settings" "my_os_login_settings" {
      organization_id = "<organization_ID>"
      ssh_certificate_settings {
        enabled = true
      }
      user_ssh_key_settings {
        enabled               = true
        allow_manage_own_keys = true
      }
    }
    

    Where:

    • organization_id: Organization ID. You can get the organization ID using the yc organization-manager organization list command in the Yandex Cloud CLI or through the Cloud Center interface.

    • ssh_certificate_settings: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client. The enabled parameter may take either the true (option enabled) or false (option disabled) values.

    • user_ssh_key_settings: Section for managing access through user SSH keys.

      • enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes via the Yandex Cloud CLI or a standard SSH client, using an SSH key stored in the profile of an organization user. It may take either the true (option enabled) or false (option disabled) value.

      • allow_manage_own_keys: Allow users to upload their own SSH keys. This option allows users themselves to upload public SSH keys to their OS Login profiles for connection to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow the Adding an SSH key guide. It may take either the true (option enabled) or false (option disabled) value.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources.

    The organization settings will then be changed. To make sure OS Login access is enabled, run this Yandex Cloud CLI command, specifying the organization ID:

    yc organization-manager oslogin get-settings --organization-id <organization_ID>
    

    Result:

    user_ssh_key_settings:
      enabled: true
      allow_manage_own_keys: true
    ssh_certificate_settings:
      enabled: true
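
The get-settings check above can be turned into a repeatable drift check that compares the reported settings with a baseline. This is an added example, not Yandex Cloud code: the function names, the baseline (certificates on, self-managed keys off) and the rule that a key missing from the output counts as false are assumptions.

```shell
# Added example (not Yandex Cloud code): drift check for OS Login settings.
# Real use: yc organization-manager oslogin get-settings \
#   --organization-id <organization_ID> | check_oslogin_settings <baseline...>

# Flatten the two-level YAML into "section.key=value" lines.
flatten_oslogin_settings() {
  awk '
    /^[A-Za-z_]+:[ \t]*$/ { sub(/:[ \t]*$/, ""); section = $0; next }
    /^[ \t]+[A-Za-z_]+:[ \t]*[^ \t]/ {
      line = $0; sub(/^[ \t]+/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      print section "." key "=" val
    }'
}

# Look up one flattened key ($2) in the flattened settings ($1).
# Assumption: a key missing from the output is treated as false.
oslogin_value() {
  v=$(printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }')
  printf '%s\n' "${v:-false}"
}

# Compare settings read from stdin with a baseline passed as section.key=value
# arguments. Prints one DRIFT line per mismatch and returns 1 if any differ.
check_oslogin_settings() {
  actual=$(flatten_oslogin_settings)
  rc=0
  for want in "$@"; do
    key=${want%%=*}
    got=$(oslogin_value "$actual" "$key")
    if [ "$got" != "${want#*=}" ]; then
      echo "DRIFT $key: expected ${want#*=}, got $got"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample, same shape as the result shown above.
SAMPLE_SETTINGS='user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true'

# Assumed baseline: certificates on, users may not manage their own keys.
printf '%s\n' "$SAMPLE_SETTINGS" | check_oslogin_settings \
  ssh_certificate_settings.enabled=true \
  user_ssh_key_settings.allow_manage_own_keys=false || true
```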
    

API

Use the updateSettings REST API method for the OsLogin resource or the OsLoginService/UpdateSettings gRPC API call.

Note

The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

See also

  • Creating an OS Login profile
  • Adding an SSH key
  • Connecting to a VM via OS Login
  • Connecting to a Kubernetes node via OS Login
  • Using a service account with an OS Login profile for VM management via Ansible
