Contact UsGet started

Creating an OS Login profile

Written by
Updated at May 5, 2025

By default, enabling the OS Login access creates OS Login profiles for all users within your organization and service accounts. A single user or service account in a Cloud Organization can have multiple OS Login profiles: different profiles allow you to connect to VMs or Kubernetes cluster nodes as different local users of those VMs or Kubernetes nodes.

Note

The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Cloud Organization.

To create an additional OS Login profile:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Users.

  3. From the list, select the user you want to create an OS Login profile for.

    Use the filter or search as needed.

  4. On the user page, go to the OS Login Profiles tab and click Create profile. In the window that opens:

    1. Enter the OS username that will be assigned to the organization user or service account when connecting to the VM. It must be unique within the folder.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.

    2. In the ID (uid) field, enter a unique numeric user ID (UID) within the range from 1000 to 65534. It must be unique within the system.

    3. (Optional) In the Home directory field, enter the path to the user's home folder.

    4. (Optional) In the Default shell field, specify the path to the command shell executable file.

    5. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for creating an OS Login profile:

    yc organization-manager oslogin profile create --help

  2. Get the ID of the required organization:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-----------------------+--------+
|          ID          |          NAME           |         TITLE         | LABELS |
+----------------------+-------------------------+-----------------------+--------+
| bpf1smsil5q0******** | sample-organization-1   | My organization       |        |
| bpf2c65rqcl8******** | sample-organization-new | New organization      |        |
+----------------------+-------------------------+-----------------------+--------+

  3. Get the required user ID by specifying the ID of the organization it belongs to:

    yc organization-manager user list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------+-------------------+---------------+-----------------------+
|          ID          | USERNAME |       EMAIL       | FEDERATION ID | LAST AUTHENTICATED AT |
+----------------------+----------+-------------------+---------------+-----------------------+
| rser11gh89el******** | user01   | user01@example.ru |               |                       |
| mber02hy54km******** | user02   | user02@example.ru |               |                       |
+----------------------+----------+-------------------+---------------+-----------------------+

    To create an OS Login profile for a service account, get the service account ID.

  4. Create an OS Login profile for the selected user or service account:

    yc organization-manager oslogin profile create \
  --organization-id <organization_ID> \
  --subject-id <user_or_service_account_ID> \
  --login <login> \
  --uid <numeric_ID> \
  --home-directory <path_to_home_folder> \
  --shell <path_to_command_shell_executable_file>

    Where:

    • --organization-id: Organization ID you got earlier.

    • --subject-id: User or service account ID you got earlier.

    • --login: OS username the user will get when connected to the VM. It must be unique within the folder.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.

    • --uid: Unique numeric user ID (UID) within the range from 1000 to 65534. It must be unique within the system.

    • --home-directory: Path to the user's home folder on the VM. This is an optional parameter. The default value is /home/<username>.

    • --shell: Path to the command shell executable file on the VM. This is an optional parameter. The default value is /bin/bash.

    Result:

    id: aje6ddct3de5********
organization_id: bpf1smsil5q0********
subject_id: rser11gh89el********
login: new-os-login
uid: "100500"
home_directory: home/username
shell: bin/bash

Use the createProfile REST API method for the OsLogin resource or the OsLoginService/CreateProfile gRPC API call.

You can only create an OS Login service account profile using the Yandex Cloud CLI or API.

Note

If you set the UID manually, use values in the range from 1000 to 65534. Using this range will prevent collisions between the OS Login profile UID and those of OS system profiles.

See also

Previous
Enabling access via OS Login
Next
Overview