Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Connecting to a virtual machine via OS Login

Written by
Updated at October 30, 2024

OS Login is used to provide users and service accounts with SSH access to VMs via SSH using IAM.

Getting started

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Create a new virtual machine with OS Login support or set up access via OS Login for an existing VM as needed.

Note

Required roles:

To connect to a virtual machine or Kubernetes node with OS Login access enabled via the YC CLI, the user or service account under which you will run the YC CLI command needs the compute.osLogin or compute.osAdminLogin role, as well as the compute.operator role.

To connect to a virtual machine or Kubernetes node with OS Login access enabled via a standard SSH client, the user or service account used for connection needs the compute.osLogin or compute.osAdminLogin role.

Connecting using a standard SSH client

To connect to a VM with OS Login access enabled, you can use a standard SSH client and provide either the SSH key saved in the user or service account OS Login profile or a short-lived SSH certificate you export for a user or service account.

To connect to a VM instance via OS Login with an SSH key using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login using an SSH certificate, enable Access via OS Login using SSH keys.

    To add an SSH key to an organization user profile, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. Get the ID of the organization which contains the required OS Login profile of a user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of logins in the OS Login profiles of an organization's users and service accounts by specifying its ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <path_to_private_SSH_key_file> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <path_to_private_SSH_key_file>: Path to the file containing the private SSH key, e.g., /home/user1/.ssh/id_ed25519.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    You can also see the command for VM connection in the management console. On the Overview page of the VM you need, under Connect to VM, expand the Connect via SSH client section and select the SSH key tab.

    If this is your first time connecting to the VM, you will see an unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    Type yes in the terminal and press Enter.

To connect to a VM via OS Login with an SSH certificate using a standard SSH client:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login using an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. Export the SSH certificate to your local computer.

  3. Get the ID of the organization which contains the required OS Login profile of a user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of logins in the OS Login profiles of an organization's users and service accounts by specifying its ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

    Save the public IP address (the EXTERNAL IP value) of the VM you want to connect to.

  6. Connect to the VM:

    ssh -i <certificate_file_path> \
  -l <user_or_service_account_login> <VM_public_IP_address>

    Where:

    • <certificate_file_path>: Path to the certificate’s Identity file you exported previously, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.
    • <user_or_service_account_login>: Previously obtained user or service account login, as set in the OS Login profile.
    • <VM_public_IP_address>: VM public IP address you saved earlier.

    You can also see the command for VM connection in the management console. On the Overview page of the VM you need, under Connect to VM, expand the Connect via SSH client section and select the Certificate tab.

    If this is your first time connecting to the VM, you will see an unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    Type yes in the terminal and press Enter.

Note

The certificate is valid for one hour. After this time has elapsed, you will need to export a new certificate to connect to the VM.

You will connect to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM's operating system.

Connecting using the YC CLI

To connect to a VM with OS Login access enabled, you can use the YC CLI and provide either the SSH key saved in the user or service account OS Login profile or SSH certificate of a user or service account.

To connect to a VM instance via OS Login with an SSH key using the YC CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login using an SSH certificate, enable Access via OS Login using SSH keys.

    To add an SSH key to an organization user profile, enable Allow members to use their own SSH keys.

  2. Create an SSH key pair and add the public key to the OS Login profile of a user or service account. Remember where your private key is stored, as you will need it to connect to a VM.

  3. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  4. Get the ID of the organization which contains the required OS Login profile of a user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  5. Get a list of logins in the OS Login profiles of an organization's users and service accounts by specifying its ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

  6. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  7. Connect to the VM:

    yc compute ssh \
  --name <VM_name> \
  --identity-file <path_to_private_SSH_key_file> \
  --login <user_or_service_account_login> \
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --identity-file: Path to a private SSH key file, e.g., /home/user1/.ssh/id_ed25519.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the SSH certificate of the user or service account currently authorized in the YC CLI profile.
    • (Optional) --internal-address: To connect using an internal IP address.

    You can also see the command for VM connection in the management console. On the Overview page of the VM you need, under Connect to VM, expand the Connect via the Yandex Cloud CLI interface section and select the SSH key tab.

To connect to a VM via OS Login with an SSH certificate using the YC CLI:

  1. Enable access via OS Login at the organization level.

    To connect to a VM via OS Login using an SSH certificate, enable Access via OS Login using SSH certificates (recommended).

  2. View the description of the CLI command to connect to a VM:

    yc compute ssh --help

  3. Get the ID of the organization which contains the required OS Login profile of a user or service account:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization1    | Organization 1          |
| bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
| bpf6dne49ue8******** | sample-organization3    | Organization 3          |
+----------------------+-------------------------+-------------------------+

  4. Get a list of logins in the OS Login profiles of an organization's users and service accounts by specifying its ID:

    yc organization-manager os-login profile list \
  --organization-id <organization_ID>

    Result:

    +----------------------+----------------------+-----------+----------------------+----------------------+------------+
|          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+
| aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
| ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
| ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
+----------------------+----------------------+-----------+----------------------+----------------------+------------+

    Save the LOGIN field value for the required user or service account: you will need it later.

  5. Get a list of all VMs in the default folder:

    yc compute instance list

    Result:

    +----------------------+-----------------+---------------+---------+---------------+--------------+
|          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
+----------------------+-----------------+---------------+---------+---------------+--------------+
| fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
| fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
+----------------------+-----------------+---------------+---------+---------------+--------------+

  6. Connect to the VM:

    yc compute ssh \
  --name <VM_name>
  --login <user_or_service_account_login>
  --internal-address

    Where:

    • --name: Previously obtained VM name. You can specify the VM ID instead of its name by using the --id parameter.
    • --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the SSH certificate of the user or service account currently authorized in the YC CLI profile.
    • (Optional) --internal-address: To connect using an internal IP address.

    You can also see the command for VM connection in the management console. On the Overview page of the VM you need, under Connect to VM, expand the Connect via the Yandex Cloud CLI interface section and select the Certificate tab.

You will connect to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM's operating system.

See also

Previous
Exporting an SSH certificate
Next
Working with Yandex Cloud from inside a VM