Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Blog
  • Pricing
  • Documentation
© 2025 Direct Cursus Technology L.L.C.
Yandex Compute Cloud
    • All tutorials
      • Connecting to a VM over SSH
      • Exchanging files with VMs
      • Connecting to a VM via RDP
      • Connecting to a VM via PowerShell
        • Creating a VM with OS Login support
        • Configuring OS Login on an existing VM
        • Exporting an SSH certificate
        • Connecting to a VM via OS Login
      • Using Yandex Cloud from within a VM
      • Installing NVIDIA drivers
      • Recovering access to a VM
    • Viewing operations with resources
  • Yandex Container Solution
  • Access management
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes
  1. Step-by-step guides
  2. Using a VM
  3. OS Login
  4. Creating a VM with OS Login support

Creating a VM with OS Login

Written by
Yandex Cloud
Updated at May 13, 2025

With OS Login, you can provide users and service accounts access to VMs relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM when creating it.

Tip

To create VMs with OS Login access and connect to such VMs, enable OS Login at the Yandex Cloud organization level first.

For connection to a virtual machine or Kubernetes node with OS Login access enabled, assign the compute.osLogin or compute.osAdminLogin role to the user or service account. When connecting using the Yandex Cloud CLI, you additionally need the compute.operator role.

You can use either the CLI or a standard SSH client to connect to VMs with OS Login access enabled. The connection can be established using an SSH certificate or SSH key, which first needs to be added to the Yandex Cloud Organization user's or service account's OS Login profile.

Note

We recommend creating a local user on the new VM and providing a separate SSH key for that user: this way you will still be able to connect to the VM via SSH even if you disable the OS Login access for it. You can create a local user and provide an SSH key for them using metadata:

For users added via metadata:

  • After enabling access to a VM via OS Login, the keys specified in user-data and ssh-keys are removed from the metadata.
  • After disabling access to a VM via OS Login, the removed keys are recreated.

To create a VM with OS Login:

Management console
CLI
Terraform
API
  1. Enable access via OS Login at the organization level.

  2. Create a VM from a pre-built image with OS Login access support. Such images are available on Yandex Cloud Marketplace.

    When creating a VM, select Access under Access by OS Login. If this option is not available, the selected image does not support OS Login access.

    To be able to connect to the VM via SSH without OS Login, update the VM settings and select Access under SSH key.

  1. Enable access via OS Login at the organization level.

  2. Create a VM from a pre-built image with OS Login access support.

    When creating a VM, specify this parameter for access via OS Login:

    --metadata enable-oslogin=true
    
  1. Enable access via OS Login at the organization level.

  2. Create a VM from a pre-built image with OS Login access support.

    When creating a VM for the yandex_compute_instance resource, specify the following parameter in the metadata parameter section to enable access via OS Login:

    metadata = {
      enable-oslogin = true
    }
    
  1. Enable access via OS Login at the organization level.

  2. Create a VM using the create REST API method for the Instance resource from a public image with OS Login access support:

    When creating the VM, provide enable-oslogin=true in the metadata field.

After the created VM changes its status to Running, you will be able to connect to it via OS Login.

Was the article helpful?

Previous
Connecting to a VM via PowerShell
Next
Configuring OS Login on an existing VM
© 2025 Direct Cursus Technology L.L.C.