Exporting an SSH certificate
You can use an SSH certificate of an organization user or service account to enable a user or a third-party tool, such as Terraform
To export the SSH certificate of a Cloud Organization organization user or service account to a local computer:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the CLI command for exporting an SSH certificate to a local directory:

  yc compute ssh certificate export --help
- Get the ID of the organization containing the required OS Login profile of the user or service account:

  yc organization-manager organization list

  Result:

  +----------------------+-------------------------+-------------------------+
  | ID                   | NAME                    | TITLE                   |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
  | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
  | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
  +----------------------+-------------------------+-------------------------+
- Get a list of OS Login profile logins of your organization's users and service accounts by specifying the organization ID:

  yc organization-manager os-login profile list \
    --organization-id <organization_ID>

  Result:

  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | ID                   | LOGIN                | UID       | ORGANIZATION ID      | SUBJECT ID           | IS DEFAULT |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+
  | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
  | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
  | ajej57b2kf0t******** | user2                | 1011      | bpfaidqca8vd******** | ajei280a73vc******** | true       |
  +----------------------+----------------------+-----------+----------------------+----------------------+------------+

  Save the LOGIN field value for the required user or service account: you will need it later.

  Note: To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.

- Export the certificate:

  yc compute ssh certificate export \
    --login <user_or_service_account_login> \
    --organization-id <organization_ID> \
    --directory <path_to_directory>
  Where:

  - --login: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set it, the SSH certificate of the user or service account currently authorized in the YC CLI profile is exported.
  - --organization-id: Previously obtained ID of the organization to export the SSH certificate from. This is an optional parameter. If it is not set, the certificate is exported from the organization the default folder belongs to.
  - --directory: Path to the local directory to save the exported SSH certificate to. This is an optional parameter. If it is not set, the certificate is saved to the .ssh directory in the home directory of the current PC user (~/.ssh/).
  Result:

  Identity: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>
  Certificate: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>-cert.pub
If you save the exported certificate to a directory different from the default one, make sure that only the current user can access the saved certificate files. If needed, update the file permissions using the chmod command on Linux and macOS, or on the Security tab of the file properties in Windows Explorer.
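As an added example that is not part of the Yandex Cloud documentation: a POSIX shell script that runs the export command above into a custom directory and then applies the permission check recommended here, restricting the identity file to its owner. It assumes the yc CLI is installed and initialised, and that the file paths are taken from the "Identity:" and "Certificate:" lines of the command's output as shown in the result above.

```shell
# Added example (not from the Yandex Cloud documentation). Assumes the yc CLI
# is installed and initialised, and that LOGIN and ORG_ID come from
# `yc organization-manager os-login profile list`.

# Print a file's permission bits in octal (GNU stat on Linux, BSD stat on macOS).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Restrict the identity (private key) file to its owner (0600) and the public
# certificate to owner-writable, world-readable (0644), then verify the result.
# Returns 0 when both files carry the expected modes, 1 otherwise.
harden_cert_perms() {
  identity="$1"
  cert="$2"
  chmod 600 "$identity" || return 1
  chmod 644 "$cert" || return 1
  [ "$(file_mode "$identity")" = "600" ] || return 1
  [ "$(file_mode "$cert")" = "644" ] || return 1
}

# Export the certificate for LOGIN in ORG_ID into DIR (the page's command), read
# the "Identity:" and "Certificate:" paths from the CLI output, then harden them.
export_and_harden() {
  login="$1"
  org_id="$2"
  dir="$3"
  out=$(yc compute ssh certificate export \
          --login "$login" \
          --organization-id "$org_id" \
          --directory "$dir") || return 1
  identity=$(printf '%s\n' "$out" | sed -n 's/^Identity: *//p')
  cert=$(printf '%s\n' "$out" | sed -n 's/^Certificate: *//p')
  [ -n "$identity" ] && [ -n "$cert" ] || return 1
  harden_cert_perms "$identity" "$cert"
}

# Usage (placeholder values):
# export_and_harden "<user_or_service_account_login>" "<organization_ID>" "$HOME/certs"
```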
You can use the exported SSH certificate to connect to a VM with OS Login access configured.