Exporting an SSH certificate
You can use an SSH certificate of an organization user or service account to enable a user or a third-party tool, such as Terraform or Ansible, to use SSH to connect to a VM with enabled OS Login access. To do this, locally export an SSH certificate and use it to access the VM via a standard SSH client. The exported certificate is valid for one hour.
To export a SSH certificate of a user of the Cloud Organization organization or a service account to a local PC:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for exporting an SSH certificate to a local directory:
yc compute ssh certificate export --help -
Get the ID of the organization which contains the required OS Login profile of a user or service account:
yc organization-manager organization listResult:
+----------------------+-------------------------+-------------------------+ | ID | NAME | TITLE | +----------------------+-------------------------+-------------------------+ | bpf1smsil5q0******** | sample-organization1 | Organization 1 | | bpf2c65rqcl8******** | sample-organization2 | Organization 2 | | bpf6dne49ue8******** | sample-organization3 | Organization 3 | +----------------------+-------------------------+-------------------------+ -
Get a list of logins in the OS Login profiles of an organization's users and service accounts by specifying its ID:
yc organization-manager os-login profile list \ --organization-id <organization_ID>Result:
+----------------------+----------------------+-----------+----------------------+----------------------+------------+ | ID | LOGIN | UID | ORGANIZATION ID | SUBJECT ID | IS DEFAULT | +----------------------+----------------------+-----------+----------------------+----------------------+------------+ | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true | | ajegs81t2k9s******** | user1 | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true | | ajej57b2kf0t******** | user2 | 1011 | bpfaidqca8vd******** | ajei280a73vc******** | true | +----------------------+----------------------+-----------+----------------------+----------------------+------------+Save the
LOGINfield value for the required user or service account: you will need it later. -
Export the certificate:
yc compute ssh certificate export \ --login <user_or_service_account_login> --organization-id <organization_ID> \ --directory <path_to_directory>Where:
--login: Previously obtained login for the user or service account, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the SSH certificate will be downloaded for the user or service account currently authorized in the YC CLI profile.--organization-id: Previously obtained ID of the organization to export the SSH certificate from. This is an optional parameter. If the parameter is not set, the certificate will be exported from the organization the default folder belongs to.--directory: Path to the local directory to save the exported SSH certificate to. This is an optional parameter. If not specified, the certificate will be saved by default to the.sshhome directory of the current PC user (~/.ssh/).
Result:
Identity: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername Certificate: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername-cert.pubIf you save the exported certificate to a directory different from the default one, make sure that only the current user can access the certificate files saved. If you need to, update the user permissions using the
chmodcommand on Linux and macOS or on the Security tab in Windows Explorer's file properties.
You can use the exported SSH certificate to connect to a VM with configured OS Login access.