Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Connecting to a Yandex Data Processing host via OS Login

Written by
Updated at November 26, 2025

Warning

You can enable OS Login access to hosts only when creating a cluster.

OS Login is used instead of SSH keys to access Yandex Cloud virtual machines.

You can connect to Yandex Data Processing cluster hosts via OS Login using a standard SSH client or the Yandex Cloud CLI.

Before connecting:

  1. Enable access via OS Login at the organization level.

  2. Configure security groups.

  3. Assign one of the following roles to the user or service account you will use for the connection:

    • compute.osLogin
    • compute.osAdminLogin

    If connecting using the Yandex Cloud CLI, you will additionally need the compute.operator role.

  4. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

Connect using a standard SSH client

  1. Export the OS Login certificate.

    Note

    The certificate is valid for one hour, after which you need to export it again.

    The certificate includes the public and private parts. Save the path to the Identity private part as you will need it to connect to the host.

  2. Learn the Yandex Data Processing host IP:

    1. Get a list of hosts:

      yc dataproc cluster list-hosts <cluster_name_or_ID>

      You can get the cluster ID and name with the list of clusters in the folder.

      Result:

      +------------------------------------------------------+----------------------+------------+----------------------+--------+
|                         NAME                         | COMPUTE INSTANCE ID  |    ROLE    |    SUBCLUSTER ID     | HEALTH |
+------------------------------------------------------+----------------------+------------+----------------------+--------+
| rc1a-dataproc-d-q8659net********.mdb.yandexcloud.net | fhmr7sd33fl8******** | DATANODE   | c9qaps7qjj2d******** | ALIVE  |
| rc1a-dataproc-m-hhhifdgl********.mdb.yandexcloud.net | fhmg686pspri******** | MASTERNODE | c9q7aen26lid******** | ALIVE  |
+------------------------------------------------------+----------------------+------------+----------------------+--------+

      From the COMPUTE INSTANCE ID column, save the VM ID that matches your host.

    2. Get the VM info:

      yc compute instance get <VM_ID>

      Result:

      ...
primary_v4_address:
  address: <internal_IP_address>
  one_to_one_nat:
    address: <external_IP_address>
    ip_version: IPV4
...

      If you are connecting to the host from the internet, save the external IP address; for connections from an intermediate VM, save the internal IP address.

  3. Connect to the host:

    ssh -i <path_to_certificate_file> <user_login>@<host_IP_address>

    Where:

    • <path_to_certificate_file>: Path to the certificate's Identity file you saved earlier, e.g., /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername.

    • <user_login>: Login set for the user in the OS Login profile. This login is also specified at the end of the name of the exported OS Login certificate. In the example above, it is orgusername.

      Note

      For service accounts, OS Login profiles are not created automatically. To connect to a VM or Kubernetes node on behalf of a service account, you need to manually create an OS Login profile.

    • <host_IP_address>: Host IP address you got earlier.

    When connecting to the host for the first time, you will get an unknown host warning:

    The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
Are you sure you want to continue connecting (yes/no)?

    Type yes into the terminal and press Enter.

Connect using the CLI

  1. Get a list of Yandex Data Processing hosts:

    yc dataproc cluster list-hosts <cluster_name_or_ID>

    You can get the cluster ID and name with the list of clusters in the folder.

    Result:

    +------------------------------------------------------+----------------------+------------+----------------------+--------+
|                         NAME                         | COMPUTE INSTANCE ID  |    ROLE    |    SUBCLUSTER ID     | HEALTH |
+------------------------------------------------------+----------------------+------------+----------------------+--------+
| rc1a-dataproc-d-q8659net********.mdb.yandexcloud.net | fhmr7sd33fl8******** | DATANODE   | c9qaps7qjj2d******** | ALIVE  |
| rc1a-dataproc-m-hhhifdgl********.mdb.yandexcloud.net | fhmg686pspri******** | MASTERNODE | c9q7aen26lid******** | ALIVE  |
+------------------------------------------------------+----------------------+------------+----------------------+--------+

    From the COMPUTE INSTANCE ID column, save the VM ID that matches your host.

  2. Connect to the host:

    yc compute ssh --id <VM_ID>

    Note

    For service accounts, OS Login profiles are not created automatically. To connect to a VM or Kubernetes node on behalf of a service account, you need to manually create an OS Login profile.

Previous
Connecting to a host over SSH
Next
Connecting to a host from graphical IDEs