Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Adding an SSH key

Written by
Updated at November 14, 2024

Upload SSH keys to the organization user or service account profile in Cloud Organization so it can connect to virtual machines and Yandex Managed Service for Kubernetes cluster nodes with OS Login access enabled.

To add an SSH key to a user profile or service account, make sure the Access via OS Login using SSH keys option is enabled at the organization level. If required, create a new SSH key pair.

To add a public SSH key to an OS Login profile:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Users.

  3. From the list, select the user whose OS Login profile you want to add an SSH key to.

    Use the filter or search feature as needed.

  4. Go to the SSH keys tab and click Add key. In the window that opens:

    1. Name the SSH key you are adding.

    2. Enter the public SSH key manually or upload it from a file.

    3. Specify the validity period for the key.

    4. Click Add.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to upload an SSH key to the user profile:

    yc organization-manager oslogin user-ssh-key create --help

  2. Get the ID of the required organization:

    yc organization-manager organization list

    Result:

    +----------------------+-------------------------+-------------------------+
|          ID          |          NAME           |          TITLE          |
+----------------------+-------------------------+-------------------------+
| bpf1smsil5q0******** | sample-organization-1   | My organization         |
| bpf2c65rqcl8******** | sample-organization-new | New organization        |
+----------------------+-------------------------+-------------------------+

  3. Get the required user ID by specifying the organization ID you obtained earlier:

    yc organization-manager user list \
  --organization-id <organization_ID>

    Result:

    +----------------------+-----------------------+---------------------------------+----------------------+
|          ID          |       USERNAME        |              EMAIL              |    FEDERATION ID     |
+----------------------+-----------------------+---------------------------------+----------------------+
| aje5qd0po0nj******** | sample-user-1         | sample-user-1@yandex.ru         |                      |
| ajee30kevjjf******** | sample-user-2         | sample-user-2@yandex.ru         |                      |
| ajeeg4ju49h6******** | sample-user-3         | sample-user-3@yandex.ru         | bpfbl7q3mjbr******** |
| ajei280a73vc******** | sample-user-4         | sample-user-4@yandex.ru         |                      |
+----------------------+-----------------------+---------------------------------+----------------------+

  4. Upload the SSH key to your user or service account profile:

    yc organization-manager oslogin user-ssh-key create \
  --organization-id <organization_ID> \
  --name "<key_name>" \
  --subject-id <user_or_service_account_ID> \
  --data "<public_SSH_key>" \
  --expires-at <key_expiration_date>

    Where:

    • --organization-id: Organization ID you got earlier.

    • --name: Uploaded key name.

    • --subject-id: Previously obtained ID of the user or service account to whose profile you are adding the SSH key.

    • --data: Contents of a public SSH key.

    • --expires-at: Uploaded key expiration date. This is an optional parameter. It allows you to set any expiration date for the uploaded key. You can specify the value in two formats:

      • Key expiration date in ISO 8601 format, e.g., YYYY-MM-DDT00:00:00Z.
      • Key validity period in hours and minutes, e.g., 1h or 3h30m.

    Result:

    id: bpfrtmgobqvc********
subject_id: ajei280a73vc********
data: ssh-ed25519 AAAAC3Nza_YOUR_PUBLIC_SSH_KEY_Ejal+P1sRgYA3T
name: My Key
fingerprint: SHA256:EJQdhwWDFj4TebYQzx9CmKZHr53rNN59u0W********
organization_id: bpf2c65rqcl8********
created_at: "2024-03-12T17:42:31.339022059Z"
expires_at: "2024-03-12T21:12:31.176467230Z"

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the parameters of the resources you want to create:

    resource "yandex_organizationmanager_user_ssh_key" "my_user_ssh_key" {
  organization_id = "<organization_ID>"
  subject_id      = "<user_ID>"
  data            = "<public_SSH_key>"
  name            = "<key_name>"
  expires_at      = "<key_expiration_date>"
}

    Where:

    • organization_id: Organization ID.
    • subject_id: ID of the user or service account to whose profile you are adding the SSH key.
    • data: Contents of a public SSH key.
    • name: Uploaded key name.
    • expires_at: Uploaded key expiration date. This is an optional parameter. It allows you to set any time and date for the uploaded key, after which the key becomes invalid. The value is set in ISO 8601 format, e.g., YYYY-MM-DDT00:00:00Z.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm that you want to create the resources.

    The SSH key will then be uploaded to the user profile. To make sure the SSH key is added, run the YC CLI command, specifying the organization ID:

    yc organization-manager oslogin user-ssh-key list --organization-id <organization_ID>

    Result:

    +----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+
|          ID          |  NAME  |   ORGANIZATION ID    |      SUBJECT ID      |                    FINGERPRINT                     |     CREATED AT      |     EXPIRES AT      |
+----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+
| bpf6big3s4h0******** | My key | bpf2c65rqcl8******** | ajei280a73vc******** | SHA256:EJQdhwWDFj4TebYQzx9CmKZHr53rNN59u0W******** | 2024-03-12 18:48:17 | 2024-03-12 21:12:31 |
+----------------------+--------+----------------------+----------------------+----------------------------------------------------+---------------------+---------------------+

Use the create REST API method for the UserSshKey resource or the UserSshKeyService/Create gRPC API call.

You can only add an SSH key to a service account profile using the CLI, Terraform, or API.

To allow users to upload SSH keys to their own profiles, enable the Allow members to use their own SSH keys option.

See also

Previous
Creating an OS Login profile
Next
Overview