Enabling access via OS Login
OS Login access allows you to connect to VMs and Kubernetes cluster nodes with an SSH key or SSH certificate using the YC CLI or a standard SSH client. If you are connecting with an SSH key, you need to add the public SSH key to the organization user profile in Yandex Cloud Organization first.
To create virtual machines or Kubernetes nodes with OS Login access, enable this feature at the organization level. This will allow you to enable OS Login access for VMs created from a ready-made image with OS Login support or configure the OS Login agent on an already running VM. For more information about OS Login, see Connecting to a virtual machine via OS Login.
Note
Images with OS Login support are available on Yandex Cloud Marketplace. VMs created from such images will have Access by OS Login enabled in the VM creation and editing form under Access in the management console.
To enable access via OS Login at the organization level:
- Log in to Yandex Cloud Organization using an administrator or organization owner account. Switch to an organization or federation of your choice as needed.
- In the left-hand panel, select Security settings.
- Enable the required access options:
  - Access via OS Login using SSH certificates (recommended). This option allows you to connect to a VM or Kubernetes cluster node with an OS Login certificate via the YC CLI or a standard SSH client.
  - Access via OS Login using SSH keys. This option allows you to connect to a VM or Kubernetes cluster node via the YC CLI or a standard SSH client with an SSH key stored in the OS Login profile of a user or service account.
  - Allow members to use their own SSH keys. The option is available if OS Login access with SSH keys is enabled. It allows users to upload public SSH keys to their profile to connect to VMs or Kubernetes cluster nodes on their own. To upload your own SSH keys, follow this guide.
- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
  The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the CLI command to enable OS Login access at the organization level:
  yc organization-manager oslogin update-settings --help
- Get the ID of the required organization:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-------------------------+
  |          ID          |          NAME           |          TITLE          |
  +----------------------+-------------------------+-------------------------+
  | bpf1smsil5q0******** | sample-organization-1   | My organization         |
  | bpf2c65rqcl8******** | sample-organization-new | New organization        |
  +----------------------+-------------------------+-------------------------+
- Enable access via OS Login for the selected organization:
  yc organization-manager oslogin update-settings \
    --organization-id <organization_ID> \
    --ssh-certificates-enabled \
    --ssh-user-keys-enabled \
    --allow-manage-own-keys
  Where:
  - --organization-id: Organization ID you got earlier.
  - --ssh-certificates-enabled: OS Login access using SSH certificates. This option allows you to connect to a VM with an OS Login SSH certificate via the YC CLI or a standard SSH client. To disable this option, provide the false value in the --ssh-certificates-enabled=false parameter.
  - --ssh-user-keys-enabled: OS Login access using SSH keys. This option allows you to connect to a VM via the YC CLI or a standard SSH client with an SSH key stored in the OS Login profile of an organization user. To disable this option, provide the false value in the --ssh-user-keys-enabled=false parameter.
  - --allow-manage-own-keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their profile to connect to VMs on their own. To upload your own SSH keys, follow this guide. The option is available if OS Login access with SSH keys is enabled. To disable this option, provide the false value in the --allow-manage-own-keys=false parameter.
  Result:
  user_ssh_key_settings:
    enabled: true
    allow_manage_own_keys: true
  ssh_certificate_settings:
    enabled: true
- If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, describe the parameters of the resources you want to create:
  resource "yandex_organizationmanager_os_login_settings" "my_os_login_settings" {
    organization_id = "<organization_ID>"
    ssh_certificate_settings {
      enabled = true
    }
    user_ssh_key_settings {
      enabled               = true
      allow_manage_own_keys = true
    }
  }
  Where:
  - organization_id: Organization ID. You can get the organization ID using the YC CLI yc organization-manager organization list command or in the management console.
  - ssh_certificate_settings: OS Login access using SSH certificates. This option allows you to connect to a VM with an OS Login SSH certificate via the YC CLI or a standard SSH client. The enabled parameter may take either the true (option enabled) or false (option disabled) values.
  - user_ssh_key_settings: Section for managing access through user SSH keys.
    - enabled: OS Login access using SSH keys. This option allows you to connect to a VM via the YC CLI with an SSH key stored in an organization user profile. It may take either the true (option enabled) or false (option disabled) values.
    - allow_manage_own_keys: Allow users to upload their own SSH keys. This option allows users to upload public SSH keys to their profile to connect to VMs on their own. To upload your own SSH keys, follow this guide. The option is available if OS Login access with SSH keys is enabled. It may take either the true (option enabled) or false (option disabled) values.
  For more information about the resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
  If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm that you want to create the resources.
The organization settings will then be changed. To make sure OS Login access is enabled, run this YC CLI command specifying the organization ID:
yc organization-manager oslogin get-settings --organization-id <organization_ID>
Result:
user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true
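An added example, not part of the Yandex Cloud documentation: a POSIX shell check that reads the get-settings output shown above and compares it with the OS Login policy you intended to apply, so drift in the organization settings is caught by a script rather than by eye. The function names and the sample output are constructed for illustration, and treating a key that is missing from the output as false is an assumption.

```shell
#!/bin/sh
# Added example, not Yandex Cloud code. Compares the YAML printed by
#   yc organization-manager oslogin get-settings --organization-id <organization_ID>
# with the OS Login policy you meant to apply.

# Read get-settings output on stdin, print one "section.key=value" per line.
oslogin_flatten() {
  awk '
    /^[A-Za-z_]+:/ { section = $1; sub(/:$/, "", section); next }
    /^[ \t]+[A-Za-z_]+:[ \t]*[^ \t]/ {
      key = $1; sub(/:$/, "", key)
      print section "." key "=" $2
    }'
}

# Usage: <get-settings output> | oslogin_check section.key=value ...
# Returns 0 if every expected value matches, 1 otherwise (details on stderr).
# Assumption: a key that is absent from the output is treated as false.
oslogin_check() {
  flat=$(oslogin_flatten)
  rc=0
  for want in "$@"; do
    key=${want%%=*}
    got=$(printf '%s\n' "$flat" | awk -F= -v k="$key" '$1 == k { print $2 }')
    [ -n "$got" ] || got=false
    if [ "$got" != "${want#*=}" ]; then
      echo "MISMATCH $key: expected ${want#*=}, got $got" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample output: self-managed keys are not enabled.
SAMPLE_SETTINGS='user_ssh_key_settings:
  enabled: true
ssh_certificate_settings:
  enabled: true'

# Policy applied by the update-settings command on this page.
if printf '%s\n' "$SAMPLE_SETTINGS" | oslogin_check \
     user_ssh_key_settings.enabled=true \
     user_ssh_key_settings.allow_manage_own_keys=true \
     ssh_certificate_settings.enabled=true
then echo "OS Login settings match the intended policy"
else echo "OS Login settings differ from the intended policy"
fi
```

In practice, pipe the real get-settings output into oslogin_check in place of the constructed sample.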
- Use the updateSettings REST API method for the OsLogin resource or the OsLoginService/UpdateSettings gRPC API call.
Note
To view the list of OS Login profiles, a user must have the organization-manager.osLogins.viewer role or higher for the organization.