© 2025 Direct Cursus Technology L.L.C.

Enabling access via OS Login

Written by
Yandex Cloud
Updated at November 25, 2025

Note

If OS Login access is enabled at the organization level, all new VMs created in this organization will get the OS_LOGIN value in the serial_port_settings.ssh_authorization field by default. If the OS Login access is disabled, the default value of this field will be INSTANCE_METADATA.

With OS Login, you can manage SSH access to VMs and individual nodes in node groups within Yandex Managed Service for Kubernetes clusters relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM or Kubernetes node when one is created. OS Login links the VM or Kubernetes node user account to a Yandex Identity Hub account, i.e., an organization user account or service account.

Alert

A user with superuser permissions for a VM can retain access to it even if the roles are revoked. To prevent user access to a VM with old permissions, create a new VM from a clean image.

To create virtual machines or Kubernetes nodes with OS Login access, enable this feature at the organization level. To do this:

Use one of the following methods: Cloud Center UI, CLI, Terraform, or API.

Cloud Center UI:
  1. Log in to Yandex Identity Hub using an administrator or organization owner account.

    Switch to an organization or federation of your choice as needed.

  2. In the left-hand panel, select Security settings.

  3. Enable the required operating modes:

    • Access via OS Login using SSH certificates (recommended).
      This mode allows you to connect to a VM or Kubernetes cluster node with an SSH certificate through the Yandex Cloud CLI or a standard SSH client.

    • Access via OS Login using SSH keys.
      This mode allows you to connect to a VM or Kubernetes cluster node through the Yandex Cloud CLI or a standard SSH client using an SSH key stored in the OS Login profile of a user or service account.

    • Allow members to use their own SSH keys.
      Allows users themselves to upload public SSH keys to their OS Login profiles for connection to VMs or Kubernetes cluster nodes.

      You can add a new SSH key to your profile in the management console when creating a VM or by following the guide titled Adding an SSH key.

      Only Yandex account, federated or local users assigned the organization-manager.osLogins.admin role or higher can upload SSH keys to service account OS Login profiles.

CLI:

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to enable OS Login access at the organization level:

    yc organization-manager oslogin update-settings --help
    
  2. Get the ID of the required organization:

    yc organization-manager organization list
    

    Result:

    +----------------------+-------------------------+-------------------------+
    |          ID          |          NAME           |          TITLE          |
    +----------------------+-------------------------+-------------------------+
    | bpf1smsil5q0******** | sample-organization-1   | My organization         |
    | bpf2c65rqcl8******** | sample-organization-new | New organization        |
    +----------------------+-------------------------+-------------------------+
    
  3. Enable access via OS Login for the selected organization:

    yc organization-manager oslogin update-settings \
      --organization-id <organization_ID> \
      --ssh-certificates-enabled \
      --ssh-user-keys-enabled \
      --allow-manage-own-keys
    

    Where:

    • --organization-id: Organization ID you got earlier.

    • --ssh-certificates-enabled: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client.

      To disable this option, set the parameter to false: --ssh-certificates-enabled=false.

    • --ssh-user-keys-enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes via the Yandex Cloud CLI or a standard SSH client, using an SSH key stored in the OS Login profile of an organization user or service account.

      To disable this option, set the parameter to false: --ssh-user-keys-enabled=false.

    • --allow-manage-own-keys: Allow users to upload their own SSH keys. This option lets users upload public SSH keys to their own OS Login profiles for connecting to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow the Adding an SSH key guide.

      To disable this option, set the parameter to false: --allow-manage-own-keys=false.

      Note

      Only Yandex account, federated or local users assigned the organization-manager.osLogins.admin role or higher can upload SSH keys to service account OS Login profiles.

    Result:

    user_ssh_key_settings:
      enabled: true
      allow_manage_own_keys: true
    ssh_certificate_settings:
      enabled: true
    

Terraform:

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the properties of resources you want to create:

    resource "yandex_organizationmanager_os_login_settings" "my_os_login_settings" {
      organization_id = "<organization_ID>"
      ssh_certificate_settings {
        enabled = true
      }
      user_ssh_key_settings {
        enabled               = true
        allow_manage_own_keys = true
      }
    }
    

    Where:

    • organization_id: Organization ID. You can get the organization ID using the yc organization-manager organization list command in the Yandex Cloud CLI or through the Cloud Center interface.

    • ssh_certificate_settings: OS Login access using SSH certificates. This option allows you to connect to VMs or Kubernetes cluster nodes with an SSH certificate through the Yandex Cloud CLI or a standard SSH client. The enabled parameter may take either the true (option enabled) or false (option disabled) values.

    • user_ssh_key_settings: Section for managing access through user SSH keys.

      • enabled: OS Login access using SSH keys. This option allows you to connect to VMs or Kubernetes cluster nodes via the Yandex Cloud CLI or a standard SSH client, using an SSH key stored in the OS Login profile of an organization user. It may take either the true (option enabled) or false (option disabled) value.

      • allow_manage_own_keys: Allow users to upload their own SSH keys. It may take either the true (option enabled) or false (option disabled) value. This option lets users upload public SSH keys to their own OS Login profiles for connecting to VMs and Kubernetes cluster nodes. To upload your own SSH keys, follow the Adding an SSH key guide.

      Note

      Only Yandex account, federated or local users assigned the organization-manager.osLogins.admin role or higher can upload SSH keys to service account OS Login profiles.

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources.

    The organization settings will then be changed. To make sure OS Login access is enabled, run this Yandex Cloud CLI command by specifying the organization ID:

    yc organization-manager oslogin get-settings --organization-id <organization_ID>
    

    Result:

    user_ssh_key_settings:
      enabled: true
      allow_manage_own_keys: true
    ssh_certificate_settings:
      enabled: true
    
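The get-settings output uses the key `enabled` in two different sections, so a plain text search for `enabled: true` cannot tell which mode is on. The script below is an added example, not part of the Yandex Cloud documentation: it parses that output section by section and reports any setting that differs from an expected policy. The function names, the sample input and the policy values are constructed for illustration, and the script assumes that a key missing from the output means false.

```shell
#!/bin/sh
# Added example: audit OS Login organization settings against an expected policy.
# Input is the YAML printed by:
#   yc organization-manager oslogin get-settings --organization-id <organization_ID>

# Constructed sample with the same shape as the Result shown above.
SAMPLE_SETTINGS='user_ssh_key_settings:
  enabled: true
  allow_manage_own_keys: true
ssh_certificate_settings:
  enabled: true'

# oslogin_setting <yaml> <section> <key>
# Prints the value of <key> inside the top-level <section>.
# Assumption: a key that is absent from the output is treated as false.
oslogin_setting() {
  printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
    /^[^ #]/ { cur = $1; sub(/:$/, "", cur); next }  # unindented line opens a section
    cur == sec && $1 == (key ":") { val = $2 }       # indented key in the wanted section
    END { print (val == "" ? "false" : val) }'
}

# check_oslogin_policy <yaml> <section.key=expected>...
# Prints one DRIFT line per mismatch and returns 1 if any setting differs.
check_oslogin_policy() {
  yaml=$1; shift
  rc=0
  for rule in "$@"; do
    path=${rule%%=*}; want=${rule#*=}
    sec=${path%%.*};  key=${path#*.}
    got=$(oslogin_setting "$yaml" "$sec" "$key")
    if [ "$got" != "$want" ]; then
      echo "DRIFT $path: expected $want, got $got"
      rc=1
    fi
  done
  return $rc
}

# Hypothetical policy: certificates and stored keys on, self-managed keys off.
check_oslogin_policy "$SAMPLE_SETTINGS" \
  ssh_certificate_settings.enabled=true \
  user_ssh_key_settings.enabled=true \
  user_ssh_key_settings.allow_manage_own_keys=false || echo "policy check failed"
```

To audit a live organization, pass the output of the get-settings command as the first argument in place of SAMPLE_SETTINGS.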

API:

Use the updateSettings REST API method for the OsLogin resource or the OsLoginService/UpdateSettings gRPC API call.

Note

The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Identity Hub.

See also

  • Creating an OS Login profile
  • Adding an SSH key
  • Connecting to a VM via OS Login
  • Connecting to a Kubernetes node via OS Login
  • Using a service account with an OS Login profile for VM management via Ansible
