Creating an OS Login profile
By default, enabling OS Login access automatically creates an OS Login profile for every user in your Identity Hub. A user or service account may also have several OS Login profiles, which you create manually. Each profile lets you connect to VMs or Kubernetes cluster nodes as a different local user of those VMs or nodes.
For service accounts, OS Login profiles are not created automatically. To connect to a VM or Kubernetes node as a service account, you need to manually create its OS Login profile.
Note
The minimum required role allowing you to view the list of OS Login user profiles is the organization-manager.osLogins.viewer role assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see Access management in Yandex Identity Hub.
To create an OS Login profile:
Management console

- Log in to Yandex Identity Hub using an administrator or organization owner account. Switch to an organization or federation of your choice as needed.
- In the left-hand panel, select Users.
- From the list, select the user you want to create an OS Login profile for. Use the filter or search as needed.
- On the user page, go to the OS Login Profiles tab and click Create profile. In the window that opens, do the following:
  - Enter the OS username that will be assigned to the organization user or service account when connecting to the VM. It must be unique within the folder.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.
  - In the ID (uid) field, enter a unique numeric user ID (UID). It must be unique within the system.
    Warning
    There must be no collisions between the UIDs of the OS Login profile and the OS system profiles. If you set the UID manually, use values in the range from 1002 to 2^63 - 1 to avoid such collisions.
  - (Optional) In the Home directory field, enter the path to the user's home folder.
  - (Optional) In the Default shell field, specify the path to the command shell executable file.
  - Click Create.
CLI

- If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
  By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the CLI command for creating an OS Login profile:
  yc organization-manager oslogin profile create --help
- Get the ID of the required organization:
  yc organization-manager organization list
  Result:
  +----------------------+-------------------------+-----------------------+--------+
  |          ID          |          NAME           |         TITLE         | LABELS |
  +----------------------+-------------------------+-----------------------+--------+
  | bpf1smsil5q0******** | sample-organization-1   | My organization       |        |
  | bpf2c65rqcl8******** | sample-organization-new | New organization      |        |
  +----------------------+-------------------------+-----------------------+--------+
- Get the required user ID by specifying the ID of the organization it belongs to:
  yc organization-manager user list \
    --organization-id <organization_ID>
  Result:
  +----------------------+----------+-------------------+---------------+-----------------------+
  |          ID          | USERNAME |       EMAIL       | FEDERATION ID | LAST AUTHENTICATED AT |
  +----------------------+----------+-------------------+---------------+-----------------------+
  | rser11gh89el******** | user01   | user01@example.ru |               |                       |
  | mber02hy54km******** | user02   | user02@example.ru |               |                       |
  +----------------------+----------+-------------------+---------------+-----------------------+
  To create an OS Login profile for a service account, get the service account ID.
- Create an OS Login profile for the selected user or service account:
  yc organization-manager oslogin profile create \
    --organization-id <organization_ID> \
    --subject-id <user_or_service_account_ID> \
    --login <login> \
    --uid <numeric_ID> \
    --home-directory <path_to_home_folder> \
    --shell <path_to_command_shell_executable_file>
  Where:
  - --organization-id: Organization ID you got earlier.
  - --subject-id: User or service account ID you got earlier.
  - --login: OS username the user will get when connected to the VM. It must be unique within the folder.
    Note
    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.
  - --uid: Unique numeric user ID (UID). It must be unique within the system.
    Warning
    There must be no collisions between the UIDs of the OS Login profile and the OS system profiles. If you set the UID manually, use values in the range from 1002 to 2^63 - 1 to avoid such collisions.
  - --home-directory: Path to the user's home folder on the VM. This is an optional parameter. The default value is /home/<username>.
  - --shell: Path to the command shell executable file on the VM. This is an optional parameter. The default value is /bin/bash.
  Result:
  id: aje6ddct3de5********
  organization_id: bpf1smsil5q0********
  subject_id: rser11gh89el********
  login: new-os-login
  uid: "100500"
  home_directory: home/username
  shell: bin/bash
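As an added example (not part of the Yandex Cloud documentation or the yc CLI), the shell functions below check a login and UID against the username rule and the 1002 to 2^63 - 1 UID range stated above before assembling the create command, and fill in the documented defaults for the home directory and shell. The function names are my own, and the organization and subject IDs are the masked sample values from the output above.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs or the yc CLI: pre-flight
# checks for --login and --uid using the rules stated on this page.

UID_MIN=1002                  # lower bound recommended by the docs
UID_MAX=9223372036854775807   # 2^63 - 1, upper bound stated by the docs

# Succeeds if the login is 1..32 characters of Latin letters, digits,
# '-' or '_' and does not start with '-'.
valid_login() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Succeeds if the uid is a decimal integer within [UID_MIN, UID_MAX].
# The comparison is done on digit strings, so a value beyond 64-bit
# shell arithmetic is rejected instead of silently wrapping around.
valid_uid() {
  case "$1" in
    ''|*[!0-9]*|0*) return 1 ;;   # digits only, no leading zero
  esac
  if [ "${#1}" -lt "${#UID_MAX}" ]; then
    [ "$1" -ge "$UID_MIN" ]
  elif [ "${#1}" -gt "${#UID_MAX}" ]; then
    return 1
  else
    # same number of digits: lexicographic order equals numeric order
    awk -v a="$1" -v b="$UID_MAX" 'BEGIN { exit !((a "") <= (b "")) }'
  fi
}

# Prints the create command, filling in the documented defaults
# (/home/<login> and /bin/bash) when home dir or shell are omitted.
# Usage: build_create_cmd ORG_ID SUBJECT_ID LOGIN UID [HOME_DIR] [SHELL]
build_create_cmd() {
  valid_login "$3" || { echo "rejected login: $3" >&2; return 1; }
  valid_uid "$4"   || { echo "rejected uid: $4" >&2; return 1; }
  printf 'yc organization-manager oslogin profile create %s %s %s %s %s %s\n' \
    "--organization-id $1" "--subject-id $2" "--login $3" "--uid $4" \
    "--home-directory ${5:-/home/$3}" "--shell ${6:-/bin/bash}"
}
```

Pipe the printed command into sh, or replace printf with exec, once the checks pass; a rejected value returns a non-zero status before anything is sent to the API.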
API

Use the createProfile REST API method for the OsLogin resource or the OsLoginService/CreateProfile gRPC API call.

You can only create an OS Login profile for a service account using the Yandex Cloud CLI or API.