© 2025 Direct Cursus Technology L.L.C.
Using a service account with an OS Login profile for VM management via Ansible

Written by
leitosama
Updated at August 14, 2025
  • Getting started
    • Prepare the environment
    • Required paid resources
  • Create a service account with an SSH key in the OS Login profile
  • Configure Ansible to run on behalf of a service account
  • How to delete the resources you created

To manage virtual machines via Ansible, you can use a service account provided with an OS Login profile with an SSH key. This configuration will allow you to have a separate account for VM management via Ansible with scheduled or manual SSH key revocation.

In addition, with this configuration you can temporarily elevate the privileges of this account by assigning additional roles to the service account. For example, to use the become directive in Ansible tasks, you will have to temporarily assign the compute.osAdminLogin role to the service account.

To configure a service account for VM management via Ansible:

  1. Prepare your cloud.
  2. Create a service account with an SSH key in the OS Login profile.
  3. Configure Ansible to run on behalf of a service account.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Prepare the environment

  1. If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

    By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  2. Create a virtual machine from a public image with enabled OS Login access, e.g., Ubuntu 22.04 LTS OS Login.

  3. In your organization settings, enable OS Login access using SSH keys.

  4. Install Ansible.

Required paid resources

The cost of supporting the infrastructure created in the guide includes:

  • Fee for a continuously running VM (see Yandex Compute Cloud pricing).
  • Fee for using a public IP address (see Yandex Virtual Private Cloud pricing).

Create a service account with an SSH key in the OS Login profile

  1. Create a service account named my-ansible-sa and assign it the compute.osLogin role.

    Note

    A default OS Login profile is created automatically when you create the service account. By default, the username (login) in that OS Login profile is formed by adding the yc-sa- prefix to the service account name: yc-sa-<service_account_name>.

  2. Create an SSH key pair of the ed25519 type the service account will use to connect to virtual machines:

    ssh-keygen \
      -t ed25519 \
      -f <path>/id_yc-sa-my-ansible-sa
    

    Where -f sets the path to the directory where the private and public parts of the key will be saved and the file name of the key being created. For example, -f /home/user/ansible-key/id_yc-sa-my-ansible-sa.

    As a result, two SSH key files will be created in the specified directory: id_yc-sa-my-ansible-sa and id_yc-sa-my-ansible-sa.pub.

  3. Add the new SSH key to the OS Login profile of the my-ansible-sa service account:

    yc organization-manager oslogin user-ssh-key create \
      --name <key_name> \
      --organization-id <organization_ID> \
      --subject-id <service_account_ID> \
      --data "<public_SSH_key>" \
      --expires-at <key_expiration_date>
    

    Where:

    • --name: Uploaded key name, e.g., ssh-my-ansible-sa.

    • --organization-id: ID of the organization the my-ansible-sa service account belongs to.

    • --subject-id: ID of the service account to whose profile you are adding the SSH key.

    • --data: Contents of the file with the public part of the SSH key (id_yc-sa-my-ansible-sa.pub).

    • --expires-at: Uploaded key expiration date. This is an optional parameter. If the parameter is not set, the key will have no expiration date.

      You can specify the value in two formats:

      • Key expiration date in ISO 8601 format, e.g., YYYY-MM-DDT00:00:00Z.
      • Key validity period in hours and minutes, e.g., 1h or 3h30m.

    Result:

    id: bpfejaidgt9u********
    subject_id: ajeqdl8mdv12********
    data: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOra4Rg9OpwS5cozMHDGpdp6ug/jYUnWtTFD********
    name: ssh-my-ansible-sa
    fingerprint: SHA256:gkEtFdaTmT7PK4/fCrZqnSjFDBsvLeNfkAR********
    organization_id: bpfaidqca8vd********
    created_at: "2024-06-21T10:10:11.946355750Z"
    expires_at: "2024-06-21T20:10:11.380653492Z"
    

    For more information about the yc organization-manager oslogin user-ssh-key create command, see the CLI reference.

    Tip

    For security purposes, it is recommended to rotate SSH keys from time to time. Using an SSH key with an unlimited validity period is not safe.

  4. Check if you can log in to the VM using the service account's OS Login profile:

    ssh yc-sa-my-ansible-sa@<VM_IP_address> -i <path_to_private_SSH_key>
    

    Where:

    • <VM_IP_address>: Public IP address of the VM with enabled OS Login access.
    • <path_to_private_SSH_key>: Path to the file containing the private part of the previously created SSH key, e.g., /home/user/ansible-key/id_yc-sa-my-ansible-sa.
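The pre-flight checks below are an added example and not part of the Yandex Cloud documentation: before the key is uploaded in step 3, they confirm that the public key really is the ed25519 key produced in step 2 and that an --expires-at value in one of the two accepted formats is present, so the tip about limited-validity keys cannot be skipped by accident. The 24h ceiling (MAX_KEY_SECONDS), the ssh-my-ansible-sa key name and the <organization_ID> / <service_account_ID> placeholders are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): pre-flight checks before
# `yc organization-manager oslogin user-ssh-key create`.
# Assumed local policy: every uploaded key carries --expires-at, and a
# validity period given as a duration must not exceed MAX_KEY_SECONDS.
MAX_KEY_SECONDS=86400   # 24h; assumed policy value, adjust to your own

# Accept only an ed25519 public key line (what step 2's ssh-keygen produces).
check_pubkey() {
  set -- $1   # split "type base64 comment" into fields
  [ "$1" = "ssh-ed25519" ] || return 1
  case "$2" in AAAAC3NzaC1lZDI1NTE5*) return 0 ;; esac  # OpenSSH ed25519 prefix
  return 1
}

# Convert a validity period such as 1h, 30m or 3h30m to seconds; fail otherwise.
duration_seconds() {
  h=0; m=0; rest=$1; seen=
  case "$rest" in *h*) h=${rest%%h*}; rest=${rest#*h}; seen=1 ;; esac
  case "$rest" in *m) m=${rest%m}; rest=; seen=1 ;; esac
  [ -n "$seen" ] && [ -z "$rest" ] || return 1
  case "$h" in ''|0?*|*[!0-9]*) return 1 ;; esac   # plain decimal digits only
  case "$m" in ''|0?*|*[!0-9]*) return 1 ;; esac
  echo $((h * 3600 + m * 60))
}

# Validate an --expires-at value: ISO 8601 UTC timestamp or a bounded duration.
check_expires_at() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) return 0 ;;
  esac
  secs=$(duration_seconds "$1") || return 1
  [ "$secs" -gt 0 ] && [ "$secs" -le "$MAX_KEY_SECONDS" ]
}

# Upload the key only if both checks pass. $1: path to the .pub file,
# $2: --expires-at value. Placeholder IDs must be replaced before use.
upload_key() {
  key=$(cat "$1") || return 1
  check_pubkey "$key" || { echo "refusing: $1 is not an ed25519 key" >&2; return 1; }
  check_expires_at "$2" || { echo "refusing: bad or missing expiry '$2'" >&2; return 1; }
  yc organization-manager oslogin user-ssh-key create \
    --name ssh-my-ansible-sa \
    --organization-id "<organization_ID>" \
    --subject-id "<service_account_ID>" \
    --data "$key" \
    --expires-at "$2"
}
```

Run it as `upload_key /home/user/ansible-key/id_yc-sa-my-ansible-sa.pub 3h30m`; the yc call is only reached when both checks succeed.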

Configure Ansible to run on behalf of a service account

Make sure Ansible can connect to the virtual machine on behalf of the new service account. To do this, create an inventory file and test it using the ansible.builtin.ping module:

  1. Create the inventory.ini file with the yc group:

    [yc:vars]
    ansible_connection=ssh
    ansible_user=yc-sa-my-ansible-sa
    ansible_ssh_private_key_file=<path_to_private_SSH_key>
    
    [yc]
    <VM_IP_address>
    

    Where:

    • <path_to_private_SSH_key>: Path to the file containing the private part of the previously created SSH key, e.g., /home/user/ansible-key/id_yc-sa-my-ansible-sa.
    • <VM_IP_address>: Public IP address of the VM with enabled OS Login access.
  2. Run Ansible with the ansible.builtin.ping module:

    ansible -i inventory.ini -m ping yc
    

    Result:

    158.160.**.*** | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python3"
        },
        "changed": false,
        "ping": "pong"
    }
    

Connection to the VM is established. You can now manage virtual machines via Ansible under a service account with an OS Login profile and a limited-validity SSH key.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.
  2. Delete the service account if you need to.
