# Creating a VM with OS Login

With [OS Login](../../../organization/concepts/os-login.md), you can provide users and [service accounts](../../../iam/concepts/users/service-accounts.md) access to [VMs](../../concepts/vm.md#project) relying solely on the [Yandex Identity and Access Management](../../../iam/concepts/index.md) mechanisms. There is no need to upload SSH keys to each new VM when creating it.

{% note tip %}

To create VMs with OS Login access and [connect](os-login.md) to such VMs, [enable](../../../organization/operations/os-login-access.md) OS Login at the Yandex Cloud [organization](../../../organization/quickstart.md) level first.

{% endnote %}

To connect to a virtual machine or Kubernetes node with OS Login access enabled, assign the following roles to the user or [service account](../../../iam/concepts/users/service-accounts.md):

* `compute.osLogin` or `compute.osAdminLogin` [role](../../security/index.md#compute-oslogin).
* `resource-manager.auditor` [role](../../../resource-manager/security/index.md#resource-manager-auditor) or higher for the folder containing the VM instance or Kubernetes node.
* `compute.operator` [role](../../security/index.md#compute-operator) for connecting via the Yandex Cloud CLI.

You can use either the [CLI](os-login.md#connect-with-yc-cli) or a [standard SSH client](os-login.md#connect-with-ssh-client) to connect to VMs with OS Login access enabled. The connection can be established using an SSH certificate or SSH key, which first needs to be [added](../../../organization/operations/add-ssh.md) to the Yandex Identity Hub user's or service account's OS Login profile.

{% note info %}

We recommend creating a local user on the new VM and providing a separate SSH key for that user: this way you will still be able to [connect to the VM via SSH](ssh.md#vm-connect) even if you disable the OS Login access for it. You can create a local user and provide an SSH key for them using [metadata](../../concepts/metadata/sending-metadata.md).

For users added via metadata:

* After enabling access to a VM via OS Login, the keys specified in `user-data` and `ssh-keys` are removed from the metadata.
* After disabling access to a VM via OS Login, the removed keys are recreated.

{% endnote %}

To create a VM with OS Login:

{% list tabs group=instructions %}

- Management console {#console}

  1. Enable [access via OS Login](../../../organization/operations/os-login-access.md) at the organization level.

  1. [Create a VM](../images-with-pre-installed-software/create.md) from a pre-built image with OS Login access support. Such images are available on [Yandex Cloud Marketplace](https://yandex.cloud/en/marketplace).
  
     When creating a VM, select **Access** under **Access by OS Login**. If this option is not available, the selected image does not support OS Login access.
  
     To be able to [connect](ssh.md#vm-connect) to the VM via SSH without OS Login, [update](../vm-control/vm-update.md) the VM settings and select **Access** under **SSH key**.

- CLI {#cli}

  1. Enable [access via OS Login](../../../organization/operations/os-login-access.md) at the organization level.

  1. [Create a VM](../images-with-pre-installed-software/create.md) from a pre-built image with OS Login access support.
  
     When creating a VM, specify this parameter for access via OS Login:

     ```bash
     --metadata enable-oslogin=true
     ```

- Terraform {#tf}

  1. Enable [access via OS Login](../../../organization/operations/os-login-access.md) at the organization level.

  1. [Create a VM](../images-with-pre-installed-software/create.md) from a pre-built image with OS Login access support.
  
     In the `yandex_compute_instance` resource, add the following parameter to the `metadata` section to enable access via OS Login:

     ```hcl
     metadata = {
       enable-oslogin = true
     }
     ```

- API {#api}

  1. Enable [access via OS Login](../../../organization/operations/os-login-access.md) at the organization level.

  1. [Create a VM](../vm-create/create-linux-vm.md) from a public image with OS Login access support using the [create](../../api-ref/Instance/create.md) REST API method for the [Instance](../../api-ref/Instance/index.md) resource.

     When creating the VM, provide `enable-oslogin=true` in the `metadata` field.

{% endlist %}
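
The following Terraform configuration is an added example, not part of the original guide. It combines the `enable-oslogin` metadata key with the local user and separate SSH key recommended in the note above. The variable names, the resource name, the `breakglass` user name, and the zone and platform values are assumptions; replace them with your own.

```hcl
# Added example: all names and values below are placeholders.
variable "oslogin_image_id" { type = string }        # image with OS Login support
variable "subnet_id" { type = string }               # existing subnet in the target zone
variable "fallback_ssh_public_key" { type = string } # key used only by the local user

resource "yandex_compute_instance" "oslogin_vm" {
  name        = "oslogin-vm"
  platform_id = "standard-v3"
  zone        = "ru-central1-a"

  resources {
    cores  = 2
    memory = 2
  }

  boot_disk {
    initialize_params {
      image_id = var.oslogin_image_id
    }
  }

  # Internal address only; add `nat = true` if the VM needs a public IP.
  network_interface {
    subnet_id = var.subnet_id
  }

  metadata = {
    # Metadata values are strings, so the flag is passed as "true".
    "enable-oslogin" = "true"

    # Local user with its own key, kept separate from the keys in OS Login profiles.
    "user-data" = <<-EOT
      #cloud-config
      users:
        - name: breakglass
          groups: sudo
          shell: /bin/bash
          sudo: 'ALL=(ALL) NOPASSWD:ALL'
          ssh_authorized_keys:
            - ${var.fallback_ssh_public_key}
    EOT
  }
}
```

Store the private half of the local user's key separately from the keys added to OS Login profiles.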

After the created VM changes its status to `Running`, you will be able to [connect](os-login.md) to it via OS Login.

{% note info %}

For service accounts, [OS Login profiles](../../../organization/concepts/os-login.md#os-login-profiles) are not created automatically. To connect to a VM or Kubernetes node on behalf of a service account, you need to [manually create](../../../organization/operations/os-login-profile-create.md) an OS Login profile.

{% endnote %}