# Exporting an SSH certificate

You can use the SSH certificate of an [organization user](../../../organization/concepts/membership.md) or service account so that a user, or (via a [service account](../../../iam/concepts/users/service-accounts.md)) a third-party tool such as [Terraform](https://www.terraform.io/) or [Ansible](https://www.ansible.com/), can connect over SSH to [Compute Cloud VM instances](../../concepts/vm.md#project), [Yandex Data Processing cluster hosts](../../../data-proc/operations/connect-oslogin.md), or [individual nodes in a Kubernetes node group](../../../managed-kubernetes/concepts/index.md#node-group) with OS Login access enabled. To do this, export the SSH certificate locally and use it with a standard SSH client to access the VM or Kubernetes node. The exported certificate is valid for one hour.

To export the SSH certificate of a Yandex Identity Hub organization user or [service account](../../../iam/concepts/users/service-accounts.md) to a local computer:

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search is limited to the default folder. If you access a resource by its ID, the search is global, i.e., across all folders you have access permissions for.

  1. See the description of the CLI command for exporting an SSH certificate to a local directory:

      ```bash
      yc compute ssh certificate export --help
      ```
  1. Get the ID of the organization containing the required OS Login profile of the user or [service account](../../../iam/concepts/users/service-accounts.md):
     
     ```bash
     yc organization-manager organization list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------+-------------------------+
     |          ID          |          NAME           |          TITLE          |
     +----------------------+-------------------------+-------------------------+
     | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
     | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
     | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
     +----------------------+-------------------------+-------------------------+
     ```
  1. Get a list of [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) logins of your organization's users and service accounts by specifying the organization ID:
     
     ```bash
     yc organization-manager os-login profile list \
       --organization-id <organization_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
     | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
     | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     ```
     
     Save the `LOGIN` field value for the required user or service account: you will need it later.
     
     {% note info %}
     
     The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../../../organization/security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../../../organization/security/index.md#service-roles).
     
     {% endnote %}
  1. Export the certificate:

      ```bash
      yc compute ssh certificate export \
          --login <user_or_service_account_login> \
          --organization-id <organization_ID> \
          --directory <path_to_directory>
      ```

      Where:
      * `--login`: Previously obtained user or service account login, as set in the OS Login profile. This parameter is optional. If you omit it, the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile is exported.
      * `--organization-id`: Previously obtained [ID](../../../organization/operations/organization-get-id.md) of the organization to export the SSH certificate from. This parameter is optional. If you omit it, the certificate is exported from the organization the default folder belongs to.
      * `--directory`: Path to the local directory to save the exported SSH certificate to. This parameter is optional. If you omit it, the certificate is saved to the `.ssh` directory in the current user's home directory (`~/.ssh/`).

      Result:

      ```text
      Identity: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>
      Certificate: /home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-<username_in_OS_Login_profile>-cert.pub
      ```

      If you save the exported certificate to a directory other than the default one, make sure that only the current user can access the saved certificate files: the `Identity` file is a private key. If necessary, restrict the permissions using the `chmod` command on Linux and macOS, or on the **Security** tab of the file properties in Windows Explorer.

{% endlist %}

You can use the exported SSH certificate to [connect](os-login.md#connect-with-ssh-client) to a Compute Cloud instance, Yandex Data Processing cluster, or Kubernetes node with OS Login access [enabled](../vm-control/vm-update.md#enable-oslogin-access).
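The export procedure above, wrapped into one script that also verifies the saved files are private to the current user, prints the one-hour validity window of the certificate, and connects. This is an added example; it is not part of the Yandex Cloud documentation or the `yc` CLI. It assumes `yc`, `ssh` and `ssh-keygen` are on the `PATH` and that the CLI profile is already authenticated; the sample export output, the host address and the organization ID in the usage comment are constructed values.

```bash
#!/usr/bin/env bash
# Added example (not from the Yandex Cloud documentation or CLI): wraps the
# `yc compute ssh certificate export` step, checks that the exported files are
# readable only by the owner, shows the certificate's validity window and
# connects with a standard SSH client.
# Assumes yc, ssh and ssh-keygen are installed and yc is already authenticated.
set -euo pipefail

# Extract the identity (private key) path from the "Identity: <path>" line
# that `yc compute ssh certificate export` prints.
export_identity_path() {
  printf '%s\n' "$1" | sed -n 's/^Identity: //p'
}

# Extract the certificate path from the "Certificate: <path>" line.
export_cert_path() {
  printf '%s\n' "$1" | sed -n 's/^Certificate: //p'
}

# Return 0 only if the group and other permission bits are all clear,
# i.e. only the owner can read or write the file. Uses `ls -l` rather than
# `stat` because stat's flags differ between GNU and BSD userlands.
is_private_file() {
  group_other=$(ls -ld "$1" | cut -c5-10)
  [ "$group_other" = "------" ]
}

# Constructed sample of the export command's output so the parsing functions
# can be exercised without the yc CLI (real paths contain your cloud ID and
# OS Login profile name).
SAMPLE_EXPORT_OUTPUT='Identity: /home/user1/.ssh/yc-cloud-id-b1gexample-user1
Certificate: /home/user1/.ssh/yc-cloud-id-b1gexample-user1-cert.pub'

# Export the certificate for LOGIN in organization ORG_ID and connect to HOST.
# Optional fourth argument: directory for the exported files (default ~/.ssh).
export_and_connect() {
  login=$1
  org_id=$2
  host=$3
  dir=${4:-$HOME/.ssh}

  out=$(yc compute ssh certificate export \
          --login "$login" \
          --organization-id "$org_id" \
          --directory "$dir")
  identity=$(export_identity_path "$out")
  cert=$(export_cert_path "$out")
  [ -n "$identity" ] && [ -n "$cert" ] || {
    echo "unexpected yc output: $out" >&2
    return 1
  }

  # The identity file is a private key: if the chosen directory left it
  # readable by others, restrict it before use (ssh refuses such keys anyway).
  for f in "$identity" "$cert"; do
    if ! is_private_file "$f"; then
      echo "tightening permissions on $f" >&2
      chmod 600 "$f"
    fi
  done

  # Show when the certificate expires (one hour after export).
  ssh-keygen -L -f "$cert" | grep 'Valid:'

  ssh -i "$identity" -o CertificateFile="$cert" "$login@$host"
}

# Run only when called with arguments (constructed values shown), e.g.:
#   ./oslogin-ssh.sh user1 bpf1smsil5q0example 203.0.113.10
if [ "$#" -ge 3 ]; then
  export_and_connect "$@"
fi
```

The permission check is the part worth keeping even if you drop the rest: OpenSSH ignores a private key whose mode allows group or other access, so a certificate exported to a shared directory with loose defaults fails at connect time rather than at export time.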

#### See also {#see-also}

* [Enabling access via OS Login](../../../organization/operations/os-login-access.md)
* [Adding an SSH key](../../../organization/operations/add-ssh.md)
* [Connecting to a VM via OS Login](os-login.md)
* [Connecting to a Kubernetes node via OS Login](../../../managed-kubernetes/operations/node-connect-oslogin.md)
* [Connecting to a Yandex Data Processing cluster via OS Login](../../../data-proc/operations/connect-oslogin.md)
* [Using a service account with an OS Login profile for VM management via Ansible](../../../tutorials/security/sa-oslogin-ansible.md)