# Connecting to a VM via OS Login

[OS Login](../../../organization/concepts/os-login.md) provides users and [service accounts](../../../iam/concepts/users/service-accounts.md) access to [VMs](../../concepts/vm.md#project) relying solely on the [Yandex Identity and Access Management](../../../iam/concepts/index.md) mechanisms, without requiring you to upload SSH keys to each new VM when creating it.

{% note warning %}

For service accounts, [OS Login profiles](../../../organization/concepts/os-login.md#os-login-profiles) are not created automatically. To connect to a VM or Kubernetes node on behalf of a service account, you need to [manually create](../../../organization/operations/os-login-profile-create.md) an OS Login profile.

{% endnote %}

## Getting started {#before-you-begin}

If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

[Create](os-login-create-vm.md) a new virtual machine with OS Login support or [configure](enable-os-login.md) OS Login access for an existing VM as needed.

{% note info %}

To connect to a virtual machine or Kubernetes node with OS Login access enabled, assign the following roles to the user or [service account](../../../iam/concepts/users/service-accounts.md):

* `compute.osLogin` or `compute.osAdminLogin` [role](../../security/index.md#compute-oslogin).
* `resource-manager.auditor` [role](../../../resource-manager/security/index.md#resource-manager-auditor) or higher for the folder containing the VM instance or Kubernetes node.
* `compute.operator` [role](../../security/index.md#compute-operator) for connecting via the Yandex Cloud CLI.

{% endnote %}

## Connecting using a standard SSH client {#connect-with-ssh-client}

You can connect to a VM with OS Login access enabled using a standard SSH client with either an SSH key [saved](../../../organization/operations/add-ssh.md) in the OS Login profile of an organization user or service account, or a short-lived SSH certificate exported for that user or service account.

{% list tabs group=os_login_type %}

- Connecting with an SSH key {#ssh-key}

  To connect to a VM via OS Login with an SSH key using a standard SSH client:
  
  1. [Enable](../../../organization/operations/os-login-access.md) access via OS Login at the organization level.
     
     To connect to a VM via OS Login with an SSH key, enable **Access via OS Login using SSH keys**.
     
     To allow users to add SSH keys to their own OS Login profiles, enable **Allow members to use their own SSH keys**.
     
     {% note info %}
     
     Only [Yandex account](../../../iam/concepts/users/accounts.md#passport), [federated](../../../iam/concepts/users/accounts.md#saml-federation) or [local](../../../iam/concepts/users/accounts.md#local) users assigned the `organization-manager.osLogins.admin` [role](../../../organization/security/index.md#organization-manager-osLogins-admin) or higher can upload SSH keys to service account [OS Login profiles](../../../organization/concepts/os-login.md#os-login-profiles).
     
     {% endnote %}
  1. [Create](ssh.md#creating-ssh-keys) an SSH key pair and [add](../../../organization/operations/add-ssh.md) the public key to the OS Login profile of a user or [service account](../../../iam/concepts/users/service-accounts.md). Remember where your private key is stored, as you will need it to connect to a VM.
  1. Get the ID of the organization containing the required OS Login profile of the user or [service account](../../../iam/concepts/users/service-accounts.md):
     
     ```bash
     yc organization-manager organization list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------+-------------------------+
     |          ID          |          NAME           |          TITLE          |
     +----------------------+-------------------------+-------------------------+
     | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
     | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
     | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
     +----------------------+-------------------------+-------------------------+
     ```
  1. Get a list of [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) logins of your organization's users and service accounts by specifying the organization ID:
     
     ```bash
     yc organization-manager os-login profile list \
       --organization-id <organization_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
     | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
     | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     ```
     
     Save the `LOGIN` field value for the required user or service account: you will need it later.
     
     {% note info %}
     
     The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../../../organization/security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../../../organization/security/index.md#service-roles).
     
     {% endnote %}
  1. Get a list of all VMs in the default folder:
     
     ```bash
     yc compute instance list
     ```
     
     Result:
     
     ```text
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     |          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
     | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     ```
  
      Save the public IP address (the `EXTERNAL IP` value) of the VM you want to connect to.
  1. Connect to the VM:
  
      ```bash
      ssh -i <path_to_private_SSH_key_file> \
        -l <user_or_service_account_login> <VM_public_IP_address>
      ```
  
      Where:
  
      * `<path_to_private_SSH_key_file>`: Path to the private SSH key file, e.g., `/home/user1/.ssh/id_ed25519`. 
      * `<user_or_service_account_login>`: Previously obtained user or service account login, as set in the OS Login profile.
      * `<VM_public_IP_address>`: VM public IP address you saved earlier.
  
      If this is your first time connecting to the VM, you will get this unknown host warning:
  
      ```text
      The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
      ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
      Are you sure you want to continue connecting (yes/no)?
      ```
  
      In the terminal, type `yes` and press **Enter**.

- Connecting with an SSH certificate {#ssh-cert}

  To connect to a VM via OS Login with an SSH certificate using a standard SSH client:
  
  1. [Enable](../../../organization/operations/os-login-access.md) access via OS Login at the organization level.
     
     To connect to a VM via OS Login with an SSH certificate, enable **Access via OS Login using SSH certificates (recommended)**.
  1. [Export](os-login-export-certificate.md) the SSH certificate to your local computer.
  1. Get the ID of the organization containing the required OS Login profile of the user or [service account](../../../iam/concepts/users/service-accounts.md):
     
     ```bash
     yc organization-manager organization list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------+-------------------------+
     |          ID          |          NAME           |          TITLE          |
     +----------------------+-------------------------+-------------------------+
     | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
     | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
     | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
     +----------------------+-------------------------+-------------------------+
     ```
  1. Get a list of [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) logins of your organization's users and service accounts by specifying the organization ID:
     
     ```bash
     yc organization-manager os-login profile list \
       --organization-id <organization_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
     | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
     | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     ```
     
     Save the `LOGIN` field value for the required user or service account: you will need it later.
     
     {% note info %}
     
     The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../../../organization/security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../../../organization/security/index.md#service-roles).
     
     {% endnote %}
  1. Get a list of all VMs in the default folder:
     
     ```bash
     yc compute instance list
     ```
     
     Result:
     
     ```text
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     |          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
     | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     ```
  
      Save the public IP address (the `EXTERNAL IP` value) of the VM you want to connect to.
  1. Connect to the VM:
  
      ```bash
      ssh -i <certificate_file_path> \
        -l <user_or_service_account_login> <VM_public_IP_address>
      ```
  
      Where:
  
      * `<certificate_file_path>`: Path to the certificate’s `Identity` file you exported previously, e.g., `/home/user1/.ssh/yc-cloud-id-b1gia87mbaom********-orgusername`.
      * `<user_or_service_account_login>`: Previously obtained user or [service account](../../../iam/concepts/users/service-accounts.md) login, as set in the OS Login profile.
      * `<VM_public_IP_address>`: VM public IP address you saved earlier.
  
      You can also view the command for VM connection in the [management console](https://console.yandex.cloud). On the **Overview** page of the VM, under **Access**, expand **Connect via the client SSH** and select the **Via certificate** tab.
  
      If this is your first time connecting to the VM, you will get this unknown host warning:
  
      ```text
      The authenticity of host '158.160.**.** (158.160.**.**)' can't be established.
      ECDSA key fingerprint is SHA256:PoaSwqxRc8g6iOXtiH7ayGHpSN0MXwUfWHk********.
      Are you sure you want to continue connecting (yes/no)?
      ```
  
      In the terminal, type `yes` and press **Enter**.

  {% note info %}
  
  The certificate is valid for one hour. After this time has elapsed, you will need to [export](os-login-export-certificate.md) a new certificate to connect to the VM.
  
  {% endnote %}

{% endlist %}

You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.
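
The certificate tab above notes that an exported certificate is valid for one hour, so it is worth checking the validity window and principal before running `ssh`. The script below is an added example, not part of the Yandex Cloud documentation; it parses the text printed by `ssh-keygen -L` and assumes the certificate is stored next to the identity file as `<identity_file>-cert.pub` and lists the OS Login login as a principal. The sample listing is constructed.

```bash
#!/bin/sh
# Added example (not from the Yandex Cloud docs): check an exported OS Login
# SSH certificate before connecting.

# Constructed sample of `ssh-keygen -L -f <cert>` output; not a real certificate.
sample_listing() {
  cat <<'EOF'
/home/user1/.ssh/example-identity-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:CONSTRUCTED-SAMPLE-FINGERPRINT
        Signing CA: ED25519 SHA256:CONSTRUCTED-SAMPLE-CA (using ssh-ed25519)
        Key ID: "constructed-sample"
        Serial: 0
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T11:00:00
        Principals: 
                user1
        Critical Options: (none)
        Extensions: 
                permit-pty
EOF
}

# cert_status LOGIN NOW   (reads the ssh-keygen -L listing on stdin)
# NOW uses the local-time format ssh-keygen prints: YYYY-MM-DDTHH:MM:SS.
# ISO-style timestamps sort lexically, so plain string comparison is enough.
# Prints one of: ok | not-yet-valid | expired | wrong-principal | unparsable
cert_status() {
  awk -v login="$1" -v now="$2" '
    # Only the bounded "from X to Y" form is accepted; a certificate without
    # both bounds is reported as unparsable rather than trusted.
    $1 == "Valid:" && $2 == "from" && $4 == "to" { from = $3; to = $5 }
    # Principals are listed one per line until the next section header.
    $1 == "Principals:"  { in_p = 1; next }
    /Critical Options:/  { in_p = 0 }
    in_p && NF == 1 && $1 == login { match_p = 1 }
    END {
      if (from == "" || to == "")  { print "unparsable"; exit }
      if (!match_p)                { print "wrong-principal"; exit }
      if ((now "") <  (from ""))   { print "not-yet-valid"; exit }
      # OpenSSH rejects a certificate once now >= valid_before.
      if ((now "") >= (to ""))     { print "expired"; exit }
      print "ok"
    }'
}

# Hypothetical wrapper for real use. $1 is the exported identity file,
# $2 is the login saved from the OS Login profile list.
check_exported_cert() {
  ssh-keygen -L -f "$1-cert.pub" |
    cert_status "$2" "$(date +%Y-%m-%dT%H:%M:%S)"
}

# Demonstration on the constructed sample.
sample_listing | cert_status user1 2024-05-01T10:30:00
```

If `check_exported_cert` prints `expired`, export a new certificate before connecting; `wrong-principal` means the `-l` value does not match the certificate.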

## Connecting via the Yandex Cloud CLI {#connect-with-yc-cli}

You can connect to a VM with OS Login access enabled using the [Yandex Cloud CLI](../../../cli/quickstart.md) with either an SSH key [saved](../../../organization/operations/add-ssh.md) in the profile of an organization user or service account, or an SSH certificate of that user or service account.

{% list tabs group=os_login_type %}

- Connecting with an SSH key {#ssh-key}

  To connect to a VM via OS Login with an SSH key using the Yandex Cloud CLI:
  
  1. [Enable](../../../organization/operations/os-login-access.md) access via OS Login at the organization level.
     
     To connect to a VM via OS Login with an SSH key, enable **Access via OS Login using SSH keys**.
     
     To allow users to add SSH keys to their own OS Login profiles, enable **Allow members to use their own SSH keys**.
     
     {% note info %}
     
     Only [Yandex account](../../../iam/concepts/users/accounts.md#passport), [federated](../../../iam/concepts/users/accounts.md#saml-federation) or [local](../../../iam/concepts/users/accounts.md#local) users assigned the `organization-manager.osLogins.admin` [role](../../../organization/security/index.md#organization-manager-osLogins-admin) or higher can upload SSH keys to service account [OS Login profiles](../../../organization/concepts/os-login.md#os-login-profiles).
     
     {% endnote %}
  1. [Create](ssh.md#creating-ssh-keys) an SSH key pair and [add](../../../organization/operations/add-ssh.md) the public key to the OS Login profile of a user or [service account](../../../iam/concepts/users/service-accounts.md). Remember where your private key is stored, as you will need it to connect to a VM.
  1. View the description of the CLI command to connect to a VM:
  
      ```bash
      yc compute ssh --help
      ```
  1. Get the ID of the organization containing the required OS Login profile of the user or [service account](../../../iam/concepts/users/service-accounts.md):
     
     ```bash
     yc organization-manager organization list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------+-------------------------+
     |          ID          |          NAME           |          TITLE          |
     +----------------------+-------------------------+-------------------------+
     | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
     | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
     | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
     +----------------------+-------------------------+-------------------------+
     ```
  1. Get a list of [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) logins of your organization's users and service accounts by specifying the organization ID:
     
     ```bash
     yc organization-manager os-login profile list \
       --organization-id <organization_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
     | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
     | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     ```
     
     Save the `LOGIN` field value for the required user or service account: you will need it later.
     
     {% note info %}
     
     The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../../../organization/security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../../../organization/security/index.md#service-roles).
     
     {% endnote %}
  1. Get a list of all VMs in the default folder:
     
     ```bash
     yc compute instance list
     ```
     
     Result:
     
     ```text
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     |          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
     | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     ```
  1. Connect to the VM:
  
      ```bash
      yc compute ssh \
        --name <VM_name> \
        --identity-file <path_to_private_SSH_key_file> \
        --login <user_or_service_account_login> \
        --internal-address
      ```
  
      Where:
      * `--name`: Previously obtained VM name. You can specify the VM ID instead of its name by using the `--id` parameter.
      * `--identity-file`: Path to a private SSH key file, e.g., `/home/user1/.ssh/id_ed25519`.
      * `--login`: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If this parameter is not specified, the connection will use the login specified in the default [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) for the user or service account currently authorized in the Yandex Cloud CLI profile.
      * `--internal-address`: Connects using the VM's internal IP address. This is an optional parameter.
  
      You can also see the command for VM connection in the [management console](https://console.yandex.cloud). On the **Overview** page of the VM, under **Connect to VM**, expand the **Connect via the Yandex Cloud CLI** section and select the **SSH key** tab.

- Connecting with an SSH certificate {#ssh-cert}

  To connect to a VM via OS Login with an SSH certificate using the Yandex Cloud CLI:
  
  1. [Enable](../../../organization/operations/os-login-access.md) access via OS Login at the organization level.
     
     To connect to a VM via OS Login with an SSH certificate, enable **Access via OS Login using SSH certificates (recommended)**.
  1. View the description of the CLI command to connect to a VM:
  
      ```bash
      yc compute ssh --help
      ```
  1. Get the ID of the organization containing the required OS Login profile of the user or [service account](../../../iam/concepts/users/service-accounts.md):
     
     ```bash
     yc organization-manager organization list
     ```
     
     Result:
     
     ```text
     +----------------------+-------------------------+-------------------------+
     |          ID          |          NAME           |          TITLE          |
     +----------------------+-------------------------+-------------------------+
     | bpf1smsil5q0******** | sample-organization1    | Organization 1          |
     | bpf2c65rqcl8******** | sample-organization2    | Organization 2          |
     | bpf6dne49ue8******** | sample-organization3    | Organization 3          |
     +----------------------+-------------------------+-------------------------+
     ```
  1. Get a list of [OS Login profile](../../../organization/concepts/os-login.md#os-login-profiles) logins of your organization's users and service accounts by specifying the organization ID:
     
     ```bash
     yc organization-manager os-login profile list \
       --organization-id <organization_ID>
     ```
     
     Result:
     
     ```text
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     |          ID          |        LOGIN         |    UID    |   ORGANIZATION ID    |      SUBJECT ID      | IS DEFAULT |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     | aje1eb5qm7jb******** | yc-sa-my-service-acc | 487816044 | bpfaidqca8vd******** | ajevnu4u2q3m******** | true       |
     | ajegs81t2k9s******** | user1                | 760684761 | bpfaidqca8vd******** | aje7b4u65nb6******** | true       |
     | ajej57b2kf0t******** | user2                |      1011 | bpfaidqca8vd******** | ajei280a73vc******** | true       |
     +----------------------+----------------------+-----------+----------------------+----------------------+------------+
     ```
     
     Save the `LOGIN` field value for the required user or service account: you will need it later.
     
     {% note info %}
     
     The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../../../organization/security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../../../organization/security/index.md#service-roles).
     
     {% endnote %}
  1. Get a list of all VMs in the default folder:
     
     ```bash
     yc compute instance list
     ```
     
     Result:
     
     ```text
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     |          ID          |       NAME      |    ZONE ID    | STATUS  |  EXTERNAL IP  | INTERNAL IP  |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     | fhm0b28lgf********** | first-instance  | ru-central1-a | RUNNING | 158.160.**.** | 192.168.0.8  |
     | fhm9gk85nj********** | second-instance | ru-central1-a | RUNNING | 51.250.**.*** | 192.168.0.12 |
     +----------------------+-----------------+---------------+---------+---------------+--------------+
     ```
  1. Connect to the VM:
  
      ```bash
      yc compute ssh \
        --name <VM_name> \
        --login <user_or_service_account_login> \
        --internal-address
      ```
  
      Where:
      * `--name`: Previously obtained VM name. You can specify the VM ID instead of its name by using the `--id` parameter.
      * `--login`: Previously obtained user or service account login, as set in the OS Login profile. This is an optional parameter. If you do not set this parameter, the connection will use the SSH certificate of the user or service account currently authorized in the Yandex Cloud CLI profile.
      * `--internal-address`: Connects using the VM's internal IP address. This is an optional parameter.
  
      You can also view the command for VM connection in the [management console](https://console.yandex.cloud). On the **Overview** page of the VM, under **Access**, expand **Connect via the Yandex Cloud CLI** and select the **Via certificate** tab.

{% endlist %}

You will then be connected to the specified VM. If this is your first time connecting to this VM, a new user profile will be created in the VM operating system.

#### See also {#see-also}

* [Enabling access via OS Login](../../../organization/operations/os-login-access.md)
* [Adding an SSH key](../../../organization/operations/add-ssh.md)
* [Exporting an SSH certificate](os-login-export-certificate.md)
* [Connecting to a Kubernetes node via OS Login](../../../managed-kubernetes/operations/node-connect-oslogin.md)
* [Using a service account with an OS Login profile for VM management via Ansible](../../../tutorials/security/sa-oslogin-ansible.md)