
# Creating an OS Login profile

By default, [enabling OS Login access](os-login-access.md) automatically creates [OS Login profiles](../concepts/os-login.md#os-login-profiles) for all users within your Yandex Identity Hub. In addition, each user or [service account](../../iam/concepts/users/service-accounts.md) may have multiple OS Login profiles, which you can create manually. Different profiles allow you to connect to [VMs](../../compute/concepts/vm.md) or [Kubernetes cluster](../../managed-kubernetes/concepts/index.md#kubernetes-cluster) nodes as different local users of those VMs or Kubernetes nodes.

For service accounts, OS Login profiles are not created automatically. To connect to a VM or Kubernetes node as a service account, you need to manually create its OS Login profile.

{% note info %}

The minimum required role allowing you to view the list of OS Login user profiles is the `organization-manager.osLogins.viewer` [role](../security/index.md#organization-manager-osLogins-viewer) assigned for your organization. For information about other roles allowing you to view the list of OS Login profiles, see [Access management in Yandex Identity Hub](../security/index.md#service-roles).

{% endnote %}

To create an OS Login profile:

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.

      [Switch](manage-organizations.md#switch-to-another-org) to an organization or federation of your choice as needed.

  1. In the left-hand panel, select ![icon-users](../../_assets/console-icons/person.svg) **Users**.
 
  1. From the list, select the user you want to create an OS Login profile for.
  
      Use the filter or search as needed.
  
  1. On the user page, go to the **OS Login Profiles** tab and click **Create profile**. In the window that opens:

      1. Enter the OS username that will be assigned to the organization user or service account when connecting to the VM. It must be unique within the folder.

          {% note info %}
          
          The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.
          
          {% endnote %}

      1. In the **ID (uid)** field, enter a unique numeric user ID (UID). It must be unique within the system.

          {% note warning %}
          
          There must be no collisions between the UIDs of the OS Login profile and the OS system profiles. If you set the UID manually, use values in the range from `1002` to `2^63 - 1` to avoid such collisions.
          
          {% endnote %}

      1. (Optional) In the **Home directory** field, enter the path to the user's home folder.

      1. (Optional) In the **Default shell** field, specify the path to the command shell executable file.

      1. Click **Create**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for creating an OS Login profile:

      ```bash
      yc organization-manager oslogin profile create --help
      ```

  1. Get the ID of the required organization:

      ```bash
      yc organization-manager organization list
      ```

      Result:

      ```text
      +----------------------+-------------------------+-----------------------+--------+
      |          ID          |          NAME           |         TITLE         | LABELS |
      +----------------------+-------------------------+-----------------------+--------+
      | bpf1smsil5q0******** | sample-organization-1   | My organization       |        |
      | bpf2c65rqcl8******** | sample-organization-new | New organization      |        |
      +----------------------+-------------------------+-----------------------+--------+
      ```

  1. Get the required user ID by specifying the ID of the organization it belongs to:

      ```bash
      yc organization-manager user list \
        --organization-id <organization_ID>
      ```

      Result:

      ```text
      +----------------------+----------+-------------------+---------------+-----------------------+
      |          ID          | USERNAME |       EMAIL       | FEDERATION ID | LAST AUTHENTICATED AT |
      +----------------------+----------+-------------------+---------------+-----------------------+
      | rser11gh89el******** | user01   | user01@example.ru |               |                       |
      | mber02hy54km******** | user02   | user02@example.ru |               |                       |
      +----------------------+----------+-------------------+---------------+-----------------------+
      ```

      To create an OS Login profile for a service account, [get](../../iam/operations/sa/get-id.md) the service account ID.

  1. Create an OS Login profile for the selected user or service account:

      ```bash
      yc organization-manager oslogin profile create \
        --organization-id <organization_ID> \
        --subject-id <user_or_service_account_ID> \
        --login <login> \
        --uid <numeric_ID> \
        --home-directory <path_to_home_folder> \
        --shell <path_to_command_shell_executable_file>
      ```

      Where:

      * `--organization-id`: Organization ID you got earlier.
      * `--subject-id`: User or service account ID you got earlier.
      * `--login`: OS username the user will get when connected to the VM. It must be unique within the folder.

          {% note info %}
          
          The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore. It must be from 1 to 32 characters long.
          
          {% endnote %}

      * `--uid`: Unique numeric user ID (UID). It must be unique within the system.

          {% note warning %}
          
          There must be no collisions between the UIDs of the OS Login profile and the OS system profiles. If you set the UID manually, use values in the range from `1002` to `2^63 - 1` to avoid such collisions.
          
          {% endnote %}

      * `--home-directory`: Path to the user's home folder on the VM. This is an optional setting. The default value is `/home/<username>`.
      * `--shell`: Path to the command shell executable file on the VM. This is an optional setting. The default value is `/bin/bash`.

      Result:

      ```text
      id: aje6ddct3de5********
      organization_id: bpf1smsil5q0********
      subject_id: rser11gh89el********
      login: new-os-login
      uid: "100500"
      home_directory: home/username
      shell: bin/bash
      ```

- API {#api}

  Use the [createProfile](../api-ref/OsLogin/createProfile.md) REST API method for the [OsLogin](../api-ref/OsLogin/index.md) resource or the [OsLoginService/CreateProfile](../api-ref/grpc/OsLogin/createProfile.md) gRPC API call.

{% endlist %}

You can only create an OS Login profile for a service account using the [Yandex Cloud CLI](../cli-ref/oslogin/profile/create.md) or [API](../api-ref/OsLogin/createProfile.md).
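
The username and UID rules above can be checked before you run `yc organization-manager oslogin profile create`. The script below is an added example, not part of the Yandex Cloud tooling: the function names are hypothetical, the `passwd` lines are a constructed sample, and it assumes you can read the target VM's account list (for example, the output of `getent passwd`).

```bash
LC_ALL=C; export LC_ALL            # byte-wise character ranges and sort order
UID_MIN=1002
UID_MAX=9223372036854775807        # 2^63 - 1

# Login: 1-32 characters from [A-Za-z0-9_-]; the first one must not be a hyphen.
valid_login() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        -*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# UID: plain decimal integer in [UID_MIN, UID_MAX].
# 19-digit values are compared as strings so 64-bit shell arithmetic cannot overflow.
valid_uid() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -lt "${#UID_MAX}" ] && { [ "$1" -ge "$UID_MIN" ]; return; }
    [ "${#1}" -eq "${#UID_MAX}" ] || return 1
    [ "$(printf '%s\n' "$1" "$UID_MAX" | sort | tail -n 1)" = "$UID_MAX" ]
}

# Succeeds if the UID is already present in passwd-format lines read from stdin.
uid_taken() {
    awk -F: -v uid="$1" '($3 "") == (uid "") { hit = 1 } END { exit !hit }'
}

# Constructed sample of a VM's local accounts (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
yc-user:x:1001:1001::/home/yc-user:/bin/bash
deploy:x:2000:2000::/home/deploy:/bin/bash
EOF
}

# check_profile <login> <uid>, passwd data on stdin.
# Returns 0 if usable, 1 on a format/range error, 2 on a UID collision.
check_profile() {
    valid_login "$1" || { echo "invalid login: $1"; return 1; }
    valid_uid "$2"   || { echo "uid outside $UID_MIN..$UID_MAX: $2"; return 1; }
    if uid_taken "$2"; then echo "uid $2 already belongs to a local account"; return 2; fi
    echo "ok: $1 / $2"
}

sample_passwd | check_profile new-os-login 100500
```

On a real VM, replace `sample_passwd` with `getent passwd` so that the collision check covers the accounts that actually exist there.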

#### See also {#see-also}

* [Enabling access via OS Login](os-login-access.md)
* [Adding an SSH key](add-ssh.md)
* [Connecting to a VM via OS Login](../../compute/operations/vm-connect/os-login.md)
* [Connecting to a Kubernetes node via OS Login](../../managed-kubernetes/operations/node-connect-oslogin.md)
* [Using a service account with an OS Login profile for VM management via Ansible](../tutorials/sa-oslogin-ansible.md)