assuming the service account (sa) already exists with the roles compute.osAdminLogin and compute.operator
YC_CLOUD_ID=`yc config get cloud-id`
YC_FOLDER_ID=`yc config get folder-id`
echo $YC_CLOUD_ID
echo $YC_FOLDER_ID

cd ~/.config/
cp -R yandex-cloud/ yandex-cloud.`date +%s`/
cd yandex-cloud/

sa=ansible-oslogin-test-sa

yc iam key create \
    --cloud-id $YC_CLOUD_ID \
    --folder-id $YC_FOLDER_ID \
    --service-account-name $sa \
    --description "$USER@$HOSTNAME $sa-key.json" \
    --output $sa-key.json
chmod 400 $sa-key.json
# --or--
# --service-account-id

yc config profile create $sa
yc config set service-account-key $sa-key.json
yc config set cloud-id $YC_CLOUD_ID
yc config set folder-id $YC_FOLDER_ID
check that you can reach the instance using the CLI
yc compute ssh --name test-host1 --folder-id $YC_FOLDER_ID
notice the username?… it has a prefix (see below).
now create the oslogin certificate (valid one hour)
#yc organization-manager organization list
yc compute ssh certificate export
#--organization-id
#--directory
now let’s try to auth into the compute node using oslogin – don’t forget the yc-sa- prefix!
ssh INSTANCE-ADDRESS -l yc-sa-$sa \
    -i $HOME/.ssh/yc-organization-id-...-yc-sa-ansible-oslogin-test-sa-cert.pub
notice the username is also hard-coded within the certificate file-name.
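A pre-flight check for the two ways this login fails (expired one-hour certificate, login without the yc-sa- prefix), as an added example that is not part of the original notes. It assumes the standard OpenSSH `ssh-keygen -L` output layout; the function names and the sample certificate text are constructed for illustration.

```shell
# Constructed sample of `ssh-keygen -L -f <cert>` output (all values are made up).
SAMPLE_CERT_INFO='example-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:CONSTRUCTED-EXAMPLE
        Key ID: "constructed-example"
        Valid: from 2024-05-01T10:00:00 to 2024-05-01T11:00:00
        Principals:
                yc-sa-ansible-oslogin-test-sa
        Critical Options: (none)'

# Print the first principal listed in `ssh-keygen -L` output read from stdin.
cert_principal() {
    awk '$1 == "Principals:" { getline; print $1; exit }'
}

# Print the "to" timestamp of the Valid: line (empty for "Valid: forever").
cert_valid_to() {
    awk '$1 == "Valid:" { for (i = 2; i < NF; i++) if ($i == "to") { print $(i + 1); exit } }'
}

# check_oslogin_cert LOGIN NOW   (reads `ssh-keygen -L` output on stdin)
# NOW uses the same local-time format ssh-keygen prints: YYYY-MM-DDTHH:MM:SS.
# Returns 0 = usable, 1 = login is not the cert principal, 2 = expired, 3 = no expiry found.
check_oslogin_cert() {
    login=$1 now=$2
    info=$(cat)
    principal=$(printf '%s\n' "$info" | cert_principal)
    valid_to=$(printf '%s\n' "$info" | cert_valid_to)
    if [ "$principal" != "$login" ]; then
        echo "login '$login' is not the certificate principal '$principal'" >&2
        return 1
    fi
    if [ -z "$valid_to" ]; then
        echo "no expiry timestamp found in certificate info" >&2
        return 3
    fi
    # Fixed-width ISO timestamps order correctly as plain strings.
    if ! awk -v now="$now" -v to="$valid_to" 'BEGIN { exit ((now "") < (to "")) ? 0 : 1 }'; then
        echo "certificate expired at $valid_to, export a new one" >&2
        return 2
    fi
    return 0
}

# Real use (not run here):
# ssh-keygen -L -f "$cert" | check_oslogin_cert "yc-sa-$sa" "$(date +%Y-%m-%dT%H:%M:%S)"
```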
back to normal
yc config profile list
yc config profile activate test
yc iam key create https://yandex.cloud/en/docs/cli/cli-ref/managed-services/iam/key/create
Authenticate as a service account https://yandex.cloud/en/docs/cli/operations/authentication/service-account#auth-as-sa
Exporting an OS Login certificate https://yandex.cloud/en/docs/compute/operations/vm-connect/os-login-export-certificate