using google/yandex oslogin with certificate

requirements

assuming the service account (sa) already exists with the roles compute.osAdminLogin and compute.operator

setup

YC_CLOUD_ID=`yc config get cloud-id`
YC_FOLDER_ID=`yc config get folder-id`

echo $YC_CLOUD_ID
echo $YC_FOLDER_ID

cd ~/.config/
cp -R yandex-cloud/ yandex-cloud.`date +%s`/
cd yandex-cloud/

sa=ansible-oslogin-test-sa

yc iam key create \
    --cloud-id $YC_CLOUD_ID \
    --folder-id $YC_FOLDER_ID \
    --service-account-name $sa \
    --description "$USER@$HOSTNAME $sa-key.json" \
    --output $sa-key.json
chmod 400 $sa-key.json

# --or--
# --service-account-id

yc config profile create $sa
yc config set service-account-key $sa-key.json
yc config set cloud-id $YC_CLOUD_ID
yc config set folder-id $YC_FOLDER_ID

check that you can reach the instance using the CLI

yc compute ssh --name test-host1 --folder-id $YC_FOLDER_ID

notice the username? it carries a prefix (see below).

ready to go

now create the oslogin certificate (valid one hour)

#yc organization-manager organization list
yc compute ssh certificate export
    #--organization-id
    #--directory 

now let's try to authenticate into the compute node using oslogin; don't forget the yc-sa- prefix!

ssh INSTANCE-ADDRESS -l yc-sa-$sa \
    -i $HOME/.ssh/yc-organization-id-...-yc-sa-ansible-oslogin-test-sa-cert.pub

notice that the username (with its yc-sa- prefix) is also hard-coded in the certificate file name.
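Before handing the exported certificate to ssh it is worth confirming what it actually says: which principal (the yc-sa-... user) it is valid for and how long it lasts (one hour, per the step above). The following is an added example, not part of this guide or of the yc tooling; it parses the OpenSSH certificate wire format directly, and it assumes the exported *-cert.pub is an ssh-ed25519-cert-v01@openssh.com certificate (the type string and key id below are constructed sample values, and the sample certificate it builds is unsigned and only good for demonstrating the parser). On a real exported file, `ssh-keygen -L -f <cert>` prints the same fields.

```python
import base64
import struct
import time

# OpenSSH certificate type assumed for the exported key (assumption, see lead-in)
CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # 1 = user certificate, 2 = host certificate


class _Reader:
    """Sequential reader for the SSH wire encoding (string / uint32 / uint64)."""

    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def _take(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate blob")
        self.off += n
        return chunk

    def u32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def u64(self) -> int:
        return struct.unpack(">Q", self._take(8))[0]

    def string(self) -> bytes:
        return self._take(self.u32())

    def done(self) -> bool:
        return self.off >= len(self.data)


def parse_cert(pub_line: str) -> dict:
    """Parse one line of a *-cert.pub file into its identity-relevant fields."""
    parts = pub_line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE:
        raise ValueError(f"expected a {CERT_TYPE} line")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string().decode() != CERT_TYPE:
        raise ValueError("blob type does not match line prefix")
    r.string()                    # nonce
    r.string()                    # ed25519 public key
    serial = r.u64()
    cert_type = r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())      # "valid principals" is a packed list of strings
    principals = []
    while not pr.done():
        principals.append(pr.string().decode())
    valid_after = r.u64()
    valid_before = r.u64()
    # critical options, extensions, reserved, CA key and signature follow; not needed here
    return {"serial": serial, "type": cert_type, "key_id": key_id,
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def check_cert(pub_line: str, expected_user: str, now=None) -> list:
    """Return the list of problems; empty means the cert is usable for expected_user now."""
    info = parse_cert(pub_line)
    now = int(time.time()) if now is None else now
    problems = []
    if info["type"] != SSH_CERT_TYPE_USER:
        problems.append("not a user certificate")
    if expected_user not in info["principals"]:
        problems.append(f"principal {expected_user!r} not in {info['principals']}")
    if not (info["valid_after"] <= now < info["valid_before"]):
        problems.append("outside validity window (expired or not yet valid)")
    return problems


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_cert(principal: str, valid_after: int, valid_before: int) -> str:
    """Constructed, unsigned certificate with the same layout as a real one. Demo only."""
    body = b"".join([
        _s(CERT_TYPE.encode()),
        _s(b"\x00" * 32),                            # nonce (constructed)
        _s(b"\x11" * 32),                            # ed25519 public key (constructed)
        struct.pack(">Q", 1),                        # serial
        struct.pack(">I", SSH_CERT_TYPE_USER),       # type
        _s(b"sample-key-id"),                        # key id (constructed)
        _s(_s(principal.encode())),                  # valid principals (one entry)
        struct.pack(">Q", valid_after),
        struct.pack(">Q", valid_before),
        _s(b""), _s(b""), _s(b""),                   # critical options, extensions, reserved
        _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32)),   # CA public key (constructed)
        _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)),   # signature (constructed, NOT valid)
    ])
    return f"{CERT_TYPE} {base64.b64encode(body).decode()} {principal}"


if __name__ == "__main__":
    sa = "ansible-oslogin-test-sa"
    start = 1700000000
    line = build_sample_cert(f"yc-sa-{sa}", start, start + 3600)   # one-hour window
    print(parse_cert(line))
    print(check_cert(line, f"yc-sa-{sa}", now=start + 60))          # []
    print(check_cert(line, sa, now=start + 60))                     # missing yc-sa- prefix
    print(check_cert(line, f"yc-sa-{sa}", now=start + 7200))        # expired
```

The check_cert call with the bare service-account name (no yc-sa- prefix) fails on the principal check, which is exactly the mismatch that produces a rejected login when the -l user is typed without the prefix; the third call shows how the one-hour window is enforced on the client side before ssh even talks to the host.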

clean-up

back to normal

yc config profile list
yc config profile activate test

resources

yc iam key create https://yandex.cloud/en/docs/cli/cli-ref/managed-services/iam/key/create

Authenticate as a service account https://yandex.cloud/en/docs/cli/operations/authentication/service-account#auth-as-sa

Exporting an OS Login certificate https://yandex.cloud/en/docs/compute/operations/vm-connect/os-login-export-certificate


Copyright © 2024 Pierre-Philipp Braun