Cloud Identity Service (SSH)

SSH (Secure Shell) is a protocol providing secure connection over an insecure network. Authentication using SSH keys is widely used for remote login. EPAM Cloud supports SSH key management, storage and usage in accessing its services.

Have a Question?

The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page.
Visit the page to check whether we have a ready answer for your question.

Related CLI Commands

The table below provides the list of service-related commands and their descriptions:

Command Short Command Description
or2-create-keypair or2addkey Creates a public and private SSH keys for the specified project and region
or2-import-keypair or2ikey Imports an SSH key pair from another region
or2-describe-keypairs or2dkey Lists the SSH keys existing for the specified project and region
or2-delete-keypair or2delkey Deletes the specified SSH key

Further on this page, you can find the examples of the commands usage for SSH keys manipulation.

SSH Keys Usage in EPAM Cloud

Within EPAM Cloud, you can log in to your virtual machines using your EPAM domain credentials. However, if you are logging in via an insecure connection and do not want to send the credentials or if your VM is Linux-based, you need to use SSH keys to connect to your VM.

In addition, most of the platform services deployed in Cloud require SSH keys to log in. Also, activation of all platform services in AWS regions always requires an SSH key.

Particularly, the following platform services in EPAM Cloud are always activated with an SSH key:

  • Docker, the containerization service.
  • Kubernetes, the platform used to manage containers
  • Ambari, the Hadoop cluster management platform
  • Gerrit, the code review platform
  • Ansible, the auto-configuration platform for Linux-based systems

SSH key is a matching pair of files, a public key file and a private key file. The public key file is stored in EPAM Orchestrator while the private one is stored securely on your local workstation. When you log in, you specify the path to the private key file which is matched to the corresponding public key file. If the match is correct, you are properly authenticated and can log in.

One or several SSH keys can be created for each project. You can use the same SSH key to access multiple virtual machines.

SSH Key Pair Creation

EPAM Orchestrator has a native mechanism of creating SSH key pairs to be used for running instances in Cloud. To create a key pair, the following Maestro CLI command is used:

or2addkey -p project -r region -k key_name -s size

This command creates a key pair to be used with the specified project and region. The -s/--size parameter is optional and defines the key size. The default key size value is 4096 bit, and the minimum is 2048. If the command contains a value lower than 2048, a 2048-bit key will be created.

The public part of the SSH key is stored in EPAM Orchestrator and the private part is stored locally. The response to the command shows the path to the private key file:

The key pair created for a certain project and region is valid only for accessing virtual resources in that project and region.

When you create an SSH key on Linux, the private key file is by default saved with 644 permission, which means low security level. We recommended running the following command to make the key file more secure:

chmod 600 private_key_path

Key Import

An SSH key created using a third-party tool can be imported to EPAM Orchestrator. To import the key, use the following command specifying the full path to the public key file:

or2ikey -p project -d destination_region -k mykey -f D:\maestro\out\DEMOPRO\DEMO_REGION\mykey.pem

If the key has been created in EPAM Orchestrator, its public file is already stored there. In this case, to import the key to another region you only need to specify the region in which the key is currently stored and the destination region:

or2ikey -p project -s source_region -d destination_region -k mykey

Please use the following links for the detailed guidelines on retrieving public AWS keys:

A key created with AWS tools will be referenced in EPAM Cloud under the same name which was assigned to it during creation.

The keys created before November 7, 2015, are incompatible with Azure.

Describing Keys

You can retrieve the list of all keys existing for the specified project and region using the following command:

or2dkey -p project -r region

Deleting Keys

A key pair can be deleted by its owner, if necessary. If any virtual machines were launched using the key pair, you will be able to access them using your private key even after you delete the key pair. However, you will not be able to launch new virtual machines with it. To delete a key pair, use the following command:

or2delkey -p project -r region -k key_name

The command only deletes public keys stored in Orchestrator. To delete your private keys as well, delete them manually following the path specified during the key pair creation.

Logging in Using SSH Key

Private Regions

For Private Cloud we provide two ways of access to VMs:

  • - Using your domain authorization without SSH if the key was not specified at VM creation.
  • - Using the key specified on and your Domain username (with
  • - Using the key specified at VM creation and the default username, depending on the instance OS:

Image Username
CentOS family centos
Debian family admin
Ubuntu family ubuntu
CoreOS family core
Amazon Linux ec2-user

Public Regions

For Public Cloud providers (non EPAM region type) SSH key authorization is used. When creating a VM, you need to specify the name of the SSH key to be used. When authorizing, you can use one of the following combinations:

  • - Using the specified SSH key and the default username, depending on the instance OS.

Image Username
CentOS family centos
Debian family admin (AWS. Google) debian (Azure)
Ubuntu family ubuntu
CoreOS family core
Amazon Linux ec2-user

  • - Using the key specified on and your Domain username (with

Also, in Azure Cloud you can run a VM without specifying SSH key name. In this case you will receive an email containing automatically generated username and password. Password authorization is less secure than the SSH one. We recommend using it for training purposes and temporary VMs. According to best practices, it is beeter to use SSH key authorization and disable temporary user and password access

Using SSH Keys to Run Virtual Machines

Once you have a SSH key pair, you can use it to access virtual machines. In this case, the VM should be launched specifying the SSH key, otherwise SSH access will not be possible. And vice versa, any VM launched with an SSH key is accessible only with such key.

To launch a VM with an SSH key, use the following command:

or2run -p project -r region -i image -s shape -k key_name

If you launch the VM via the Cloud Console, specify the SSH key in the instance run template:

If you create instances in AWS using AWS Management Console, the keys usage process is the same, except for the SSH key creation and assignment to a VM: this is done via AWS UI on instance creation stage. The connection via SSH is performed the same way. For more details please refer to the Hybrid Cloud Guide


The Keystore Service (key creation and storage) is provided free of charge.