Cloud Identity Service (SSH)

SSH (Secure Shell) is a protocol providing secure connection over an insecure network. Authentication using SSH keys is widely used for remote login. EPAM Cloud supports SSH key management, storage and usage in accessing its services.

Have a Question?

The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page.
Visit the page to check whether we have a ready answer for your question.

Related CLI Commands

The table below provides the list of service-related commands and their descriptions:

Command Short Command Description
or2-create-keypair or2addkey Creates a public and private SSH keys for the specified project and region
or2-import-keypair or2ikey Imports an SSH key pair from another region
or2-describe-keypairs or2dkey Lists the SSH keys existing for the specified project and region
or2-delete-keypair or2delkey Deletes the specified SSH key

Further on this page, you can find the examples of the commands usage for SSH keys manipulation.

You can create, import, describe, and delete SSH keys not only by Maestro CLI commands but also in the Cloud UI Dashboard via the Manage Keys wizard.

SSH Keys Usage in EPAM Cloud

In private regions of EPAM Cloud, you can log in to your VMs with your EPAM domain credentials via the password authorization. However, if you use untrusted communication channels (mobile providers, public WIFI, etc.) and do not want to use a plain password, you can use SSH keys to secure your VM connection.

By default, password authorization is disabled for the most public cloud providers. So, SSH authentication is a standard approach for secure connection.

SSH authentication is required to activate platform services in all public clouds.

These platform services are always activated with an SSH key in EPAM Cloud:

  • Docker, the containerization service
  • OpenShift and Kubernetes, platforms used for managing containers
  • Gerrit, the code review platform
  • Ansible, the tool for configuration management and application deployment

SSH key is a matching pair of files, a public key file and a private key file. In EPAM Cloud, public keys are stored in EPAM Orchestrator while private ones are stored securely on your local workstation. When you log in, you specify the path to the private key that has a matching public key. If the match is correct, you are properly authenticated and can log in.

One or several SSH keys may be created for each project. You can use the same SSH key to access multiple virtual machines.

Creating SSH Keys

EPAM Orchestrator has a native mechanism of creating SSH key pairs to be used for running instances in Cloud. To create a key pair, the following Maestro CLI command is used:

or2addkey -p project -r region -k key_name -s size

The -s/--size parameter is optional and defines the key size. The default key size value is 4096 bit, and the minimum is 2048. If the command contains a value lower than 2048, a 2048-bit key will be created.

This command creates a key pair to be used with the specified project and region:

Public keys of the SSH key pairs are stored in EPAM Orchestrator, and private keys are stored locally in the Maestro CLI directory following this path pattern - \out\project\region\key_name.pem.

For security reasons. all generated .pem files have 600 file permission.

The created private key can be used for authorizing to a virtual machine in the specified project and region. If you want to use the same key pair for another region/s, you need to import the public key specifically.

Importing SSH Keys

An SSH key created using a third-party tool can be imported to EPAM Orchestrator. To import the key, execute this command and specify the full path to the public key file:

or2ikey -p project -d destination_region -k key_name -f path\to\public\key\

If the key has been created in EPAM Orchestrator, its public file is already stored there. In this case, to import the key to another region you only need to specify the region in which the key is currently stored and the destination region:

or2ikey -p project -s source_region -d destination_region -k key_name

In Azure, SSH keys should be created for the specified region. It is possible to import keys from other Azure regions, but they cannot be imported from other cloud providers or as files.

Here are detailed guidelines on retrieving public AWS keys:

Describing SSH Keys

You can retrieve the list of all keys existing for the specified project and region using this command:

or2dkey -p project -r region

Deleting SSH Keys

To delete an SSH key pair, execute this command::

or2delkey -p project -r region -k key_name

This command only deletes public keys stored in Orchestrator. To delete your private keys as well, delete them manually.

Only key owner can delete the SSH key.

Once the SSH key pair has been deleted from EPAM Orchestrator project and region, you can still use its private key to access VMs which were created with this key (though you cannot use it to run the new ones).

Running a New Instance with SSH Keys

Once you have a SSH key pair, you can use it to run virtual machines:

or2run -p project -r region -i image -s shape -k key_name

If you used SSH keys to run an instance, you will be able to access it only with these SSH keys.

Accessing VMs with SSH Keys

Private regions

There are two ways to access virtual machines in private regions.


Using your corporate email in format with domain credentials (AD password) or with a public key specified at

This authorization model can be used only by project members.

You can use this authorization model to access virtual macOS instances only. To access the hardware macOS instances, please follow these instructions.


Using the default username related to the OS with the key specified when this VM was created:

Image Username
CentOS family centos
Oracle Linux oracle
Debian family admin
Ubuntu family ubuntu
CoreOS family core
Amazon Linux ec2-user

If you run a new instance with the disabled autoconfiguration (the --auto-configuration-disabled flag is set), the SSH key pair created with it is stored in the owner’s home folder. Later the owner can use these keys with his/her corporate email to access this virtual machine.

Public regions

For public cloud providers, the SSH key authorization is solely used.

When you run a new virtual machine, you must specify the name of the specific SSH key pair created beforehand or imported to this region. This SSH key pair will further be used for accessing this VM.

To access a VM, specify the default SSH username listed in the official documentation of the cloud provider in combination with the SSH key created with the VM.

Frequently used usernames are given in this table:

Image AWS Azure GCP
CentOS family centos centos centos
Oracle Linux **available only via AWS Marketplace oracle **not available
Debian family debian admin debian
Ubuntu family ubuntu ubuntu ubuntu
CoreOS family core core core
Amazon Linux ec2-user
** frequently used for AMIs
**not available **not available

In Azure, you can run a VM without specifying the SSH key name. In this case, you will receive an email containing the automatically generated username and password. However, password authorization is less secure than the SSH one, and we recommend using it only for training purposes and temporary VMs. According to best practices, it is better to use SSH key authorization and disable temporary user and password access.

If you use native GCP or Azure consoles, you can specify the username when running a VM.


The Keystore Service (key creation and storage) is provided free of charge.