
Hetzner Cloud SSH Key

Registers an SSH public key in a Hetzner Cloud account for injection into servers at creation time. Supports RSA (>= 1024 bits), ED25519, and ECDSA key types. The key name and labels are derived from resource metadata, leaving only the public key content as the user-specified field.

What Gets Created

When you deploy a HetznerCloudSshKey resource, OpenMCF provisions:

  • SSH Key — an hcloud_ssh_key resource containing the public key material, a display name derived from metadata.name, and standard labels computed from resource metadata. The key is registered at the account level and referenced by servers via its numeric ID.

Prerequisites

  • Hetzner Cloud API token configured via environment variable (HCLOUD_TOKEN) or OpenMCF provider config
  • An SSH key pair generated locally (e.g., ssh-keygen -t ed25519). Only the public key is needed.

Quick Start

Create a file ssh-key.yaml:

apiVersion: hetzner-cloud.openmcf.org/v1
kind: HetznerCloudSshKey
metadata:
  name: deploy-key
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.HetznerCloudSshKey.deploy-key
spec:
  publicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData deploy@ci"

Deploy:

openmcf apply -f ssh-key.yaml

This registers an ED25519 SSH public key named deploy-key in your Hetzner Cloud account.

Configuration Reference

Required Fields

| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| publicKey | string | SSH public key in OpenSSH authorized_keys format. Supports ED25519, RSA (>= 1024 bits), and ECDSA. Changing this value forces replacement of the resource. | Required, non-empty (min_len = 1) |

Optional Fields

This component has no optional spec fields. The SSH key name is derived from metadata.name and labels are computed from resource metadata.

Examples

Minimal ED25519 Key

The simplest deployment: a single ED25519 key with no organizational context.

apiVersion: hetzner-cloud.openmcf.org/v1
kind: HetznerCloudSshKey
metadata:
  name: my-key
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: my-org
    pulumi.openmcf.org/project: my-project
    pulumi.openmcf.org/stack.name: dev.HetznerCloudSshKey.my-key
spec:
  publicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyData user@host"

Production Key with Org and Environment

A key scoped to a specific organization and environment. The metadata drives label generation for resource tracking.

apiVersion: hetzner-cloud.openmcf.org/v1
kind: HetznerCloudSshKey
metadata:
  name: prod-deploy-key
  org: acme-corp
  env: production
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme-corp
    pulumi.openmcf.org/project: infrastructure
    pulumi.openmcf.org/stack.name: production.HetznerCloudSshKey.prod-deploy-key
    team: platform
spec:
  publicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIProdDeployKeyData deploy@acme-ci"

Server Composition via valueFrom

An SSH key referenced by a HetznerCloudServer using valueFrom. The server receives the key's numeric ID from the SSH key's stack outputs, establishing a dependency edge in the deployment DAG.

apiVersion: hetzner-cloud.openmcf.org/v1
kind: HetznerCloudSshKey
metadata:
  name: web-key
  org: acme-corp
  env: production
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme-corp
    pulumi.openmcf.org/project: infrastructure
    pulumi.openmcf.org/stack.name: production.HetznerCloudSshKey.web-key
spec:
  publicKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIWebKeyData web-deploy@acme"

The server references this key:

apiVersion: hetzner-cloud.openmcf.org/v1
kind: HetznerCloudServer
metadata:
  name: web-01
  org: acme-corp
  env: production
  labels:
    openmcf.org/provisioner: pulumi
    pulumi.openmcf.org/organization: acme-corp
    pulumi.openmcf.org/project: infrastructure
    pulumi.openmcf.org/stack.name: production.HetznerCloudServer.web-01
spec:
  serverType: cx22
  image: ubuntu-24.04
  location: fsn1
  sshKeyIds:
    - valueFrom:
        kind: HetznerCloudSshKey
        name: web-key
        fieldPath: status.outputs.ssh_key_id

Stack Outputs

| Output | Type | Description |
| --- | --- | --- |
| ssh_key_id | string | Hetzner Cloud numeric ID of the created SSH key. Referenced by HetznerCloudServer via sshKeyIds. |
| fingerprint | string | MD5 fingerprint of the SSH public key (e.g., "aa:bb:cc:dd:..."). Computed by Hetzner Cloud from the uploaded key material. |
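
The fingerprint output can be recomputed locally from the publicKey value to confirm that the key registered in the account is the one you generated. The following is an added example, not part of OpenMCF: the function names and the sample key are constructed for illustration. It also reports the RSA modulus length, so a review step can enforce a stricter floor than the 1024 bits the component accepts.

```python
import base64
import hashlib
import struct

SUPPORTED = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-")  # key families the page lists

def ssh_string(data):
    """Encode one SSH wire field: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(blob, offset):
    """Decode one length-prefixed field; return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Parse '<type> <base64> [comment]'; return type, RSA bits, MD5 fingerprint."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith(SUPPORTED):
        raise ValueError("expected a supported '<type> <base64> [comment]' line")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    embedded, pos = read_string(blob, 0)
    if embedded != declared.encode():
        raise ValueError("declared key type does not match the key blob")
    bits = None
    if declared == "ssh-rsa":  # blob layout: type, public exponent e, modulus n
        _, pos = read_string(blob, pos)
        modulus, _ = read_string(blob, pos)
        bits = int.from_bytes(modulus, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()  # MD5 colon-hex, as in the fingerprint output
    md5 = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return {"type": declared, "rsa_bits": bits, "md5": md5}

def matches_stack_output(line, reported):
    """True when the local key hashes to the fingerprint reported after apply."""
    return inspect_public_key(line)["md5"] == reported.strip().lower()

# Constructed sample, not a real credential: bytes 0..31 stand in for the key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " deploy@ci"

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_LINE))
```

Pass the publicKey string from the manifest and the fingerprint stack output to matches_stack_output; a False result means the registered key is not the one in the manifest.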

Related Components

  • HetznerCloudServer — References SSH key IDs for password-less access at server boot
  • HetznerCloudFirewall — Commonly deployed alongside SSH keys to restrict SSH port access
