Contact UsGet started

Using a Yandex Lockbox secret to store a static access key via the CLI

Written by
Updated at May 7, 2025

To use a static access key saved in a Yandex Lockbox secret via the CLI:

  1. Set up your environment.
  2. Save the static access key to a Yandex Lockbox secret.
  3. Use the key from the Yandex Lockbox secret for your operations with the service.

If you no longer need the resources you created, delete them.

Getting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support costs include:

  • Fee for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
  • Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See Object Storage pricing.

Set up your environment

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Install the AWS CLI.

    You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.

Save the static access key to the Yandex Lockbox secret

  1. Create a service account, e.g., storage-bucket-sa, that you will use to perform operations in Object Storage:

    yc iam service-account create storage-bucket-sa

    Result:

    done (1s)
id: ajeplujf759j********
folder_id: b1gt6g8ht345********
created_at: "2024-05-07T19:18:37.244159066Z"
name: storage-bucket-sa

    Save the ID (id) of the service account you created: you will need it to assign roles to the service account.

    For more information about the yc iam service-account create command, see the CLI reference.

  2. Assign the storage.editor role for a folder to the service account you created.

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role storage.editor \
  --subject serviceAccount:<service_account_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder where you created the service account.
    • <service_account_ID>: Service account ID you saved in the previous step.

    Result:

    done (2s)
effective_deltas:
  - action: ADD
    access_binding:
      role_id: storage.editor
      subject:
        id: ajeplujf759j********
        type: serviceAccount

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

  3. Similarly, assign the lockbox.payloadViewer role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role lockbox.payloadViewer \
  --subject serviceAccount:<service_account_ID>

  4. Create a static access key for the service account. To avoid displaying its value on the screen, the key will be saved to the STATIC_KEY variable:

    STATIC_KEY=$(yc iam access-key create --service-account-name storage-bucket-sa)

    For more information about the yc iam access-key create command, see the CLI reference.

  5. Save the key ID and secret key values to the separate KEY_ID and KEY_VALUE variables:

    KEY_ID=$(echo | awk '{if (match($0, "key_id: ")) {print substr($0, RSTART + 8, 25)}}' <<< "$STATIC_KEY") \
  && KEY_VALUE=$(echo | awk '{if (match($0, "secret: ")) {print substr($0, RSTART + 8, 40)}}' <<< "$STATIC_KEY")

  6. Create a Yandex Lockbox secret named static-key containing the new static access key:

    yc lockbox secret create \
  --name static-key \
  --payload "[{'key': $KEY_ID, 'text_value': $KEY_VALUE}]" \
  --cloud-id <cloud_ID> \
  --folder-id <folder_ID> \
  --deletion-protection

    Where:

    • --cloud-id: ID of the cloud you created the service account in.
    • --folder-id: ID of the folder you created the service account in.
    • --deletion-protection: Secret deletion protection. You cannot delete a secret with this option enabled. This is an optional parameter.

    Result:

    done (1s)
id: e6qk0c62b4ep********
folder_id: b1gt6g8ht345********
created_at: "2024-05-07T20:05:51.569Z"
name: static-key
status: ACTIVE
current_version:
  id: e6qrsj2hi8ug********
  secret_id: e6qk0c62b4ep********
  created_at: "2024-05-07T20:05:51.569Z"
  status: ACTIVE
  payload_entry_keys:
    - YCAJEO4w80Zf5DERM********
deletion_protection: true

    For more information about the yc lockbox secret create command, see the CLI reference.

The service account's static access key is now saved inside the Yandex Lockbox secret.

Use the key from the Yandex Lockbox secret for your operations with the service

The example below is intended to be run in MacOS and Linux. To run it in Windows, see how to work with Bash in Microsoft Windows.

  1. Get the static access key saved in the static-key secret. To avoid displaying its value on the screen, the key will be saved to the SECRET variable:

    SECRET=$(yc lockbox payload get static-key)

    For more information about the yc lockbox payload get command, see the CLI reference.

  2. Save the key ID, secret key, and placement region to the AWS CLI environment variables:

    export AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
  && export AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
  && export AWS_DEFAULT_REGION="ru-central1"

    The AWS CLI will use the environment variables you created for authentication when performing operations with the service resources.

  3. Create a bucket in Object Storage by specifying a unique bucket name in the command:

    aws --endpoint-url=https://storage.yandexcloud.net \
  s3 mb s3://<bucket_name>

    Result:

    make_bucket: my-first-bucket

    This will create a new bucket in Object Storage. When creating a bucket, a static access key is used obtained from the Yandex Lockbox secret and saved in environment variables.

    You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:

    AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
  AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
  AWS_DEFAULT_REGION="ru-central1" \
  aws --endpoint-url=https://storage.yandexcloud.net \
  s3 mb s3://<bucket_name>

    Result:

    make_bucket: my-first-bucket

How to delete the resources you created

To stop using the resources you created:

  1. Delete the secret.
  2. Delete the bucket.

See also

Previous
Overview
Next
Terraform