Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
  • Blog
  • Pricing
  • Documentation
Yandex project
© 2025 Yandex.Cloud LLC
Yandex Data Streams
    • All tutorials
    • Entering data into storage systems
    • Smart log processing
    • Transferring data within microservice architectures
    • Saving data to ClickHouse®
    • Replicating logs to Object Storage using Fluent Bit
    • Replicating logs to Object Storage using Data Streams
    • Migrating data to Yandex Object Storage using Yandex Data Transfer
    • Delivering data from Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • Delivering data from an Data Streams queue to Managed Service for YDB
    • Delivering data to Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • YDB change data capture and delivery to YDS
    • PostgreSQL change data capture and delivery to YDS
    • MySQL® change data capture and delivery to YDS
      • Overview
      • CLI
      • Terraform
    • Streaming Yandex Cloud Postbox events to Yandex Data Streams and analyzing them using Yandex DataLens
    • Creating an interactive serverless application using WebSocket
    • Processing Audit Trails events
    • Processing CDC Debezium streams
    • Exporting audit logs to MaxPatrol SIEM
    • Searching for Yandex Cloud events in Yandex Query
  • Access management
  • Pricing policy
  • FAQ

In this article:

  • Getting started
  • Required paid resources
  • Set up your environment
  • Create an infrastructure
  • Use the key from the Yandex Lockbox secret for your operations with the service
  • How to delete the resources you created
  1. Tutorials
  2. Storing a static access key in a Yandex Lockbox secret
  3. Terraform

Using a Yandex Lockbox secret to store a static access key using Terraform

Written by
Yandex Cloud
Updated at May 7, 2025
  • Getting started
    • Required paid resources
  • Set up your environment
  • Create an infrastructure
  • Use the key from the Yandex Lockbox secret for your operations with the service
  • How to delete the resources you created

To use a static access key saved in a Yandex Lockbox secret using Terraform:

  1. Set up your environment.
  2. Create an infrastructure.
  3. Use the key from the Yandex Lockbox secret for your operations with the service.

If you no longer need the resources you created, delete them.

Getting startedGetting started

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resourcesRequired paid resources

The infrastructure support costs include:

  • Fee for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
  • Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See Object Storage pricing.

Set up your environmentSet up your environment

Install the AWS CLI.

You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.

Create an infrastructureCreate an infrastructure

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

To create an infrastructure using Terraform:

  1. Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).

  2. Prepare the infrastructure description file:

    Ready-made configuration
    Manually
    1. Clone the repository with configuration files.

      git clone https://github.com/yandex-cloud-examples/yc-static-keys-in-lockbox
      
    2. Navigate to the repository directory. It should now contain the static-key-in-lockbox-config.tf file with the new infrastructure configuration.

    1. Create a folder for configuration files.

    2. Create a configuration file named static-key-in-lockbox-config.tf in the folder:

      static-key-in-lockbox-config.tf
      # Declaring user-defined variables
      
      locals {
        zone      = "<availability_zone>"
        folder_id = "<folder_ID>"
      }
      
      terraform {
        required_providers {
          yandex = {
            source  = "yandex-cloud/yandex"
            version = ">= 0.47.0"
          }
        }
      }
      
      # Configuring a provider
      
      provider "yandex" {
        zone = local.zone
      }
      
      # Creating a service account and assigning roles
      
      resource "yandex_iam_service_account" "sa" {
        folder_id = local.folder_id
        name      = "storage-bucket-sa"
      }
      
      resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
        folder_id = local.folder_id
        role      = "storage.admin"
        member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
      }
      
      resource "yandex_resourcemanager_folder_iam_member" "lockboxview" {
        folder_id = local.folder_id
        role      = "lockbox.payloadViewer"
        member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
      }
      
      # Creating a secret
      
      resource "yandex_lockbox_secret" "my_secret" {
        name                = "static-key"
        folder_id           = local.folder_id
        deletion_protection = true
      }
      
      # Creating a static access key
      
      resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
        service_account_id = yandex_iam_service_account.sa.id
        description        = "static access key for object storage"
        output_to_lockbox {
          secret_id            = yandex_lockbox_secret.my_secret.id
          entry_for_access_key = "key_id"
          entry_for_secret_key = "key"
        }
      }
      
      # Data source of the secret version
      
      data "yandex_lockbox_secret_version" "my_secret_version" {
        secret_id  = yandex_lockbox_secret.my_secret.id
        version_id = yandex_iam_service_account_static_access_key.sa-static-key.output_to_lockbox_version_id
        depends_on = [
          yandex_lockbox_secret.my_secret
        ]
      }
      
      # Output variables
      
      output "key_id" {
        value = data.yandex_lockbox_secret_version.my_secret_version.entries[1].text_value
      }
      
      output "key" {
        value = data.yandex_lockbox_secret_version.my_secret_version.entries[0].text_value
      }
      

    Learn more about the properties of Terraform resources in the provider documentation:

    • Service account: yandex_iam_service_account.
    • Assigning a role to a service account: yandex_resourcemanager_folder_iam_member.
    • Secret: yandex_lockbox_secret.
    • Static access key: yandex_iam_service_account_static_access_key.
    • Secret version: yandex_lockbox_secret_version.
  3. In the static-key-in-lockbox-config.tf file, set the following user-defined properties:

    • zone_id: Availability zone.
    • folder_id: Folder ID.
  4. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      
    3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply
      
    5. Confirm the changes: type yes in the terminal and press Enter.

Once the infrastructure is created, use the key from the secret for your operations with the service.

Use the key from the Yandex Lockbox secret for your operations with the serviceUse the key from the Yandex Lockbox secret for your operations with the service

The example below is intended to be run in MacOS and Linux. To run it in Windows, see how to work with Bash in Microsoft Windows.

Use the key from the Yandex Lockbox secret and create a bucket in Object Storage:

  1. Save the key ID, secret key, and placement region to the AWS CLI environment variables:

    AWS_ACCESS_KEY_ID=$(terraform output key_id)
    AWS_SECRET_ACCESS_KEY=$(terraform output key)
    AWS_DEFAULT_REGION="ru-central1"
    

    The AWS CLI will use the environment variables you created for authentication when performing operations with the service resources.

  2. Create a bucket in Object Storage by specifying a unique bucket name in the command:

    AWS CLI
    aws --endpoint-url=https://storage.yandexcloud.net \
      s3 mb s3://<bucket_name>
    

    Result:

    make_bucket: my-first-bucket
    

    This will create a new bucket in Object Storage. When creating a bucket, a static access key is used obtained from the Yandex Lockbox secret and saved in environment variables.

    You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:

    AWS CLI
    AWS_ACCESS_KEY_ID=$(terraform output key_id) \
    AWS_SECRET_ACCESS_KEY=$(terraform output key) \
    AWS_DEFAULT_REGION="ru-central1" \
    aws --endpoint-url=https://storage.yandexcloud.net \
      s3 mb s3://<bucket_name>
    

    Result:

    make_bucket: my-first-bucket
    

How to delete the resources you createdHow to delete the resources you created

To stop paying for the resources you created:

  1. Delete the bucket.

  2. Open the static-key-in-lockbox-config.tf configuration file and delete the description of the new infrastructure from it.

  3. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      
    3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply
      
    5. Confirm the changes: type yes in the terminal and press Enter.

See alsoSee also

  • Using a Yandex Lockbox secret to store a static access key via the CLI

Was the article helpful?

Previous
CLI
Next
Streaming Yandex Cloud Postbox events to Yandex Data Streams and analyzing them using Yandex DataLens
Yandex project
© 2025 Yandex.Cloud LLC