Contact UsGet started

Transmitting Yandex Lockbox secrets to a function

Written by
Updated at May 5, 2025

Note

This feature is in the Preview stage.

Yandex Lockbox is a service for storing secrets. You can transmit a Yandex Lockbox secret to a function in the environment variable.

To provide a function with access to the secret, in the function parameters, specify a service account with the following roles:

A Yandex Lockbox secret provided to a function is cached in Yandex Cloud Functions. As soon as the service account can no longer access the secret, the function may store it for up to 5 minutes.

A new version of a function is created when secrets are transmitted. You cannot transmit secrets to an existing version.

  1. In the management console, select the folder containing the function.

  2. Open Cloud Functions.

  3. Select the function to transmit a Yandex Lockbox secret to.

  4. Go to the Editor tab.

  5. Under Parameters, specify:

    • In the Service account field, the service account with the lockbox.payloadViewer role.
    • In the Lockbox secrets field:
      • Name of the environment variable that will store the secret.
      • Secret ID.
      • Secret version ID.
      • Key of one of the key-value pairs in the secret version.

  6. Click Add.

    You can transmit multiple secrets to a function. To do this, click Add.

  7. Click Save changes. A new version of the function with the specified secrets will be created.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To transmit a Yandex Lockbox secret to a function, run this command:

Warning

If the secrets were already sent to the previous function version, they will be overwritten.

yc serverless function version create \
  --function-name=test \
  --runtime nodejs16 \
  --entrypoint index.main \
  --memory 128m \
  --execution-timeout 5s \
  --source-version-id vfdsdeqa1s2d3******** \
  --service-account-id bfbtfcp0o9i8******** \
  --secret environment-variable=KEY,id=fc3q4aq3w5e6********,version-id=fc3gvvz4x5c6********,key=secret-key

Where:

  • --function-name: Function name.

  • --runtime: Runtime environment.

  • --entrypoint: Entry point in <function_file_name>.<handler_name> format.

  • --memory: Amount of RAM.

  • --execution-timeout: Maximum function running time before the timeout is reached.

  • --source-version-id: ID of the function version from which you want to copy the code.

  • --service-account-id: ID of the service account with the lockbox.payloadViewer role.

  • --secret:

    • environment-variable: Name of the environment variable that will store the secret.
    • id: Secret ID.
    • version-id: Secret version ID.
    • key: Key of one of the key-value pairs in the secret version.

    You can transmit multiple secrets to a function. To do this, specify the --secret parameter as many times as needed.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Open the Terraform configuration file and add the secrets section to the function description:

    resource "yandex_function" "test-function" {
  name               = "test-function"
  description        = "Test function"
  user_hash          = "first-function"
  runtime            = "python37"
  entrypoint         = "main"
  memory             = "128"
  execution_timeout  = "10"
  service_account_id = "<service_account_ID>"
  tags               = ["my_tag"]
  secrets {
    id                   = "<secret_ID>"
    version_id           = "<secret_version_ID>"
    key                  = "<secret_1_key>"
    environment_variable = "<environment_variable_1_name>"
  }
  secrets {
    id                   = "<secret_ID>"
    version_id           = "<secret_version_ID>"
    key                  = "<secret_2_key>"
    environment_variable = "<environment_variable_2_name>"
  }

   content {
     zip_filename = "<path_to_ZIP_archive>"
   }
}

    Where:

    • secrets: Section with secret settings. It contains the following parameters:
      • id: Secret ID. This is a required parameter.
      • version_id: Secret version ID. This is a required parameter.
      • key: Key of one of the secret version's key-value pairs that will be stored in the environment variable. This is a required parameter.
      • environment_variable: Name of the environment variable that will store the secret. This is a required parameter.

    For more information about the yandex_function resource parameters, see the provider documentation.

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

You can check the function's update settings in the management console.

To transmit a Yandex Lockbox secret to a function, use the createVersion REST API method for the Function resource or the FunctionsService/CreateVersion gRPC API call.

Previous
Specifying a cloud network
Next
Allocating memory for the /tmp directory