Static access keys compatible with the AWS API
A static access key is required to authenticate a service account in AWS-compatible APIs.
It consists of two parts:
- Key ID
- Secret key
Both parts are used in requests to the AWS-compatible API. A key ID is specified in open format. A secret key is used to sign request parameters and is not specified in the request.
It is the client's responsibility to store the secret key. Yandex Cloud gives access to it only when creating a static key.
A static key has no expiration date.
Alert
Make sure no third party has access to your secret key. Keep your key in a secure location. If your key has become known to a third party, reissue it.
To ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services, you can track the dates of last use of service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods.
In addition to static access keys, you can use Security Token Service temporary keys, also compatible with the AWS API, to work with Yandex Object Storage.
Static key format
Key ID
A key ID consists of 25 characters and always starts with YC. Other characters may include:
- Latin letters.
- Numbers.
- Underscores (
_) and hyphens (-).
Here is an example of a key ID: YCchbYEDdcsYFBnxSWbcjDJDn.
Secret key
A secret key consists of 40 characters and always starts with YC. Other characters may include:
- Latin letters.
- Numbers.
- Underscores (
_) and hyphens (-).
Here is an example of a secret key: YCVdheub7w9bImcGAnd3dZnf08FRbvjeUFvehGvc.
For an example of using a secret key and its ID in an AWS-compliant API, see the AWS Command Line Interface section.
Services that support this authentication method
The following services support authentication based on static access keys: