Service accounts

A service account is an account that can be used by a program to manage resources in Yandex Cloud.

What are service accounts used forWhat are service accounts used for

By using service accounts you can flexibly configure access rights to resources for programs you wrote.

For example, let's assume you have an app for tracking VM statuses. This app only needs to have the view permissions (the viewer role); however, it runs under your name and you have the right to delete VMs.

To prevent your app from accidentally deleting a VM, create a service account and grant it view-only access.

Make sure the service account name is unique within your cloud.

In the management console, the page with service account information shows the date and time of the most recent authentication. This information helps track cases of unauthorized access to service accounts.

How service accounts differ from other accountsHow service accounts differ from other accounts

• Currently, you cannot use service accounts to log in to the management console. We assume that programs, rather than users, perform operations on behalf of service accounts.

• The service account is a resource. You can assign and revoke users' roles for a service account. For example, you can allow other people to use this service account to access Yandex Cloud. To assign a role for a service account, you need the iam.serviceAccounts.admin role.

• You can create keys for the service account to authenticate in Yandex Cloud via the API, CLI, or other tools. Those keys are deleted when you delete the service account.

• You can link your service account to virtual machines and functions that you run your program from.

  This makes it easier to scale applications running on Yandex Cloud:

  • You do not need to edit the program code to make it run on a new VM or function. The IAM authentication token is already available from inside.
  • To enable or disable operations in Yandex Cloud for all running program instances, you can assign or revoke roles for a single service account.

Service account keysService account keys

The following keys are used for service account authentication in Yandex Cloud:

• Authorized keys: Keys used to get an IAM token.
• API keys: Keys used in some services for simplified authentication instead of IAM tokens.
• Static access keys: Keys used in services with AWS-compatible APIs.

Generated keys belong to the service account and permissions to manage them are inherited from the service account. For example, if you have the viewer role for the service account, you can view the list of keys belonging to this account but you cannot delete them or create new keys.

To ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services, you can track the dates of last use of service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods.

See alsoSee also

• Getting started with service accounts
• Authorization as a service account