Contact UsGet started

Creating an API key

Written by
Updated at November 20, 2024

This guide will tell you how to create an API key for a service account. The API key is a secret key used for simplified authorization in the Yandex Cloud API.

If you do not have a service account yet, create one and assign roles to it.

Creating an API key

To create an API key:

  1. In the management console, navigate to the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. Select the service account to create an API key for. Create a new service account if needed.
  5. In the top panel, click Create new key and select Create API key.
  6. Enter a description of the key so that you can easily find it in the management console.
  7. (Optional) Select Scope. For more information about scopes, see API keys with scope and validity limits.
  8. (Optional) Specify Validity period.
  9. Click Create.
  10. Save the ID and the secret key.

Alert

After you close the dialog, the key value will become unavailable.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the create API key command:

    yc iam api-key create --help

  2. Get a list of service accounts in the default folder:

    yc iam service-account list

    Result:

    +----------------------+------------------+-------------------------------+
|          ID          |       NAME       |          DESCRIPTION          |
+----------------------+------------------+-------------------------------+
| aje6o61dvog2******** | my-robot         |                               |
| aje9sda1ufvq******** | account_name     | account_description           |
+----------------------+------------------+-------------------------------+

  3. Create an API key for the required service account and save the response to the api_key.yaml file:

    yc iam api-key create \
  --service-account-name <service_account_name> \
  --scope <scope> \
  --expires-at <date_and_time> \
  > api_key.yaml

    Where:

    • --service-account-name: Service account name. This is a required parameter.
    • --scope: Key scope. This is an optional parameter.
    • --expires-at: Key expiration date and time. This is an optional parameter.
    • api_key.yaml: File to save the response to.

    As a result, you will get the api_key.yaml file with the API key value in the secret field:

    api_key:
  id: ajeke74kbp5b********
  service_account_id: ajepg0mjt06s********
  created_at: "2019-04-09T08:41:27Z"
secret: AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********

To learn how to transmit a key in a request, read the guides for the services supporting this authorization method.

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the parameters of the resources you want to create:

    resource "yandex_iam_service_account_api_key" "sa-api-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  pgp_key            = "<PGP_key>"
}

    Where:

    • service_account_id: Service account ID. This is a required parameter.
    • description: Key description. This is an optional parameter.
    • pgp_key: Additional PGP key for encrypting a private key. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format. This is an optional parameter.

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources and their configuration using the management console or this CLI command:

    yc iam key list --service-account-id <service_account_ID>

Create an API key using the create REST API method for the ApiKey resource:

export SERVICEACCOUNT_ID=<service_account_ID>
export IAM_TOKEN=<token>
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --data "{
      \"serviceAccountId\": \"$SERVICEACCOUNT_ID\",
      \"scope\": \"<scope>\",
      \"expiresAt\": \"<date_and_time>\"
  }" \
  https://iam.api.cloud.yandex.net/iam/v1/apiKeys

Where:

  • SERVICEACCOUNT_ID: Service account ID. This is a required parameter.
  • IAM_TOKEN: IAM token. This is a required parameter.
  • scope: Scope of the key with restricted access. This is an optional parameter.
  • expiresAt: Expiration date and time for the key with restricted access. This is an optional parameter.

You can also create an API key using the ApiKeyService/Create gRPC API call.

Viewing available scopes

To view available scopes of an API key, run this command:

yc iam api-key list-scopes

Result:

- yc.ydb.tables.manage
- yc.ydb.topics.manage

View available scopes of an API key using the ListScopes REST API method for the ApiKey resource.

You can also view available scopes of an API key using the ApiKeyService/ListScopes gRPC API call.

Examples

Adding a description when creating an API key

To add an API key description when creating the key:

yc iam api-key create --service-account-name my-robot \
  --description "this API-key is for my-robot"

Where:

  • --service-account-name: Service account name. This is a required parameter.
  • --description: API key description. This is an optional parameter.
resource "yandex_iam_service_account_api_key" "sa-api-key" {
  service_account_id = "<service_account_ID>"
  description        = "this API-key is for my-robot"
}

Where:

  • service_account_id: Service account ID. This is a required parameter.
  • description: Key description. This is an optional parameter.
export SERVICEACCOUNT_ID=<service_account_ID>
export IAM_TOKEN=<IAM_token>
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --data "{
      \"serviceAccountId\": \"$SERVICEACCOUNT_ID\",
      \"description\": \"this API-key is for my-robot\"
  }" \
  https://iam.api.cloud.yandex.net/iam/v1/apiKeys

Where:

What's next

Previous
Creating a temporary access key using Security Token Service
Next
Deleting API keys