Contact UsGet started

Managing static access keys

Written by
Updated at May 5, 2025

Some Yandex Cloud services support authentication with static access keys.

Static access keys are created for service accounts. If you do not have a service account yet, create one and assign roles to it.

Creating a static access key

To create a service account static access key:

  1. In the management console, navigate to the folder the service account belongs to.

  2. From the list of services, select Identity and Access Management.

  3. In the left-hand panel, select Service accounts.

  4. Select the service account to create a static access key for.

  5. In the top panel, click Create new key and select Create static access key.

  6. Specify the key description and click Create.

  7. Save the ID and secret key.

    Alert

    After you close this dialog, the key value will not be shown again.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the create static access key command:

    yc iam access-key create --help

  2. Select a service account, e.g., my-robot:

    yc iam service-account list

    Result:

    +----------------------+------------------+-------------------------------+
|          ID          |       NAME       |          DESCRIPTION          |
+----------------------+------------------+-------------------------------+
| aje6o61dvog2******** | my-robot         |                               |
| aje9sda1ufvq******** | account_name     | account_description           |
+----------------------+------------------+-------------------------------+

  3. Create an access key for the my-robot service account:

    yc iam access-key create --service-account-name my-robot

    Result:

    access_key:
  id: aje6t3vsbj8l********
  service_account_id: ajepg0mjt06s********
  created_at: "2018-11-22T14:37:51Z"
  key_id: 0n8X6WY6S24N********
secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI********

  4. Save the ID (key_id) and secret key (secret). You will not be able to get the key again.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, define the parameters of the resources you want to create:

    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  pgp_key            = "keybase:keybaseusername"
  output_to_lockbox  {
    secret_id             = "<Lockbox_secret_ID>"
    entry_for_access_key  = "<secret’s_key_for_static_key_ID>"
    entry_for_secret_key  = "<secret’s_key_for_secret_key>"
  }
}

    Where:

    • service_account_id: This is a required parameter.

    • description: Key description. This is an optional parameter.

    • pgp_key: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format.

    • output_to_lockbox: Description of the Yandex Lockbox secret to save the secret key values in to prevent their possible leakage through the terraform.tfstate file. This is an optional parameter. Nested parameters:

      • secret_id: ID of the Yandex Lockbox secret to store the key ID and secret key in. The secret must be custom.
      • entry_for_access_key: Secret key to assign to the static access key ID value you are saving.
      • entry_for_secret_key: Secret key to assign to the secret key value you are saving.

    For more information about the yandex_iam_service_account_static_access_key parameters in Terraform, see the relevant Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the static access key: type yes in the terminal and press Enter.

      If any errors occur when creating the key, Terraform will indicate them.
      If the key is successfully created, Terraform will write it into its configuration, but will not show it to the user. The terminal will display only the ID of the created key.

      You can check the new service account key in the management console or using the CLI command:

      yc iam access-key list --service-account-name=<service_account_name>

Use the create REST API method for the AccessKey resource or the AccessKeyService/Create gRPC API call.

Examples

Add a description when creating a service account

Add a description when creating an access key.

yc iam access-key create \
  --service-account-name my-robot \
  --description "this key is for my bucket"

resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = "<service_account_ID>"
  description        = "this key is for my bucket"
  pgp_key            = "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+x....."
}

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
      "serviceAccountId": "<service_account_ID>",
      "description": "this key is for my bucket"
  }' \
  https://iam.api.cloud.yandex.net/iam/aws-compatibility/v1/accessKeys

Deleting a static access key

To delete a service account static access key:

  1. In the management console, navigate to the folder the service account belongs to.
  2. From the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts and select the service account.
  4. Under Static access keys, click in the row with the key to delete, and select Delete.
  5. In the window that opens, click Delete.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Get a list of static access keys of the service account by specifying its name:

    yc iam access-key list \
  --service-account-name <service_account_name>

    Result:

    +----------------------+----------------------+----------------------+
|          ID          |  SERVICE ACCOUNT ID  |        KEY ID        |
+----------------------+----------------------+----------------------+
| aje8bdtqec6l******** | ajeedllrkjma******** | R9JK04o1Dfaf******** |
| ajegqpa91bta******** | ajeedllrkjma******** | cWXGkDoBRho5******** |
+----------------------+----------------------+----------------------+

  2. Delete the static access key by specifying its ID:

    yc iam access-key delete <key_ID>

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Open the Terraform configuration file and delete the section with the static access key description.

    Example of a static access key description in the Terraform configuration:

    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  pgp_key            = "keybase:keybaseusername"
  output_to_lockbox  {
    secret_id             = "<Lockbox_secret_ID>"
    entry_for_access_key  = "<secret’s_key_for_static_key_ID>"
    entry_for_secret_key  = "<secret’s_key_for_secret_key>"
  }
}

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating and deleting the resources by typing yes in the terminal and clicking Enter.

    This will create or delete all resources you need in the specified folder. You can check the new resources and their settings or make sure the resources were deleted using the management console and this CLI command:

    yc iam access-key list --service-account-id <service_account_ID>

Use the delete REST API method for the AccessKey REST API resource or the AccessKeyService/Delete gRPC API call.

See also

Previous
Revoking a refresh token
Next
Managing API keys