Yandex project
© 2025 Yandex.Cloud LLC

Managing static access keys

Written by
Yandex Cloud
Updated at May 5, 2025

Some Yandex Cloud services support authentication with static access keys.

Static access keys are created for service accounts. If you do not have a service account yet, create one and assign roles to it.

Creating a static access key

To create a service account static access key:

Management console
  1. In the management console, navigate to the folder the service account belongs to.

  2. From the list of services, select Identity and Access Management.

  3. In the left-hand panel, select Service accounts.

  4. Select the service account to create a static access key for.

  5. In the top panel, click Create new key and select Create static access key.

  6. Specify the key description and click Create.

  7. Save the ID and secret key.

    Alert

    After you close this dialog, the key value will not be shown again.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the create static access key command:

    yc iam access-key create --help
    
  2. Select a service account, e.g., my-robot:

    yc iam service-account list
    

    Result:

    +----------------------+------------------+-------------------------------+
    |          ID          |       NAME       |          DESCRIPTION          |
    +----------------------+------------------+-------------------------------+
    | aje6o61dvog2******** | my-robot         |                               |
    | aje9sda1ufvq******** | account_name     | account_description           |
    +----------------------+------------------+-------------------------------+
    
  3. Create an access key for the my-robot service account:

    yc iam access-key create --service-account-name my-robot
    

    Result:

    access_key:
      id: aje6t3vsbj8l********
      service_account_id: ajepg0mjt06s********
      created_at: "2018-11-22T14:37:51Z"
      key_id: 0n8X6WY6S24N********
    secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI********
    
  4. Save the ID (key_id) and secret key (secret). You will not be able to get the key again.
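
One way to carry out step 4 without leaving the secret in a world-readable file, as an added example in Python that is not part of the Yandex Cloud documentation: it parses a result shaped like the one in step 3 and writes both values to a file that only the owner can read, refusing to replace an existing file. The function names, the output file layout and the sample values are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample in the shape of the `yc iam access-key create` result above.
SAMPLE_RESULT = """\
access_key:
  id: aje0000000000000test
  service_account_id: aje0000000000000acct
  created_at: "2018-11-22T14:37:51Z"
  key_id: EXAMPLEKEYID00000000
secret: EXAMPLE-secret-value-constructed-0000000
"""


def parse_create_result(text):
    """Return (key_id, secret) from the CLI result; raise if either is missing."""
    key_id = re.search(r"^[ \t]+key_id:[ \t]*(\S+)[ \t]*$", text, re.MULTILINE)
    secret = re.search(r"^secret:[ \t]*(\S+)[ \t]*$", text, re.MULTILINE)
    if not key_id or not secret:
        raise ValueError("result does not contain both key_id and secret")
    return key_id.group(1), secret.group(1)


def save_key(text, path):
    """Write the key pair to `path` with mode 0600, never replacing a file."""
    key_id, secret = parse_create_result(text)
    # O_EXCL fails if the path exists; 0o600 is applied at creation, so the
    # secret is never on disk with wider permissions, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"key_id={key_id}\nsecret={secret}\n")
    return key_id  # the ID is safe to log; the secret is not returned


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "my-robot.key")
        key_id = save_key(SAMPLE_RESULT, path)
        mode = oct(os.stat(path).st_mode & 0o777)
        try:
            save_key(SAMPLE_RESULT, path)  # a second write must be refused
        except FileExistsError:
            return key_id, mode, "refused to overwrite"
        return key_id, mode, "overwrote existing file"


if __name__ == "__main__":
    print(demo())
```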

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, define the parameters of the resources you want to create:

    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = "<service_account_ID>"
      description        = "<key_description>"
      pgp_key            = "keybase:keybaseusername"
      output_to_lockbox  {
        secret_id             = "<Lockbox_secret_ID>"
        entry_for_access_key  = "<secret’s_key_for_static_key_ID>"
        entry_for_secret_key  = "<secret’s_key_for_secret_key>"
      }
    }
    

    Where:

    • service_account_id: Service account ID. This is a required parameter.

    • description: Key description. This is an optional parameter.

    • pgp_key: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format.

    • output_to_lockbox: Description of the Yandex Lockbox secret in which to save the key values, so that they do not leak through the terraform.tfstate file. This is an optional parameter. Nested parameters:

      • secret_id: ID of the Yandex Lockbox secret to store the key ID and secret key in. The secret must be custom.
      • entry_for_access_key: Key in the Yandex Lockbox secret under which to save the static access key ID.
      • entry_for_secret_key: Key in the Yandex Lockbox secret under which to save the secret key.

    For more information about the yandex_iam_service_account_static_access_key parameters in Terraform, see the relevant Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the static access key: type yes in the terminal and press Enter.

      If any errors occur when creating the key, Terraform will indicate them.
      If the key is successfully created, Terraform will write it into its configuration, but will not show it to the user. The terminal will display only the ID of the created key.

      You can check the new service account key in the management console or using the CLI command:

      yc iam access-key list --service-account-name=<service_account_name>
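
The leak through terraform.tfstate that output_to_lockbox is meant to prevent can be checked for directly. The following added example, which is not part of the Yandex Cloud documentation, scans a state document for static access key resources whose secret is stored in plaintext. It assumes the version 4 state layout and the provider's secret_key attribute; the function name and the state content are constructed.

```python
import json

KEY_TYPE = "yandex_iam_service_account_static_access_key"

# Constructed state: one key kept in plaintext, one written to Lockbox.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": KEY_TYPE, "name": "plain-key",
         "instances": [{"attributes": {
             "access_key": "EXAMPLEKEYID00000001",
             "secret_key": "EXAMPLE-constructed-secret",
             "output_to_lockbox": []}}]},
        {"mode": "managed", "type": KEY_TYPE, "name": "sa-static-key",
         "instances": [{"attributes": {
             "access_key": "EXAMPLEKEYID00000002",
             "secret_key": "",
             "output_to_lockbox": [{"secret_id": "<Lockbox_secret_ID>"}]}}]},
        {"mode": "managed", "type": "yandex_iam_service_account",
         "name": "my-robot", "instances": [{"attributes": {"name": "my-robot"}}]},
    ],
})


def find_plaintext_keys(state_text):
    """Return addresses of static access keys whose secret is readable in state."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != KEY_TYPE:
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            # Assumption: the provider leaves secret_key empty when the value
            # goes to Lockbox or is PGP-encrypted; non-empty means plaintext.
            if not attrs.get("secret_key"):
                continue
            parts = [res.get("module"), res["type"], res["name"]]
            address = ".".join(p for p in parts if p)
            if "index_key" in inst:  # resources created with count/for_each
                address += f"[{json.dumps(inst['index_key'])}]"
            findings.append(address)
    return findings


if __name__ == "__main__":
    for address in find_plaintext_keys(SAMPLE_STATE):
        # Report the address only; never print the secret itself.
        print(f"plaintext secret in state: {address}")
```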
      

API

Use the create REST API method for the AccessKey resource or the AccessKeyService/Create gRPC API call.

Examples

Add a description when creating a service account

Add a description when creating an access key.

CLI

    yc iam access-key create \
      --service-account-name my-robot \
      --description "this key is for my bucket"

Terraform

    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = "<service_account_ID>"
      description        = "this key is for my bucket"
      pgp_key            = "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+x....."
    }

API

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
          "serviceAccountId": "<service_account_ID>",
          "description": "this key is for my bucket"
      }' \
      https://iam.api.cloud.yandex.net/iam/aws-compatibility/v1/accessKeys

Deleting a static access key

To delete a service account static access key:

Management console
  1. In the management console, navigate to the folder the service account belongs to.
  2. From the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts and select the service account.
  4. Under Static access keys, click in the row with the key to delete, and select Delete.
  5. In the window that opens, click Delete.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Get a list of static access keys of the service account by specifying its name:

    yc iam access-key list \
      --service-account-name <service_account_name>
    

    Result:

    +----------------------+----------------------+----------------------+
    |          ID          |  SERVICE ACCOUNT ID  |        KEY ID        |
    +----------------------+----------------------+----------------------+
    | aje8bdtqec6l******** | ajeedllrkjma******** | R9JK04o1Dfaf******** |
    | ajegqpa91bta******** | ajeedllrkjma******** | cWXGkDoBRho5******** |
    +----------------------+----------------------+----------------------+
    
  2. Delete the static access key by specifying its ID:

    yc iam access-key delete <key_ID>
    

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Open the Terraform configuration file and delete the section with the static access key description.

    Example of a static access key description in the Terraform configuration:

    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = "<service_account_ID>"
      description        = "<key_description>"
      pgp_key            = "keybase:keybaseusername"
      output_to_lockbox  {
        secret_id             = "<Lockbox_secret_ID>"
        entry_for_access_key  = "<secret’s_key_for_static_key_ID>"
        entry_for_secret_key  = "<secret’s_key_for_secret_key>"
      }
    }
    

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating and deleting the resources by typing yes in the terminal and pressing Enter.

    This will create or delete all resources you need in the specified folder. You can check the new resources and their settings or make sure the resources were deleted using the management console and this CLI command:

    yc iam access-key list --service-account-id <service_account_ID>
    

API

Use the delete REST API method for the AccessKey resource or the AccessKeyService/Delete gRPC API call.

See also

  • Static access keys compatible with the AWS API
  • Configuring tools to work with Object Storage
  • Assigning roles to a service account
  • Using a Yandex Lockbox secret to store a static access key
