Managing authorized keys
An authorized key is a key with an unlimited TTL that is used to obtain a service account IAM token: the private part of the authorized key signs a JSON Web Token (JWT), which is then exchanged for the IAM token. Because the key never expires on its own, anyone holding the private part can keep obtaining tokens until the key is deleted, so store it carefully and retire keys you no longer need.
Authorized keys are created for service accounts. If you do not have a service account yet, create one and assign roles to it.
Creating an authorized key
To create a service account authorized key:
Management console
- In the management console, select the folder the service account belongs to.
- From the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts.
- In the list that opens, select the service account to create an authorized key for.
- In the top panel, click Create new key and select Create authorized key.
- Select the key algorithm; if required, specify the key description and click Create.
- In the window that opens:
  - Copy and save both the public and private parts of the key in a secure location. The private part of the key is not stored in Yandex Cloud and you will not be able to get it again. You will not be able to view the public part of the key in the management console.
    You can also download your keys in a single JSON file. To do this, click Download file with keys.
  - Click Close.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.
- View the description of the command for creating an authorized key:
  yc iam key create --help
- Select a service account, e.g., my-robot:
  yc iam service-account list
  Result:
  +----------------------+------------------+-------------------------------+
  | ID                   | NAME             | DESCRIPTION                   |
  +----------------------+------------------+-------------------------------+
  | aje6o61dvog2******** | my-robot         |                               |
  | aje9sda1ufvq******** | account_name     | account_description           |
  +----------------------+------------------+-------------------------------+
- Create an authorized key for the my-robot service account:
  yc iam key create \
    --service-account-name my-robot \
    -o my-robot-key.json
  If successful, the created authorized key will be saved to the my-robot-key.json file. Key file example:
  {
    "id": "lfkoe35hsk58********",
    "service_account_id": "ajepg0mjt06s********",
    "created_at": "2019-03-20T10:04:56Z",
    "key_algorithm": "RSA_2048",
    "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
  }
  Copy both the public and private parts of the key (the public_key and private_key values) and save them in a secure location. The private part of the key is not stored in Yandex Cloud and you will not be able to get it again. Restrict access to the key file (for example, chmod 600): anyone who can read private_key can obtain IAM tokens for the service account.
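The step described at the top of this page, signing a JWT with the private part of the key and exchanging it for an IAM token, worked through against a key file with the layout shown above. This is an added example, not code from the original page or from Yandex Cloud. It assumes what Yandex Cloud documents for this exchange: a PS256 JWT whose kid is the key ID, iss is the service account ID, aud is the tokens endpoint https://iam.api.cloud.yandex.net/iam/v1/tokens, and whose lifetime is at most one hour; and that the endpoint answers with an iamToken field. It needs the cryptography package. The key produced by make_demo_key_file() is a constructed stand-in for my-robot-key.json, used so that the signing and verification run offline; get_iam_token() is the real network exchange.

```python
"""Obtain a service-account IAM token from an authorized key file (added example).

Assumptions (not confirmed by the page itself): PS256 JWT, kid = key id,
iss = service account id, aud = TOKENS_URL, lifetime <= 1 hour, response
carries "iamToken". The demo key from make_demo_key_file() is constructed.
"""
import base64
import json
import time
import urllib.request
from typing import Optional, Tuple

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

TOKENS_URL = "https://iam.api.cloud.yandex.net/iam/v1/tokens"
MAX_LIFETIME = 3600  # the endpoint rejects JWTs that live longer than one hour


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pss() -> padding.PSS:
    # PS256 = RSASSA-PSS, MGF1 with SHA-256, salt length equal to the digest size
    return padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)


def build_jwt(key_file: dict, now: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> str:
    """Sign the JWT for the tokens endpoint with the private part of the key.

    key_file is the parsed my-robot-key.json (id, service_account_id, private_key).
    """
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("JWT lifetime must be between 1 second and 1 hour")
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "PS256", "kid": key_file["id"]}
    claims = {"iss": key_file["service_account_id"], "aud": TOKENS_URL,
              "iat": now, "exp": now + lifetime}

    def compact(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    private_key = serialization.load_pem_private_key(
        key_file["private_key"].encode(), password=None)
    signature = private_key.sign(signing_input.encode(), _pss(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, public_key_pem: str, now: Optional[int] = None) -> dict:
    """Check the JWT against the public part of the key and return its claims.

    Mirrors the checks the endpoint performs; run it locally to confirm that the
    public and private parts of a key file belong together before relying on it.
    Raises cryptography.exceptions.InvalidSignature or ValueError on failure.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "PS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    public_key = serialization.load_pem_public_key(public_key_pem.encode())
    public_key.verify(b64url_decode(sig_b64), f"{header_b64}.{claims_b64}".encode(),
                      _pss(), hashes.SHA256())
    claims = json.loads(b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("JWT is not valid at this time")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("JWT lifetime exceeds one hour")
    return claims


def get_iam_token(key_file_path: str) -> str:
    """Exchange the JWT for an IAM token (network call; not used by the demo)."""
    with open(key_file_path) as f:
        key_file = json.load(f)
    body = json.dumps({"jwt": build_jwt(key_file)}).encode()
    req = urllib.request.Request(TOKENS_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["iamToken"]


def make_demo_key_file() -> Tuple[dict, str]:
    """Constructed stand-in for my-robot-key.json plus its public key (demo only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = key.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption()).decode()
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo).decode()
    key_file = {"id": "lfkoe35hsk58demo0000", "service_account_id": "ajepg0mjt06sdemo0000",
                "key_algorithm": "RSA_2048", "public_key": public_pem, "private_key": private_pem}
    return key_file, public_pem


if __name__ == "__main__":
    demo_key_file, demo_public_pem = make_demo_key_file()
    print(verify_jwt(build_jwt(demo_key_file), demo_public_pem))
    # With a real key file: print(get_iam_token("my-robot-key.json"))
```

Keep the JWT lifetime short: the token is a bearer credential for the exchange, and an hour is the most the endpoint accepts anyway. The local verify_jwt() pass is also a cheap way to confirm that the public_key and private_key values you saved from one key were not mixed up with those of another.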
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, define the parameters of the resources you want to create:
  resource "yandex_iam_service_account_key" "sa-auth-key" {
    service_account_id = "<service_account_ID>"
    description        = "<key_description>"
    key_algorithm      = "<key_generation_algorithm>"
    pgp_key            = "<PGP_key>"
    output_to_lockbox {
      secret_id             = "<Lockbox_secret_ID>"
      entry_for_private_key = "<secret_key>"
    }
  }
  Where:
  - service_account_id: Service account ID. This is a required parameter.
  - description: Key description. This is an optional parameter.
  - key_algorithm: Key generation algorithm. This is an optional parameter. The default algorithm is RSA_2048. For more information about the acceptable parameter values, see the API documentation.
  - pgp_key: Additional PGP key for encrypting the private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format.
  - output_to_lockbox: Description of the Yandex Lockbox secret to save the private key value in, to prevent it from leaking through the terraform.tfstate file. This is an optional parameter. Nested parameters:
    - secret_id: ID of the Yandex Lockbox secret to save the private part of the authorized key to. The secret must be custom.
    - entry_for_private_key: Key of the secret entry that will hold the private part of the authorized key.
  Without pgp_key or output_to_lockbox, the private part of the key is written to the Terraform state in plain text, so anyone who can read the state file can obtain IAM tokens for the service account; use one of the two options or protect the state accordingly.
  To learn more about the resources you can create with Terraform, see the Terraform documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console and this CLI command:
    yc iam key list --service-account-id <service_account_ID>
API
Use the create REST API method for the Key resource or the KeyService/Create gRPC API call.
Request example with cURL for the create REST API method:
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{"serviceAccountId": "<service_account_ID>"}' \
https://iam.api.cloud.yandex.net/iam/v1/keys
Where:
- <IAM_token>: IAM token of the user with permissions to create keys for the specified service account.
- <service_account_ID>: ID of the service account the key is created for.
If successful, the server response will include both the public (publicKey) and private (privateKey) parts of the authorized key. Save this data. You will not be able to get the private key value again. The private key arrives in the response body in plain text, so write it straight to a protected file rather than letting it end up in logs or a terminal scrollback.
Sample server response:
{
"key": {
"createdAt": "2018-10-30T15:55:00+00:00",
"description": "",
"id": "lfkoe35hsk58********",
"keyAlgorithm": "RSA_2048",
"publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"serviceAccountId": "ajepg0mjt06s********"
},
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}
Deleting an authorized key
Once a key is deleted it can no longer be used to obtain IAM tokens, so first switch anything that still authenticates with it to a replacement key. To delete a service account authorized key:
Management console
- In the management console, select the folder the service account belongs to.
- From the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts and select the required service account.
- Under Authorized keys, click the menu icon in the row with the key to delete and select Delete.
- In the window that opens, confirm the deletion.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.
- Get a list of authorized keys for a service account by entering its name:
  yc iam key list \
    --service-account-name <service_account_name>
  Result:
  +----------------------+-------------------------------------+-----------+---------------------+
  | ID                   | SUBJECT                             | ALGORITHM | CREATED AT          |
  +----------------------+-------------------------------------+-----------+---------------------+
  | ajeave7oktut******** | serviceAccount:ajeedllrkjma******** | RSA_2048  | 2022-03-13 20:14:22 |
  | ajeb794igb80******** | serviceAccount:ajeedllrkjma******** | RSA_2048  | 2022-03-13 20:06:13 |
  +----------------------+-------------------------------------+-----------+---------------------+
- Delete the authorized key by specifying its ID:
  yc iam key delete <key_ID>
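Because an authorized key has no TTL, retiring old keys is a procedure you have to run yourself: list the service account's keys, create a replacement, then delete the rest. The following is an added example, not code from the original page or from Yandex Cloud, that selects the keys to delete from such a listing. It assumes that yc iam key list --service-account-id <ID> --format json prints a JSON array whose elements carry the same id, service_account_id, created_at and key_algorithm fields as the key file shown earlier on this page (an assumption; check against your CLI version). SAMPLE_KEY_LIST is constructed sample data, not real output, and the key IDs in it are made up.

```python
"""Select authorized keys that are due for rotation (added example).

Input: the JSON printed by `yc iam key list --service-account-id <ID> --format json`
(assumed field names: id, service_account_id, created_at, key_algorithm).
SAMPLE_KEY_LIST is constructed sample data with made-up IDs.
"""
import json
from datetime import datetime, timedelta
from typing import List

# Constructed sample shaped like `yc iam key list ... --format json` output.
SAMPLE_KEY_LIST = json.dumps([
    {"id": "ajeave7oktutdemo0001", "service_account_id": "ajeedllrkjmademo0000",
     "created_at": "2022-03-13T20:14:22Z", "key_algorithm": "RSA_2048"},
    {"id": "ajeb794igb80demo0002", "service_account_id": "ajeedllrkjmademo0000",
     "created_at": "2022-03-13T20:06:13Z", "key_algorithm": "RSA_2048"},
    {"id": "ajecrotatednew000003", "service_account_id": "ajeedllrkjmademo0000",
     "created_at": "2024-01-05T09:00:00Z", "key_algorithm": "RSA_4096"},
])


def parse_created_at(value: str) -> datetime:
    # RFC 3339 timestamp; fromisoformat() before Python 3.11 does not accept "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def keys_to_rotate(key_list_json: str, max_age_days: int, now: datetime,
                   keep_newest: int = 1) -> List[str]:
    """IDs of keys older than max_age_days, newest first, sparing keep_newest keys.

    Sparing the newest key(s) means the service account is never left without a
    credential: create the replacement key first, then run this to retire the rest.
    """
    keys = sorted(json.loads(key_list_json),
                  key=lambda k: parse_created_at(k["created_at"]), reverse=True)
    max_age = timedelta(days=max_age_days)
    return [k["id"] for k in keys[keep_newest:]
            if now - parse_created_at(k["created_at"]) > max_age]


def delete_commands(key_ids: List[str]) -> List[str]:
    """The yc commands that retire the selected keys (print, review, then run)."""
    return [f"yc iam key delete {key_id}" for key_id in key_ids]


if __name__ == "__main__":
    # In practice: now = datetime.now(timezone.utc) and the JSON from the yc command.
    stale = keys_to_rotate(SAMPLE_KEY_LIST, 90, parse_created_at("2024-06-01T00:00:00Z"))
    print("\n".join(delete_commands(stale)))
```

Run it after creating the replacement key, review the printed commands, and only then execute them; with keep_newest=1 the freshly created key is the one that survives, so the ordering of the two steps matters.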
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and delete the section with the authorized key description.
  Example authorized key description in the Terraform configuration:
  resource "yandex_iam_service_account_key" "sa-auth-key" {
    service_account_id = "<service_account_ID>"
    description        = "<key_description>"
    key_algorithm      = "<key_generation_algorithm>"
    pgp_key            = "<PGP_key>"
    output_to_lockbox {
      secret_id             = "<Lockbox_secret_ID>"
      entry_for_private_key = "<secret_key>"
    }
  }
  For more information about the resources you can create with Terraform, see the relevant provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If you described the configuration correctly, the terminal will display the planned changes, here the authorized key resource to be destroyed. If the configuration contains any errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
    This will delete the authorized key, along with applying any other changes described in the configuration, in the specified folder. You can make sure the key was deleted using the management console and this CLI command:
    yc iam key list --service-account-id <service_account_ID>
API
Use the delete REST API method for the Key resource or the KeyService/Delete gRPC API call.