Contact UsGet started

Managing authorized keys

Written by
Updated at April 14, 2025

An authorized key is a key with an unlimited TTL, used to obtain a service account IAM token: the private part of the authorized key is used to generate a JSON Web Token (JWT), which is then exchanged for an IAM token.

Authorized keys are created for service accounts. If you do not have a service account yet, create one and assign roles to it.

Creating an authorized key

To create a service account authorized key:

  1. In the management console, select the folder the service account belongs to.
  2. From the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. In the list that opens, select the service account to create an authorized key for.
  5. In the top panel, click Create new key and select Create authorized key.
  6. Select the encryption algorithm; if required, specify the key description and click Create. In the window that opens:

    1. Copy and save both the public and private parts of the key in a secure location. The private part of the key is not stored in Yandex Cloud and you will not be able to get it again. You will not be able to view the public part of the key in the management console.

      You can also download your keys in a single JSON file. To do this, click Download file with keys.

    2. Click Close.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.

  1. View the description of the command for creating an authorized key:

    yc iam key create --help

  2. Select a service account, e.g., my-robot:

    yc iam service-account list

    Result:

    +----------------------+------------------+-------------------------------+
|          ID          |       NAME       |          DESCRIPTION          |
+----------------------+------------------+-------------------------------+
| aje6o61dvog2******** | my-robot         |                               |
| aje9sda1ufvq******** | account_name     | account_description           |
+----------------------+------------------+-------------------------------+

  3. Create an authorized key for the my-robot service account:

    yc iam key create \
  --service-account-name my-robot \
  -o my-robot-key.json

    If successful, the created authorized key will be saved to the my-robot-key.json file.

    Key file example:

    {
   "id": "lfkoe35hsk58********",
   "service_account_id": "ajepg0mjt06s********",
   "created_at": "2019-03-20T10:04:56Z",
   "key_algorithm": "RSA_2048",
   "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
   "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

    Copy both the public and private parts of the key (public_key and private_key values) and save them in a secure location. The private part of the key is not stored in Yandex Cloud and you will not be able to get it again.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the configuration file, define the parameters of the resources you want to create:

    resource "yandex_iam_service_account_key" "sa-auth-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  key_algorithm      = "<key_generation_algorithm>"
  pgp_key            = "<PGP_key>"
  output_to_lockbox  {
    secret_id             = "<Lockbox_secret_ID>"
    entry_for_private_key = "<secret_key>"
  }
}

    Where:

    • service_account_id: Service account ID. This is a required parameter.
    • description: Key description. This is an optional parameter.
    • key_algorithm: Key generation algorithm. This is an optional parameter. The default algorithm is RSA_2048. For more information about the acceptable parameter values, see the API documentation.
    • pgp_key: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format.
    • output_to_lockbox: Description of the Yandex Lockbox secret to save the secret key value in to prevent its possible leakage through the terraform.tfstate file. This is an optional parameter. Nested parameters:
      • secret_id: ID of the Yandex Lockbox secret to save the private part of the authorized key value to. The secret must be custom.
      • entry_for_secret_key: Secret key to assign to the private part of the authorized key value you are saving.

    To learn more about the resources you can create with Terraform, see the Terraform documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console and this CLI command:

    yc iam key list --service-account-id <service_account_ID>

Use the create REST API method for the Key resource or the KeyService/Create gRPC API call.

Request example with cURL for the create REST API method:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{"serviceAccountId": "<service_account_ID>"}' \
  https://iam.api.cloud.yandex.net/iam/v1/keys

Where:

  • <IAM_token>: IAM token of the user with permissions to create keys for the specified service account.
  • <service_account_id>: ID of the service account the keys are created for.

If successful, the server response will include both the public (publicKey) and private (privateKey) parts of the authorized key. Save this data. You will not be able to get the private key value again.

Sample server response:

{
    "key": {
        "createdAt": "2018-10-30T15:55:00+00:00",
        "description": "",
        "id": "lfkoe35hsk58********",
        "keyAlgorithm": "RSA_2048",
        "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
        "serviceAccountId": "ajepg0mjt06s********"
    },
    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

Deleting an authorized key

To delete a service account authorized key:

  1. In the management console, select the folder the service account belongs to.
  2. From the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts and select the required service account.
  4. Under Authorized keys, click in the row with the key to delete, and select Delete.
  5. In the window that opens, confirm the deletion.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.

  1. Get a list of authorized keys for a service account by entering its name:

    yc iam key list \
  --service-account-name <service_account_name>

    Result:

    +----------------------+-------------------------------------+-----------+---------------------+
|          ID          |               SUBJECT               | ALGORITHM |     CREATED AT      |
+----------------------+-------------------------------------+-----------+---------------------+
| ajeave7oktut******** | serviceAccount:ajeedllrkjma******** | RSA_2048  | 2022-03-13 20:14:22 |
| ajeb794igb80******** | serviceAccount:ajeedllrkjma******** | RSA_2048  | 2022-03-13 20:06:13 |
+----------------------+-------------------------------------+-----------+---------------------+

  2. Delete the authorized key by specifying its ID:

    yc iam key delete <key_ID>

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and delete the section with the authorized key description.

    Example authorized key description in the Terraform configuration:

    resource "yandex_iam_service_account_key" "sa-auth-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  key_algorithm      = "<key_generation_algorithm>"
  pgp_key            = "<PGP_key>"
  output_to_lockbox  {
    secret_id             = "<Lockbox_secret_ID>"
    entry_for_private_key = "<secret_key>"
  }
}

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating and deleting the resources by typing yes in the terminal and clicking Enter.

    This will create or delete all resources you need in the specified folder. You can check the new resources and their settings or make sure the resources were deleted using the management console and this CLI command:

    yc iam key list --service-account-id <service_account_ID>

Use the delete REST API method for the Key resource or the KeyService/Delete gRPC API call.

See also

Previous
Managing API keys
Next
Creating a temporary access key using Security Token Service