Creating authorized keys
To create an authorized key:
- In the management console
, select the folder the service account belongs to. - In the list of services, select Identity and Access Management.
- In the left-hand panel, select
Service accounts. - In the list that opens, select the service account to create an authorized key for.
- Click Create new key in the top panel.
- Select Create authorized key.
- Select the encryption algorithm.
- Specify the key description and click Create.
- In the window that opens:
- Copy your public and private keys and save them securely. The private key is not saved in Yandex Cloud, and the public key is not shown in the management console.
- Click Close.
You can also download your keys in a single JSON file. To do this, click Download file with keys.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Create an authorized key for the my-robot
service account:
yc iam key create --service-account-name my-robot -o my-robot-key.json
If successful, a private key (privateKey
) and a public key ID (id
) will be written to the my-robot-key.json
file.
Key file example:
{
"id": "lfkoe35hsk58********",
"service_account_id": "ajepg0mjt06s********",
"created_at": "2019-03-20T10:04:56Z",
"key_algorithm": "RSA_2048",
"public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
service_account_id
: Service account ID. This is a required parameter.description
: Key description. This is an optional parameter.key_algorithm
: Key generation algorithm. This is an optional parameter. The default algorithm isRSA_2048
. For more information about the acceptable parameter values, see the API documentation.pgp_key
: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or inkeybase:keybaseusername
format.
Here is an example of the configuration file structure:
resource "yandex_iam_service_account_key" "sa-auth-key" { service_account_id = "<service_account_ID>" description = "<key_description>" key_algorithm = "<key_generation_algorithm>" pgp_key = "<PGP_key>" }
For more information about the resources you can create with Terraform, see the provider documentation
. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console
and this CLI command:yc iam key list --service-account-id <service_account_ID>
-
To create an access key, use the create REST API method for the Key resource or the KeyService/Create gRPC API call.
Example of request using cURL for the create
REST API method:
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{"serviceAccountId": "<service_account_ID>"}' \
https://iam.api.cloud.yandex.net/iam/v1/keys
Where:
<IAM_token>
: IAM token of the user with permissions to create keys for the specified service account.<service_account_id>
:ID
of the service account for which the keys are created.
If successful, the server response will contain the private key (privateKey
) and public key ID (id
). Save this data. You will not be able to get the key value again.
Sample server response:
{
"key": {
"createdAt": "2018-10-30T15:55:00+00:00",
"description": "",
"id": "lfkoe35hsk58********",
"keyAlgorithm": "RSA_2048",
"publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"serviceAccountId": "ajepg0mjt06s********"
},
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}