Creating authorized keys

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

Create an authorized key for the my-robot service account:

yc iam key create --service-account-name my-robot -o my-robot-key.json

If successful, a private key (privateKey) and a public key ID (id) will be written to the my-robot-key.json file.

Key file example:

{
   "id": "lfkoe35hsk58********",
   "service_account_id": "ajepg0mjt06s********",
   "created_at": "2019-03-20T10:04:56Z",
   "key_algorithm": "RSA_2048",
   "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
   "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

If you don't have Terraform, install it and configure the Yandex Cloud provider.

1. In the configuration file, describe the parameters of the resources you want to create:

   • service_account_id: Service account ID. This is a required parameter.
   • description: Key description. This is an optional parameter.
   • key_algorithm: Key generation algorithm. This is an optional parameter. The default algorithm is RSA_2048. For more information about the acceptable parameter values, see the API documentation.
   • pgp_key: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in keybase:keybaseusername format.

   Here is an example of the configuration file structure:

   resource "yandex_iam_service_account_key" "sa-auth-key" {
     service_account_id = "<service_account_ID>"
     description        = "<key_description>"
     key_algorithm      = "<key_generation_algorithm>"
     pgp_key            = "<PGP_key>"
   }
   

   For more information about the resources you can create with Terraform, see the provider documentation.

2. Make sure the configuration files are correct.

   1. In the command line, go to the folder where you created the configuration file.

   2. Run a check using this command:

      terraform plan
      

   If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

3. Deploy cloud resources.

   1. If the configuration does not contain any errors, run this command:

      terraform apply
      

   2. Confirm creating the resources: type yes in the terminal and press Enter.

   All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console and this CLI command:

   yc iam key list --service-account-id <service_account_ID>
   

To create an access key, use the create REST API method for the Key resource or the KeyService/Create gRPC API call.

Example of request using cURL for the create REST API method:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{"serviceAccountId": "<service_account_ID>"}' \
  https://iam.api.cloud.yandex.net/iam/v1/keys

Where:

• <IAM_token>: IAM token of the user with permissions to create keys for the specified service account.
• <service_account_id>: ID of the service account for which the keys are created.

If successful, the server response will contain the private key (privateKey) and public key ID (id). Save this data. You will not be able to get the key value again.

Sample server response:

{
    "key": {
        "createdAt": "2018-10-30T15:55:00+00:00",
        "description": "",
        "id": "lfkoe35hsk58********",
        "keyAlgorithm": "RSA_2048",
        "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
        "serviceAccountId": "ajepg0mjt06s********"
    },
    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}