Creating a service account
Create a service account to manage resources under a different account.
You must have the iam.serviceAccounts.admin role or higher for the folder to create a service account.
Note
A service account is created inside a folder. Once a service account has been created, you cannot change the folder.
You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Create a service account
Management console
- Go to the management console.
- On the left side of the screen, click the line with the name of the folder where you want to create a service account.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account. The name format requirements are as follows:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Make sure the service account name is unique within your cloud.
- Click Create.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- Check the description of the command for creating a service account:
  yc iam service-account create --help
- Create a service account named my-robot:
  yc iam service-account create --name my-robot
  The name should match the following format:
  - It must be 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, define the parameters of the resources you want to create:
  resource "yandex_iam_service_account" "sa" {
    name        = "<service_account_name>"
    description = "<service_account_description>"
    folder_id   = "<folder_ID>"
  }
  Where:
  - name: Service account name. This is a required parameter.
  - description: Service account description. This is an optional parameter.
  - folder_id: Folder ID. This is an optional parameter. By default, the value specified in the provider settings is used.
  For more information about the yandex_iam_service_account resource parameters in Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
    terraform plan
  If the configuration is specified correctly, the terminal will display information about the service account. If there are errors in the configuration, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the service account: type yes in the terminal and press Enter.
  The service account will then be created. You can check the new service account using the management console or this CLI command:
  yc iam service-account list
API
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
Examples
Add a description when creating a service account
Create a service account with the following name and description:
CLI:
yc iam service-account create --name my-robot \
  --description "this is my favorite service account"
Terraform:
resource "yandex_iam_service_account" "sa" {
  name        = "my-robot"
  description = "this is my favorite service account"
}
API:
curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
    "folderId": "b1gvmob95yys********",
    "name": "my-robot",
    "description": "this is my favorite service account"
  }' \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts
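The name rules listed under the console and CLI steps, and the JSON body used by the REST call above, can both be checked locally before anything is sent to the API. The following POSIX shell script is an added example; it is not part of the Yandex Cloud documentation and not code from the yc tool. sa_name_valid applies the stated name format rules, sa_create_cmd prints the yc command it would run for a validated name, and sa_create_json builds the body for the serviceAccounts POST with quotes and backslashes in the description escaped. The function names, the YC_FOLDER_ID variable and the folder ID value in the demo are assumptions; the IAM token is never placed in the script.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): validate a service account
# name against the documented format before any create call, and build the
# CLI command / REST body from the validated inputs.

# Returns 0 when NAME is 2 to 63 characters, uses only lowercase Latin
# letters, digits and hyphens, starts with a letter and does not end with a
# hyphen; returns 1 otherwise (an empty name also fails).
sa_name_valid() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{0,61}[a-z0-9]$'
}

# Prints the yc command that would create the account, or fails with a
# message on stderr when the name is invalid. Nothing is executed here.
sa_create_cmd() {
  name="$1"; desc="$2"
  sa_name_valid "$name" || { echo "invalid service account name: $name" >&2; return 1; }
  printf 'yc iam service-account create --name %s --description "%s"\n' "$name" "$desc"
}

# Prints the JSON body for POST /iam/v1/serviceAccounts. The folder ID is
# taken from the third argument, then from YC_FOLDER_ID (assumed variable
# name), so no IDs are hard-coded. Double quotes and backslashes in the
# description are escaped so the body stays valid JSON.
sa_create_json() {
  name="$1"; desc="$2"; folder="${3:-${YC_FOLDER_ID:-<folder_ID>}}"
  sa_name_valid "$name" || return 1
  esc=$(printf '%s' "$desc" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"folderId":"%s","name":"%s","description":"%s"}' "$folder" "$name" "$esc"
}

# Demo when run as: sh script.sh --demo (folder ID below is a constructed
# placeholder, not a real Yandex Cloud ID).
if [ "${1:-}" = "--demo" ]; then
  sa_create_cmd my-robot "this is my favorite service account"
  sa_create_json my-robot "this is my favorite service account" b1gexamplefolder
  echo
fi
```

The token for the real request belongs in the Authorization header supplied at call time (for example from an environment variable), not in the script or the JSON body, and the account that runs it needs only the iam.serviceAccounts.admin role on the target folder.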