Getting started with service accounts

In IAM, you can create service accounts. These are auxiliary accounts that your programs can use to perform operations in Yandex Cloud. Service accounts are free of charge and enable flexible access management for your programs. For more information, see Service accounts.

This guide is intended for cloud owners and users with the administrator role for a cloud or folder. Users with the editor role can also create service accounts, but they cannot assign roles, so they cannot allow a service account to perform operations in Yandex Cloud.

Checking for required roles is described in Getting started.

You will learn how to:

• Create service accounts and assign roles to them.
• Run operations in the CLI.
• Delete service accounts.

Getting startedGetting started

1. Go to the management console. If not signed up yet, navigate to the management console and follow the instructions.

2. Make sure that you have the required roles:

   1. In the management console, select the appropriate cloud from the list on the left, e.g.:

      

   2. Go to the Access bindings tab.

   3. Specify your account in the search bar.

   4. Check that your account has the following roles:

      • Organization owner (organization-manager.organizations.owner) or administrator (organization-manager.admin)
      • Cloud owner (resource-manager.clouds.owner) or administrator (admin)

3. On the Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account yet, create one.

Create a service accountCreate a service account

To create a service account and assign roles to it:

1. Go to the management console.

2. On the left side of the screen, click the line with the name of the folder where you want to create a service account.

3. In the list of services, select Identity and Access Management.

4. Click Create service account.

5. Enter a name for the service account.

   The name format requirements are as follows:

   • The name must be from 3 to 63 characters long.
   • It may contain lowercase Latin letters, numbers, and hyphens.
   • The first character must be a letter and the last character cannot be a hyphen.

   Make sure the service account name is unique within your cloud.

6. To assign the service account a role for the current folder, click Add role and select a role, e.g., editor.

   To assign a role for another resource, use the CLI or API following this Assigning roles to a service account guide.

7. Click Create.

Configure the CLI to work under a service accountConfigure the CLI to work under a service account

You can perform operations under a service account via the Yandex Cloud CLI, API, and other tools that support service account based authentication.

Configure the CLI to work on behalf of a service account:

1. If you do not have the Yandex Cloud command line interface yet, install and initialize it.

2. The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

3. Get a list of available service accounts in the default folder:

   yc iam service-accounts list
   

   Result:

   +----------------------+----------+--------+
   |          ID          |   NAME   | LABELS |
   +----------------------+----------+--------+
   | ajeb9l33h6mu******** | my-robot |        |
   +----------------------+----------+--------+
   

4. Create an authorized key for your service account and save it to the file:

   yc iam key create --output <key_file_path> --service-account-name <service_account_name>
   

   Where:

   • --output: Path to the file for saving the authorized key in JSON format. This is a required parameter.
   • --service-account-name: Service account name.

   For example:

   yc iam key create --output key.json --service-account-name my-service-account
   

   Result:

   id: aje4lue48687********
   service_account_id: ajeb9l33h6m********
   created_at: "2024-08-01T11:58:52.313177213Z"
   key_algorithm: RSA_2048
   

   For more information about the yc iam key create command, see the CLI reference.

5. Create a profile to execute operations on behalf of the service account:

   yc config profile create <profile_name>
   

6. Specify the authorized key of the service account in the profile configuration:

   yc config set service-account-key <key_file_path>
   

Now you can perform operations on behalf of a service account, such as viewing the list of folders available to this account:

yc resource-manager folder list

Delete the service accountDelete the service account

If you no longer need the service account, delete it:

1. In the management console, navigate to the folder the service account belongs to.
2. In the list of services, select Identity and Access Management.
3. In the left-hand panel, select Service accounts.
4. In the row with the service account you need, click and select Delete.
5. In the window that opens, click Delete.

What's nextWhat's next

• The step-by-step guides will help you perform specific tasks in Identity and Access Management.
• Read more about service accounts in the concepts section.
• See the best practices for using service accounts securely.