Getting started with service accounts
In IAM, you can create service accounts. These are auxiliary accounts that your programs can use to perform operations in Yandex Cloud. Service accounts are free of charge and enable flexible access management for your programs. For more information, see Service accounts.
This guide is intended for cloud owners and users with the administrator role for a cloud or folder. Users with the editor role can also create service accounts, but they cannot assign roles, so they cannot allow a service account to perform operations in Yandex Cloud.
Checking for required roles is described in Getting started.
You will learn how to:
- Create service accounts and assign roles to them.
- Run operations in the CLI.
- Delete service accounts.
Getting started
- Go to the management console. If you are not signed up yet, navigate to the management console and follow the instructions.
- Make sure that you have the required roles:
  - In the management console, select the appropriate cloud from the list on the left.
  - Go to the Access bindings tab.
  - Specify your account in the search bar.
  - Check that your account has the following roles:
    - Organization owner (organization-manager.organizations.owner) or administrator (organization-manager.admin)
    - Cloud owner (resource-manager.clouds.owner) or administrator (admin)
- On the Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account yet, create one.
Create a service account
To create a service account and assign roles to it:
- Go to the management console.
- On the left side of the screen, click the line with the name of the folder where you want to create a service account.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account.
  The name format requirements are as follows:
  - The name must be from 3 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter and the last character cannot be a hyphen.
  Make sure the service account name is unique within your cloud.
- To assign the service account a role for the current folder, click Add role and select a role, e.g., editor. To assign a role for another resource, use the CLI or API following the Assigning roles to a service account guide.
- Click Create.
Configure the CLI to work under a service account
You can perform operations under a service account via the Yandex Cloud CLI, API, and other tools that support service-account-based authentication.
Configure the CLI to work on behalf of a service account:
- If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Get a list of available service accounts in the default folder:
  yc iam service-accounts list
  Result:
  +----------------------+----------+--------+
  | ID                   | NAME     | LABELS |
  +----------------------+----------+--------+
  | ajeb9l33h6mu******** | my-robot |        |
  +----------------------+----------+--------+
- Create an authorized key for your service account and save it to a file:
  yc iam key create --output <key_file_path> --service-account-name <service_account_name>
  Where:
  - --output: Path to the file for saving the authorized key in JSON format. This is a required parameter.
  - --service-account-name: Service account name.
  For example:
  yc iam key create --output key.json --service-account-name my-service-account
  Result:
  id: aje4lue48687********
  service_account_id: ajeb9l33h6m********
  created_at: "2024-08-01T11:58:52.313177213Z"
  key_algorithm: RSA_2048
  For more information about the yc iam key create command, see the CLI reference.
- Create a profile to execute operations on behalf of the service account:
  yc config profile create <profile_name>
- Specify the authorized key of the service account in the profile configuration:
  yc config set service-account-key <key_file_path>
Now you can perform operations on behalf of the service account, such as viewing the list of folders available to this account:
yc resource-manager folder list
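As an added example that is not part of the Yandex Cloud documentation, the script below checks a name against the rules given in Create a service account and then runs the commands of this section in order. It assumes the yc CLI is installed and initialized; the key file path and profile name are placeholder defaults chosen here.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud docs. Assumes the yc CLI is
# installed and initialized; KEY_FILE and PROFILE defaults are placeholders.
LC_ALL=C
export LC_ALL

# Returns 0 when NAME satisfies the documented rules: 3 to 63 characters,
# lowercase Latin letters, digits and hyphens only, first character a letter,
# last character not a hyphen.
validate_sa_name() {
  name="$1"
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9-]*) return 1 ;;   # forbidden character
    [!a-z]*)      return 1 ;;   # must start with a letter
    *-)           return 1 ;;   # must not end with a hyphen
  esac
  return 0
}

# Runs this section's steps for SA_NAME: list accounts, create an authorized
# key, create a CLI profile, bind the key to it, and verify access.
setup_sa_profile() {
  sa_name="$1"
  key_file="${2:-key.json}"            # assumed default path
  profile="${3:-${sa_name}-profile}"   # assumed default profile name
  validate_sa_name "$sa_name" || { echo "invalid service account name: $sa_name" >&2; return 1; }
  command -v yc >/dev/null 2>&1 || { echo "yc CLI not found" >&2; return 1; }
  yc iam service-accounts list
  yc iam key create --output "$key_file" --service-account-name "$sa_name"
  chmod 600 "$key_file"   # the key file is a long-lived credential; restrict it to the owner
  yc config profile create "$profile"
  yc config set service-account-key "$key_file"
  yc resource-manager folder list   # now runs on behalf of the service account
}
```

Run it as `setup_sa_profile my-service-account key.json my-sa-profile` from a shell where the script has been sourced.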
Delete the service account
If you no longer need the service account, delete it:
- In the management console, navigate to the folder the service account belongs to.
- In the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts.
- In the row with the service account you need, click the icon and select Delete.
- In the window that opens, click Delete.
What's next
- The step-by-step guides will help you perform specific tasks in Identity and Access Management.
- Read more about service accounts in the concepts section.
- See the best practices for using service accounts securely.