Integration with Yandex Cloud services
You can use Yandex Lockbox secrets in the following Yandex Cloud services:
- Yandex Cloud Functions.
- Yandex Connection Manager.
- Yandex Managed Service for Kubernetes.
- Yandex Serverless Containers.
Yandex Cloud Functions
If a Cloud Functions function requires sensitive data to operate, e.g., database passwords, static access keys, or an OAuth token, use Yandex Lockbox secrets to transfer such data to the function. This will prevent unauthorized third-party access to sensitive data.
For a Cloud Functions function to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer
role for the relevant secret to the service account you will use to invoke the function.
Yandex Connection Manager
Connection Manager connections and Yandex Lockbox secrets are created automatically when you create a new managed database cluster in Yandex Cloud, if support for Connection Manager is configured at cloud level.
You cannot edit or delete any secret created automatically together with a new cluster: they are updated automatically when editing user settings in a managed database cluster. The names of such secrets match the IDs of the respective connections.
Yandex Managed Service for Kubernetes
By default, Kubernetes stores secrets in an open format. If your Yandex Managed Service for Kubernetes cluster uses secrets, set up syncing cluster secrets with Yandex Lockbox secrets using External Secrets Operator
For External Secrets Operator to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer
role for the relevant secret to the service account created while installing External Secrets Operator.
Yandex Serverless Containers
To prevent unauthorized access to API keys, tokens, database passwords, and other sensitive data used by Serverless Containers containers, store such data in Yandex Lockbox secrets.
For a Serverless Containers container to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer
role for the relevant secret to the service account you will use to run the container.