Integration with Yandex Cloud services

You can use Yandex Lockbox secrets in the following Yandex Cloud services:

• Yandex Cloud Functions.
• Yandex Connection Manager.
• Yandex Managed Service for Kubernetes.
• Yandex Serverless Containers.

Yandex Cloud FunctionsYandex Cloud Functions

If a Cloud Functions function requires sensitive data to operate, e.g., database passwords, static access keys, or an OAuth token, use Yandex Lockbox secrets to transfer such data to the function. This will prevent unauthorized third-party access to sensitive data.

For a Cloud Functions function to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer role for the relevant secret to the service account you will use to invoke the function.

Yandex Connection ManagerYandex Connection Manager

Connection Manager connections and Yandex Lockbox secrets are created automatically when you create a new managed database cluster in Yandex Cloud, if support for Connection Manager is configured at cloud level.

You cannot edit or delete any secret created automatically together with a new cluster: they are updated automatically when editing user settings in a managed database cluster. The names of such secrets match the IDs of the respective connections.

Yandex Managed Service for KubernetesYandex Managed Service for Kubernetes

By default, Kubernetes stores secrets in an open format. If your Yandex Managed Service for Kubernetes cluster uses secrets, set up syncing cluster secrets with Yandex Lockbox secrets using External Secrets Operator. This will prevent unauthorized third-party access to sensitive data.

For External Secrets Operator to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer role for the relevant secret to the service account created while installing External Secrets Operator.

Yandex Serverless ContainersYandex Serverless Containers

To prevent unauthorized access to API keys, tokens, database passwords, and other sensitive data used by Serverless Containers containers, store such data in Yandex Lockbox secrets.

For a Serverless Containers container to access the data stored in a Yandex Lockbox secret, assign the lockbox.payloadViewer role for the relevant secret to the service account you will use to run the container.

See alsoSee also

• Transmitting Yandex Lockbox secrets to a function
• Creating a Connection Manager connection
• Syncing with Yandex Lockbox secrets in Managed Service for Kubernetes
• Transmitting Yandex Lockbox secrets to a container
• Secure storage of GitLab CI passwords as Yandex Lockbox secrets

Use casesUse cases

• Syncing with Yandex Managed Service for Kubernetes secrets
• Building a CI/CD pipeline using serverless products
• Using a Yandex Lockbox secret to store a static access key via the CLI
• Creating an interactive serverless application using WebSocket
• Automatically copying objects from one Yandex Object Storage bucket to another
• Deploying a fault-tolerant architecture with preemptible VMs
• Secure password transmission to an initialization script
• Loading data from Yandex Direct to a Yandex Managed Service for ClickHouse® data mart using Yandex Cloud Functions, Yandex Object Storage, and Yandex Data Transfer