Using a Yandex Lockbox secret to store a static access key
If you are frequent user of services with an AWS-compatible API, such as Yandex Object Storage, Yandex Data Streams, or Yandex Message Queue, it is your responsibility to safely store your static access keys.
This guide describes the scenario where a Yandex Lockbox secret is used as the static access key storage. In this configuration, the access key value is neither stored locally on the user's computer, nor displayed on the screen.
When accessing a resource of an AWS-compatible service (Object Storage), the static access key and its ID will be extracted from the Yandex Lockbox secret into special environment variables, which will be used for request authentication.
This approach will ensure safe storage and use of your key when accessing the services.
To use the static access key saved in a Yandex Lockbox secret:
- Prepare the environment.
- Save the static access key to a Yandex Lockbox secret.
- Use the key from the Yandex Lockbox secret to work with the service.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
You will be charged for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
You will not be charged for the Object Storage bucket unless you keep your data in it (see Object Storage pricing).
Prepare the environment
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter. -
Install
the AWS CLI.There is no need to configure the utility: all the required parameters will come with the command and environment variables.
Save the static access key to the Yandex Lockbox secret
-
Create a service account, e.g.,
storage-bucket-sa
, you will use to perform operations in Object Storage:yc iam service-account create storage-bucket-sa
Result:
done (1s) id: ajeplujf759j******** folder_id: b1gt6g8ht345******** created_at: "2024-05-07T19:18:37.244159066Z" name: storage-bucket-sa
Save the ID (
id
) of the service account you created: you will need it to assign roles to the service account.For more information about the
yc iam service-account create
command, see the CLI reference. -
Assign the
storage.editor
role for the folder to the service account:yc resource-manager folder add-access-binding <folder_name_or_ID> \ --role storage.editor \ --subject serviceAccount:<service_account_ID>
Where:
<folder_name_or_ID>
: Name or ID of the folder where the service account was created.<service_account_ID>
: ID of the previously saved service account.
Result:
done (2s) effective_deltas: - action: ADD access_binding: role_id: storage.editor subject: id: ajeplujf759j******** type: serviceAccount
For more information about the
yc resource-manager folder add-access-binding
command, see the CLI reference. -
Similarly, assign the
lockbox.payloadViewer
role for the folder to the service account:yc resource-manager folder add-access-binding <folder_name_or_ID> \ --role lockbox.payloadViewer \ --subject serviceAccount:<service_account_ID>
-
Create a static access key for the service account. For the key value not to be shown on the screen, it will be saved to the
STATIC_KEY
variable:STATIC_KEY=$(yc iam access-key create --service-account-name storage-bucket-sa)
For more information about the
yc iam access-key create
command, see the CLI reference. -
Save the key ID and secret key values to the separate
KEY_ID
andKEY_VALUE
variables:KEY_ID=$(echo | awk '{if (match($0, "key_id: ")) {print substr($0, RSTART + 8, 25)}}' <<< "$STATIC_KEY") \ && KEY_VALUE=$(echo | awk '{if (match($0, "secret: ")) {print substr($0, RSTART + 8, 40)}}' <<< "$STATIC_KEY")
-
Create a Yandex Lockbox secret named
static-key
containing the new static access key:yc lockbox secret create \ --name static-key \ --payload "[{'key': $KEY_ID, 'text_value': $KEY_VALUE}]" \ --cloud-id <cloud_ID> \ --folder-id <folder_ID> \ --deletion-protection
Where:
--cloud-id
: ID of the cloud the service account was created in.--folder-id
: ID of the folder the service account was created in.--deletion-protection
: Secret deletion protection. You cannot delete a secret with this option enabled. This is an optional parameter.
Result:
done (1s) id: e6qk0c62b4ep******** folder_id: b1gt6g8ht345******** created_at: "2024-05-07T20:05:51.569Z" name: static-key status: ACTIVE current_version: id: e6qrsj2hi8ug******** secret_id: e6qk0c62b4ep******** created_at: "2024-05-07T20:05:51.569Z" status: ACTIVE payload_entry_keys: - YCAJEO4w80Zf5DERM******** deletion_protection: true
For more information about the
yc lockbox secret create
command, see the CLI reference.
The service account's static access key is now saved inside the Yandex Lockbox secret.
Use the key from the Yandex Lockbox secret to work with the service
-
Get the static access key saved in the
static-key
secret. For the key value not to be shown on the screen, it will be saved in theSECRET
variable:Yandex Cloud CLISECRET=$(yc lockbox payload get static-key)
For more information about the
yc lockbox payload get
command, see the CLI reference. -
Save the key ID, secret key, and placement region to the AWS CLI environment variables:
export AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \ && export AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \ && export AWS_DEFAULT_REGION="ru-central1"
The AWS CLI will use the environment variables you created for authentication when performing operations with the service's resources.
-
Create a bucket in Object Storage by specifying a unique bucket name in the command:
AWS CLIaws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>
Result:
make_bucket: my-first-bucket
A new bucket has been created in Yandex Object Storage. When performing this operation, authentication was performed using the static access key obtained from the Yandex Lockbox secret and saved to the environment variables.
You can also include the key ID, secret key, and placement region values directly in every AWS CLI command instead of creating environment variables:
AWS CLIAWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \ AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \ AWS_DEFAULT_REGION="ru-central1" \ aws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>
Result:
make_bucket: my-first-bucket
How to delete the resources you created
To stop using the resources you created: