Contact UsGet started

Using a Yandex Lockbox secret to store a static access key

Written by
Updated at July 5, 2024

If you are frequent user of services with an AWS-compatible API, such as Yandex Object Storage, Yandex Data Streams, or Yandex Message Queue, it is your responsibility to safely store your static access keys.

This guide describes the scenario where a Yandex Lockbox secret is used as the static access key storage. In this configuration, the access key value is neither stored locally on the user's computer, nor displayed on the screen.

When accessing a resource of an AWS-compatible service (Object Storage), the static access key and its ID will be extracted from the Yandex Lockbox secret into special environment variables, which will be used for request authentication.

This approach will ensure safe storage and use of your key when accessing the services.

To use the static access key saved in a Yandex Lockbox secret:

  1. Prepare the environment.
  2. Save the static access key to a Yandex Lockbox secret.
  3. Use the key from the Yandex Lockbox secret to work with the service.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

You will be charged for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).

You will not be charged for the Object Storage bucket unless you keep your data in it (see Object Storage pricing).

Prepare the environment

  1. If you do not have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  2. Install the AWS CLI.

    There is no need to configure the utility: all the required parameters will come with the command and environment variables.

Save the static access key to the Yandex Lockbox secret

  1. Create a service account, e.g., storage-bucket-sa, you will use to perform operations in Object Storage:

    yc iam service-account create storage-bucket-sa

    Result:

    done (1s)
id: ajeplujf759j********
folder_id: b1gt6g8ht345********
created_at: "2024-05-07T19:18:37.244159066Z"
name: storage-bucket-sa

    Save the ID (id) of the service account you created: you will need it to assign roles to the service account.

    For more information about the yc iam service-account create command, see the CLI reference.

  2. Assign the storage.editor role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role storage.editor \
  --subject serviceAccount:<service_account_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder where the service account was created.
    • <service_account_ID>: ID of the previously saved service account.

    Result:

    done (2s)
effective_deltas:
  - action: ADD
    access_binding:
      role_id: storage.editor
      subject:
        id: ajeplujf759j********
        type: serviceAccount

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

  3. Similarly, assign the lockbox.payloadViewer role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role lockbox.payloadViewer \
  --subject serviceAccount:<service_account_ID>

  4. Create a static access key for the service account. For the key value not to be shown on the screen, it will be saved to the STATIC_KEY variable:

    STATIC_KEY=$(yc iam access-key create --service-account-name storage-bucket-sa)

    For more information about the yc iam access-key create command, see the CLI reference.

  5. Save the key ID and secret key values to the separate KEY_ID and KEY_VALUE variables:

    KEY_ID=$(echo | awk '{if (match($0, "key_id: ")) {print substr($0, RSTART + 8, 25)}}' <<< "$STATIC_KEY") \
  && KEY_VALUE=$(echo | awk '{if (match($0, "secret: ")) {print substr($0, RSTART + 8, 40)}}' <<< "$STATIC_KEY")

  6. Create a Yandex Lockbox secret named static-key containing the new static access key:

    yc lockbox secret create \
  --name static-key \
  --payload "[{'key': $KEY_ID, 'text_value': $KEY_VALUE}]" \
  --cloud-id <cloud_ID> \
  --folder-id <folder_ID> \
  --deletion-protection

    Where:

    • --cloud-id: ID of the cloud the service account was created in.
    • --folder-id: ID of the folder the service account was created in.
    • --deletion-protection: Secret deletion protection. You cannot delete a secret with this option enabled. This is an optional parameter.

    Result:

    done (1s)
id: e6qk0c62b4ep********
folder_id: b1gt6g8ht345********
created_at: "2024-05-07T20:05:51.569Z"
name: static-key
status: ACTIVE
current_version:
  id: e6qrsj2hi8ug********
  secret_id: e6qk0c62b4ep********
  created_at: "2024-05-07T20:05:51.569Z"
  status: ACTIVE
  payload_entry_keys:
    - YCAJEO4w80Zf5DERM********
deletion_protection: true

    For more information about the yc lockbox secret create command, see the CLI reference.

The service account's static access key is now saved inside the Yandex Lockbox secret.

Use the key from the Yandex Lockbox secret to work with the service

  1. Get the static access key saved in the static-key secret. For the key value not to be shown on the screen, it will be saved in the SECRET variable:

    SECRET=$(yc lockbox payload get static-key)

    For more information about the yc lockbox payload get command, see the CLI reference.

  2. Save the key ID, secret key, and placement region to the AWS CLI environment variables:

    export AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
  && export AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
  && export AWS_DEFAULT_REGION="ru-central1"

    The AWS CLI will use the environment variables you created for authentication when performing operations with the service's resources.

  3. Create a bucket in Object Storage by specifying a unique bucket name in the command:

    aws --endpoint-url=https://storage.yandexcloud.net \
  s3 mb s3://<bucket_name>

    Result:

    make_bucket: my-first-bucket

    A new bucket has been created in Yandex Object Storage. When performing this operation, authentication was performed using the static access key obtained from the Yandex Lockbox secret and saved to the environment variables.

    You can also include the key ID, secret key, and placement region values directly in every AWS CLI command instead of creating environment variables:

    AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
  AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
  AWS_DEFAULT_REGION="ru-central1" \
  aws --endpoint-url=https://storage.yandexcloud.net \
  s3 mb s3://<bucket_name>

    Result:

    make_bucket: my-first-bucket

How to delete the resources you created

To stop using the resources you created:

  1. Delete the secret.
  2. Delete the bucket.
Previous
Secure storage of GitLab CI passwords as Yandex Lockbox secrets
Next
Loading data from Yandex Direct to a Yandex Managed Service for ClickHouse® data mart using Yandex Cloud Functions, Yandex Object Storage, and Yandex Data Transfer