Using a Yandex Lockbox secret to store a static access key using Terraform
To use a static access key saved in a Yandex Lockbox secret using Terraform:
- Prepare the environment.
- Create an infrastructure.
- Use the key from the Yandex Lockbox secret to work with the service.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
- Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See Object Storage pricing.
Prepare the environment
Install the AWS CLI.
You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.
Create an infrastructure
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the documentation on the Terraform website or mirror website.
To create an infrastructure using Terraform:
-
Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, Step 1).
-
Prepare the infrastructure description file:
Ready-made configurationManually-
Clone the repository with configuration files.
git clone https://github.com/yandex-cloud-examples/yc-static-keys-in-lockbox -
Navigate to the repository directory. It should now contain the
static-key-in-lockbox-config.tffile with the new infrastructure configuration.
-
Create a folder for configuration files.
-
Create a configuration file named
static-key-in-lockbox-config.tfin the folder:static-key-in-lockbox-config.tf
# Declaring user-defined variables locals { zone = "<availability_zone>" folder_id = "<folder_ID>" } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" version = ">= 0.47.0" } } } # Configuring a provider provider "yandex" { zone = local.zone } # Creating a service account and assigning roles resource "yandex_iam_service_account" "sa" { folder_id = local.folder_id name = "storage-bucket-sa" } resource "yandex_resourcemanager_folder_iam_member" "sa-admin" { folder_id = local.folder_id role = "storage.admin" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } resource "yandex_resourcemanager_folder_iam_member" "lockboxview" { folder_id = local.folder_id role = "lockbox.payloadViewer" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } # Creating a secret resource "yandex_lockbox_secret" "my_secret" { name = "static-key" folder_id = local.folder_id deletion_protection = true } # Creating a static access key resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.sa.id description = "static access key for object storage" output_to_lockbox { secret_id = yandex_lockbox_secret.my_secret.id entry_for_access_key = "key_id" entry_for_secret_key = "key" } } # Data source of the secret version data "yandex_lockbox_secret_version" "my_secret_version" { secret_id = yandex_lockbox_secret.my_secret.id version_id = yandex_iam_service_account_static_access_key.sa-static-key.output_to_lockbox_version_id depends_on = [ yandex_lockbox_secret.my_secret ] } # Output variables output "key_id" { value = data.yandex_lockbox_secret_version.my_secret_version.entries[1].text_value } output "key" { value = data.yandex_lockbox_secret_version.my_secret_version.entries[0].text_value }
For more information about the properties of Terraform resources, see the provider documentation:
-
-
In the
static-key-in-lockbox-config.tffile, set the following user-defined properties:zone_id: Availability zone.folder_id: Folder ID.
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-
Once the infrastructure is created, use the key from the secret to work with the service.
Use the key from the Yandex Lockbox secret to work with the service
The example below is intended to be run in MacOS and Linux. To run it in Windows, see how to work with Bash in Microsoft Windows.
Use the key from the Yandex Lockbox secret and create a bucket in Object Storage:
-
Save the key ID, secret key, and placement region to the AWS CLI environment variables:
AWS_ACCESS_KEY_ID=$(terraform output key_id) AWS_SECRET_ACCESS_KEY=$(terraform output key) AWS_DEFAULT_REGION="ru-central1"The AWS CLI will use the environment variables you created for authentication when performing operations with the service's resources.
-
Create a bucket in Object Storage by specifying a unique bucket name in the command:
AWS CLIaws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>Result:
make_bucket: my-first-bucketThis will create a new bucket in Object Storage. When creating a bucket, a static access key is used obtained from the Yandex Lockbox secret and saved in environment variables.
You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:
AWS CLIAWS_ACCESS_KEY_ID=$(terraform output key_id) \ AWS_SECRET_ACCESS_KEY=$(terraform output key) \ AWS_DEFAULT_REGION="ru-central1" \ aws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>Result:
make_bucket: my-first-bucket
How to delete the resources you created
To stop paying for the resources you created:
-
Delete the bucket.
-
Open the
static-key-in-lockbox-config.tfconfiguration file and delete your infrastructure description. -
Apply the changes:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-