Using a Yandex Lockbox secret to store a static access key via the CLI
To use a static access key saved in a Yandex Lockbox secret via the CLI:
- Prepare the environment.
- Save the static access key to a Yandex Lockbox secret.
- Use the key from the Yandex Lockbox secret to work with the service.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support costs include:
- Fee for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
- Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See Object Storage pricing.
Prepare the environment
- If you do not have the Yandex Cloud CLI yet, install and initialize it. The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- Install the AWS CLI. You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.
Save the static access key to the Yandex Lockbox secret
- Create a service account, e.g., storage-bucket-sa, that you will use to perform operations in Object Storage:

    yc iam service-account create storage-bucket-sa

  Result:

    done (1s)
    id: ajeplujf759j********
    folder_id: b1gt6g8ht345********
    created_at: "2024-05-07T19:18:37.244159066Z"
    name: storage-bucket-sa

  Save the ID (id) of the service account you created: you will need it to assign roles to the service account.

  For more information about the yc iam service-account create command, see the CLI reference.

- Assign the storage.editor role for a folder to the service account you created:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
      --role storage.editor \
      --subject serviceAccount:<service_account_ID>

  Where:
  - <folder_name_or_ID>: Name or ID of the folder where the service account was created.
  - <service_account_ID>: Service account ID you saved in the previous step.

  Result:

    done (2s)
    effective_deltas:
    - action: ADD
      access_binding:
        role_id: storage.editor
        subject:
          id: ajeplujf759j********
          type: serviceAccount

  For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

- Similarly, assign the lockbox.payloadViewer role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
      --role lockbox.payloadViewer \
      --subject serviceAccount:<service_account_ID>

- Create a static access key for the service account. To avoid displaying its value on the screen, the key will be saved to the STATIC_KEY variable:

    STATIC_KEY=$(yc iam access-key create --service-account-name storage-bucket-sa)

  For more information about the yc iam access-key create command, see the CLI reference.

- Save the key ID and secret key values to the separate KEY_ID and KEY_VALUE variables:

    KEY_ID=$(echo | awk '{if (match($0, "key_id: ")) {print substr($0, RSTART + 8, 25)}}' <<< "$STATIC_KEY") \
      && KEY_VALUE=$(echo | awk '{if (match($0, "secret: ")) {print substr($0, RSTART + 8, 40)}}' <<< "$STATIC_KEY")

- Create a Yandex Lockbox secret named static-key containing the new static access key:

    yc lockbox secret create \
      --name static-key \
      --payload "[{'key': $KEY_ID, 'text_value': $KEY_VALUE}]" \
      --cloud-id <cloud_ID> \
      --folder-id <folder_ID> \
      --deletion-protection

  Where:
  - --cloud-id: ID of the cloud the service account was created in.
  - --folder-id: ID of the folder the service account was created in.
  - --deletion-protection: Secret deletion protection. You cannot delete a secret with this option enabled. This is an optional parameter.

  Result:

    done (1s)
    id: e6qk0c62b4ep********
    folder_id: b1gt6g8ht345********
    created_at: "2024-05-07T20:05:51.569Z"
    name: static-key
    status: ACTIVE
    current_version:
      id: e6qrsj2hi8ug********
      secret_id: e6qk0c62b4ep********
      created_at: "2024-05-07T20:05:51.569Z"
      status: ACTIVE
      payload_entry_keys:
      - YCAJEO4w80Zf5DERM********
    deletion_protection: true

  For more information about the yc lockbox secret create command, see the CLI reference.
The service account's static access key is now saved inside the Yandex Lockbox secret.
Use the key from the Yandex Lockbox secret to work with the service
The example below is intended to be run on macOS and Linux. To run it on Windows, see how to work with Bash in Microsoft Windows.
- Get the static access key saved in the static-key secret. To avoid displaying its value on the screen, the key will be saved to the SECRET variable:

    SECRET=$(yc lockbox payload get static-key)

  For more information about the yc lockbox payload get command, see the CLI reference.

- Save the key ID, secret key, and placement region to the AWS CLI environment variables:

    export AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
      && export AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
      && export AWS_DEFAULT_REGION="ru-central1"

  The AWS CLI will use the environment variables you created for authentication when performing operations with the service's resources.
- Create a bucket in Object Storage by specifying a unique bucket name in the command:

    aws --endpoint-url=https://storage.yandexcloud.net \
      s3 mb s3://<bucket_name>

  Result:

    make_bucket: my-first-bucket

  This creates a new bucket in Object Storage. When creating the bucket, the AWS CLI authenticates with the static access key obtained from the Yandex Lockbox secret and saved in the environment variables.

  You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:

    AWS_ACCESS_KEY_ID=$(echo | awk '{if (match($0, "key: ")) {print substr($0, RSTART + 5, 25)}}' <<< "$SECRET") \
    AWS_SECRET_ACCESS_KEY=$(echo | awk '{if (match($0, "text_value: ")) {print substr($0, RSTART + 12, 40)}}' <<< "$SECRET") \
    AWS_DEFAULT_REGION="ru-central1" \
    aws --endpoint-url=https://storage.yandexcloud.net \
      s3 mb s3://<bucket_name>

  Result:

    make_bucket: my-first-bucket
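The awk one-liners used above, both when saving the key (key_id and secret from yc iam access-key create) and when loading it (key and text_value from yc lockbox payload get), cut the values out at fixed character offsets and fixed lengths (25 and 40). If the output layout or key length ever differs, they silently produce a truncated or empty value. The shell example below is added here and is not part of the Yandex Cloud documentation: it parses the same four fields by name, fails closed when a field is missing, and only ever prints a masked form of the secret. The two yc outputs it runs on are constructed samples with placeholder values; the exact layout of real yc output is an assumption, but the parser only depends on the field names the page's own commands match on.

```shell
#!/usr/bin/env bash
# Added example, not from the Yandex Cloud documentation: parse the fields the
# page extracts with awk (key_id/secret from `yc iam access-key create`,
# key/text_value from `yc lockbox payload get`) by field name instead of by
# fixed character offsets, and refuse to continue when a field is missing.
# The sample outputs below are constructed; all values are placeholders and the
# layout mirrors what yc prints (assumption).

SAMPLE_ACCESS_KEY_OUTPUT='access_key:
  id: ajeexampleaccesskey0
  service_account_id: ajeexampleserviceacc
  created_at: "2024-05-07T19:30:00.000000000Z"
  key_id: YCAJExampleKeyId0000000000
secret: YCNExampleSecretValue000000000000000000'

SAMPLE_PAYLOAD_OUTPUT='entries:
- key: YCAJExampleKeyId0000000000
  text_value: YCNExampleSecretValue000000000000000000
version_id: e6qexampleversionid0'

# yc_field NAME: read yc's YAML-style output on stdin and print the value of the
# first "NAME: value" line, whatever its indentation, list marker or length.
yc_field() {
  awk -v f="$1" '
    {
      sub(/^[[:space:]-]+/, "")          # strip indentation and "- " list marker
      if (index($0, f ": ") == 1) {      # exact field name at the start of the line
        v = substr($0, length(f) + 3)    # everything after "NAME: "
        gsub(/^"|"$/, "", v)             # drop surrounding quotes, if any
        print v
        exit
      }
    }'
}

# require_nonempty NAME VALUE: fail closed if a field was not found. Only the
# field name is reported, never the value, so a secret cannot leak into logs.
require_nonempty() {
  if [ -z "$2" ]; then
    echo "error: field '$1' not found in yc output" >&2
    return 1
  fi
}

# mask_secret VALUE: keep the first four characters for troubleshooting output.
mask_secret() {
  printf '%s****\n' "$(printf '%s' "$1" | cut -c1-4)"
}

# parse_static_key OUTPUT: print "<key_id> <secret>" parsed from the output of
# `yc iam access-key create` (the page's STATIC_KEY contents).
parse_static_key() {
  _kid=$(printf '%s\n' "$1" | yc_field key_id)
  _sec=$(printf '%s\n' "$1" | yc_field secret)
  require_nonempty key_id "$_kid" && require_nonempty secret "$_sec" || return 1
  printf '%s %s\n' "$_kid" "$_sec"
}

# load_aws_creds OUTPUT: export the AWS CLI variables from the output of
# `yc lockbox payload get` (the page's SECRET contents), mirroring the page's
# export step without fixed-width substr() calls.
load_aws_creds() {
  AWS_ACCESS_KEY_ID=$(printf '%s\n' "$1" | yc_field key)
  AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$1" | yc_field text_value)
  require_nonempty key "$AWS_ACCESS_KEY_ID" \
    && require_nonempty text_value "$AWS_SECRET_ACCESS_KEY" || return 1
  AWS_DEFAULT_REGION="ru-central1"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION
}

# Demonstration on the constructed samples: prints the key ID and a masked secret only.
if creds=$(parse_static_key "$SAMPLE_ACCESS_KEY_OUTPUT"); then
  echo "key_id: ${creds%% *}  secret: $(mask_secret "${creds#* }")"
fi
load_aws_creds "$SAMPLE_PAYLOAD_OUTPUT" \
  && echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID region=$AWS_DEFAULT_REGION"
```

In a real session you would pass "$STATIC_KEY" to parse_static_key and "$SECRET" to load_aws_creds instead of the sample strings; the functions read the same field names the page's awk calls match on, and because yc_field matches on the field name rather than a byte offset, a key of a different length or a changed indentation no longer yields a truncated credential.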
How to delete the resources you created
To stop using the resources you created: