Getting authentication credentials
To authenticate in Yandex Cloud and manage YDB databases using Terraform, you can use a service account, a Yandex account, or a federated account. To authenticate and work in Terraform with YDB, you will also need the Yandex Cloud CLI. If you do not have it yet, follow this guide to install it.
You can create and set up a service account by following these steps:
- In the management console, select the folder to create a service account in.
- In the Service accounts tab, click Create service account.
- Enter a name for the service account.
  - The name must be 3 to 63 characters long.
  - The name may contain lowercase Latin letters, numbers, and hyphens.
  - The first character of the name must be a letter, the last one cannot be a hyphen.
- Assign the service account the roles required to manage YDB resources: admin and ydb.admin.
- Click Create.
Go to Service account and create an authorized key for Terraform authentication in Yandex Cloud:
- Click Create new key and select Create authorized key.
- Enter the Key description (optional) and click Create.
- Click Download key file to download the key file locally.
The final step in the authentication setup is to create a dedicated profile for connecting to Yandex Cloud on the local machine using the yc CLI.
Run the following commands:
- Create a yc profile to run operations under the service account. Specify the profile name:
  yc config profile create <profile_name>
  The terminal will display the following message:
  Profile '<profile_name>' created and activated.
- Configure the profile with the following commands:
  yc config set service-account-key <uploaded_key>
  yc config set cloud-id <cloud_ID>
  yc config set folder-id <folder_ID>
  Where:
  - service-account-key: JSON file containing the authorized key of the service account.
  - cloud-id: Cloud ID.
  - folder-id: Folder ID.
Add the credentials to the environment variables:
Bash:
export YC_TOKEN=$(yc iam create-token)
export YC_CLOUD_ID=$(yc config get cloud-id)
export YC_FOLDER_ID=$(yc config get folder-id)
PowerShell:
$Env:YC_TOKEN=$(yc iam create-token)
$Env:YC_CLOUD_ID=$(yc config get cloud-id)
$Env:YC_FOLDER_ID=$(yc config get folder-id)
Terraform will use the defined environment variables for authentication, so keep in mind that the IAM token lifetime cannot exceed 12 hours. After the token expires, Terraform will return an authentication error. In that case, update the environment variable: re-run the YC_TOKEN=$(yc iam create-token) command.
You can automate the process of getting a new token with crontab: enter crontab -e, and then enter 0 * * * * export YC_TOKEN=$(yc iam create-token). Now, crontab will independently update the token every hour within the current session. To update the token when opening a new session, run one of the following commands:
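# Single quotes keep $(...) unexpanded, so a new token is requested at each shell startup instead of a fixed token being stored in the file
echo 'export YC_TOKEN=$(yc iam create-token)' >> ~/.bashrc # Command for bash shell
echo 'export YC_TOKEN=$(yc iam create-token)' >> ~/.zshrc # Command for zsh shell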
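The following added example (not part of the original guide or of Yandex Cloud tooling) refreshes YC_TOKEN inside the shell that runs Terraform, long before the 12-hour limit can be reached, and never writes the token to a file. The names yc_refresh_token, tf, YC_TOKEN_ISSUED_AT and YC_TOKEN_MAX_AGE, and the one-hour refresh threshold, are assumptions chosen for illustration.

```bash
# Added example: keep YC_TOKEN fresh in the current shell, nothing written to disk.
# Assumed names (not from the guide): yc_refresh_token, tf,
# YC_TOKEN_ISSUED_AT, YC_TOKEN_MAX_AGE.

# Maximum token age in seconds before a refresh (assumed default: 1 hour,
# well below the 12-hour IAM token lifetime).
: "${YC_TOKEN_MAX_AGE:=3600}"

yc_refresh_token() {
    _yc_now=$(date +%s)
    _yc_age=$(( _yc_now - ${YC_TOKEN_ISSUED_AT:-0} ))
    # Reuse the current token while it is younger than the threshold.
    if [ -n "${YC_TOKEN:-}" ] && [ "$_yc_age" -lt "$YC_TOKEN_MAX_AGE" ]; then
        return 0
    fi
    # Fail closed: on error keep the old value and tell the caller.
    if ! _yc_new=$(yc iam create-token) || [ -z "$_yc_new" ]; then
        echo "yc_refresh_token: 'yc iam create-token' failed" >&2
        return 1
    fi
    export YC_TOKEN="$_yc_new"
    YC_TOKEN_ISSUED_AT=$_yc_now
    unset _yc_new
}

# Run Terraform only after the token check succeeded.
tf() {
    yc_refresh_token || return 1
    terraform "$@"
}
```

Source the file from ~/.bashrc or ~/.zshrc and call tf plan or tf apply in place of terraform.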
This completes the authentication setup. You can install and configure Terraform.