Authenticating as a service account
Learn how to authenticate in the CLI:
Service accounts are different from user accounts or federated user accounts. You cannot use service accounts to log in to the management console.
Getting started
- Authenticate in the CLI as a user or a federated user.
- If you don't have a service account yet, create one and configure access rights for it.
Authenticate as a service account
To authenticate as a service account:
- Get a list of service accounts that exist in your cloud:
  yc iam service-account --folder-id <folder_ID> list
  Result:
  +----------------------+------------+
  |          ID          |    NAME    |
  +----------------------+------------+
  | aje3932acd0c5ur7dagp | default-sa |
  +----------------------+------------+
- Create an authorized key for the service account and save it to the key.json file:
  yc iam key create --service-account-name default-sa --output key.json --folder-id <folder_ID>
  Result:
  id: aje83v701b1un777sh40
  service_account_id: aje3932acd0c5ur7dagp
  created_at: "2019-08-26T12:31:25Z"
  key_algorithm: RSA_2048
- Add the service account authorized key to the CLI profile.
  - Create a new CLI profile:
    yc config profile create sa-profile
  - Add an authorized key:
    yc config set service-account-key key.json
- Make sure that the service account parameters are added correctly:
  yc config list
  Result:
  service-account-key:
    id: aje83v701b1un777sh40
    service_account_id: aje3932acd0c5ur7dagp
    created_at: "2019-08-26T12:31:25Z"
    key_algorithm: RSA_2048
    public_key: |
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBg...
      -----END PUBLIC KEY-----
    private_key: |
      -----BEGIN PRIVATE KEY-----
      MIIEvwIBAD...
      -----END PRIVATE KEY-----
- Configure your profile to run commands.
  Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
  - Specify the cloud in your profile:
    yc config set cloud-id <cloud_ID>
    You can also use the --cloud-id parameter to run commands.
  - Specify a folder in the profile:
    yc config set folder-id <folder_ID>
    You can also use the --folder-id parameter to run commands.
  All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
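The key.json file created in the procedure above holds the service account's private key, so it is worth checking the file before loading it with yc config set service-account-key. The following is an added example, not part of the Yandex Cloud documentation: check_sa_key is a hypothetical helper name, and it assumes key.json is JSON carrying the same fields that the yc config list output above shows.

```shell
#!/bin/sh
# Added example: preflight check for a service account authorized key file.
# check_sa_key is a hypothetical helper, not part of the yc CLI.
# Assumption: key.json is JSON with the fields shown by `yc config list`.

check_sa_key() {
    key_file=$1

    # Must be a regular file, not a symlink into a shared location.
    if [ -L "$key_file" ] || [ ! -f "$key_file" ]; then
        echo "check_sa_key: $key_file is not a regular file" >&2
        return 2
    fi

    # The file holds a private key: group and others must have no access.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode_bits=$(ls -ld -- "$key_file" | cut -c5-10)
    if [ "$mode_bits" != "------" ]; then
        echo "check_sa_key: $key_file is open to group/others (chmod 600 it)" >&2
        return 3
    fi

    # Every field the CLI profile relies on must be present.
    for field in id service_account_id key_algorithm public_key private_key; do
        if ! grep -q "\"$field\"[[:space:]]*:" "$key_file"; then
            echo "check_sa_key: field $field missing from $key_file" >&2
            return 4
        fi
    done

    # The private part must be PEM key material, not an empty placeholder.
    if ! grep -q -e '-----BEGIN PRIVATE KEY-----' "$key_file"; then
        echo "check_sa_key: no PEM private key in $key_file" >&2
        return 5
    fi
    return 0
}

# Typical use, in place of the bare "yc config set" step:
#   check_sa_key key.json && yc config set service-account-key key.json
```

As the result above shows, yc config list prints the private key in full, so keep that output out of logs, tickets and shared terminals.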
Authenticate as a service account from inside a VM
The authentication process from inside a VM is simplified for a service account:
- Link the service account to a VM.
- Authenticate from inside a VM:
  - Connect to a virtual machine over SSH.
  - Create a new profile:
    yc config profile create my-robot-profile
- Configure your profile to run commands.
  Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
  - Specify the cloud in your profile:
    yc config set cloud-id <cloud_ID>
    You can also use the --cloud-id parameter to run commands.
  - Specify a folder in the profile:
    yc config set folder-id <folder_ID>
    You can also use the --folder-id parameter to run commands.
  All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
Read more about working with Yandex Cloud from a VM in Working with Yandex Cloud from inside a VM.