Authenticating as a service account
Learn how to authenticate in the CLI:
Service accounts are different from user accounts or federated user accounts. You cannot use service accounts to log in to the management console, but you can use them to manage resources in Yandex Cloud.
Getting started
- Authenticate in the CLI as a user or a federated user.
- If you don't have a service account yet, create one and configure access rights for it.
Authenticate as a service account
To authenticate as a service account:
-
Get a list of service accounts that exist in your cloud:
yc iam service-account --folder-id <folder_ID> listResult:
+----------------------+------------+ | ID | NAME | +----------------------+------------+ | aje3932acd0c5ur7dagp | default-sa | +----------------------+------------+ -
Create an authorized key for the service account and save it to the
key.jsonfile:yc iam key create --service-account-name default-sa --output key.json --folder-id <folder_ID>Result:
id: aje83v701b1un777sh40 service_account_id: aje3932acd0c5ur7dagp created_at: "2019-08-26T12:31:25Z" key_algorithm: RSA_2048 -
Add the service account authorized key to the CLI profile.
-
Create a new CLI profile:
yc config profile create sa-profile -
Add an authorized key:
yc config set service-account-key key.json
-
-
Make sure that the service account parameters are added correctly:
yc config listResult:
service-account-key: id: aje83v701b1un777sh40 service_account_id: aje3932acd0c5ur7dagp created_at: "2019-08-26T12:31:25Z" key_algorithm: RSA_2048 public_key: | -----BEGIN PUBLIC KEY----- MIIBIjANBg... -----END PUBLIC KEY----- private_key: | -----BEGIN PRIVATE KEY----- MIIEvwIBAD... -----END PRIVATE KEY----- -
Configure your profile to run commands.
Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
-
Specify the cloud in your profile:
yc config set cloud-id <cloud_ID>You can also use the
--cloud-idparameter to run commands. -
Specify a folder in the profile:
yc config set folder-id <folder_ID>You can also use the
--folder-idparameter to run commands.
All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
-
Authenticate as a service account from inside a VM
The authentication process from inside a VM is simplified for a service account:
-
Link the service account to a VM.
-
Authenticate from inside a VM:
-
Connect to a virtual machine over SSH.
-
Create a new profile:
yc config profile create my-robot-profile
-
-
Configure your profile to run commands.
Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
-
Specify the cloud in your profile:
yc config set cloud-id <cloud_ID>You can also use the
--cloud-idparameter to run commands. -
Specify a folder in the profile:
yc config set folder-id <folder_ID>You can also use the
--folder-idparameter to run commands.
All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
-
Read more about working with Yandex Cloud from a VM in Working with Yandex Cloud from inside a VM.