© 2025 Direct Cursus Technology L.L.C.
Authenticating as a service account

Written by
Yandex Cloud
Updated at April 1, 2025
Learn how to authenticate in the CLI:

  • As a service account.
  • As a service account from inside a VM.

Service accounts are different from user accounts or federated user accounts. You cannot use service accounts to log in to the management console, but you can use them to manage resources in Yandex Cloud.

Getting started

  1. Authenticate in the CLI as a user or a federated user.
  2. If you don't have a service account yet, create one and configure access rights for it.

Authenticate as a service account

To authenticate as a service account:

  1. Get a list of service accounts that exist in your cloud:

    yc iam service-account --folder-id <folder_ID> list
    

    Result:

    +----------------------+------------+
    |          ID          |    NAME    |
    +----------------------+------------+
    | aje3932acd0c5ur7dagp | default-sa |
    +----------------------+------------+
    
  2. Create an authorized key for the service account and save it to a file named key.json:

    yc iam key create --service-account-name default-sa --output key.json --folder-id <folder_ID>
    

    Result:

    id: aje83v701b1un777sh40
    service_account_id: aje3932acd0c5ur7dagp
    created_at: "2019-08-26T12:31:25Z"
    key_algorithm: RSA_2048
    
  3. Add the service account authorized key to the CLI profile.

    1. Create a new CLI profile:

      yc config profile create sa-profile
      
    2. Add an authorized key:

      yc config set service-account-key key.json
      
  4. Make sure that the service account parameters are added correctly:

    yc config list
    

    Result:

    service-account-key:
      id: aje83v701b1un777sh40
      service_account_id: aje3932acd0c5ur7dagp
      created_at: "2019-08-26T12:31:25Z"
      key_algorithm: RSA_2048
      public_key: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBg...
        -----END PUBLIC KEY-----
      private_key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvwIBAD...
        -----END PRIVATE KEY-----
    
  5. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      yc config set cloud-id <cloud_ID>
      

      You can also use the --cloud-id parameter to run commands.

    2. Specify a folder in the profile:

      yc config set folder-id <folder_ID>
      

      You can also use the --folder-id parameter to run commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
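
The key.json file from step 2 and the yc config list output from step 4 both contain the service account's private key in clear text. The following is an added example, not part of the original Yandex Cloud documentation: two shell helpers that check the key file's permissions and strip the private key from the profile listing before it is shared. The function names are hypothetical, and the field names are the ones shown in the results above.

```bash
#!/usr/bin/env bash
# Added example: hygiene checks around the authorized key from steps 2-4.
# Function names are hypothetical, not part of the yc CLI.

# Succeeds only if the key file is a regular file (not a symlink), carries
# the expected fields, and grants no access to group or others.
key_file_is_private() {
  f=$1
  [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
  for field in service_account_id private_key; do
    grep -q "\"$field\"" "$f" || { echo "no $field field in $f" >&2; return 1; }
  done
  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$f is open to group/others; run chmod 600" >&2; return 1; }
}

# Filter for `yc config list` output: replaces the body of the private_key
# block scalar with a marker and passes every other line through unchanged.
redact_private_key() {
  awk '
    skip && /^[ ]*$/ { next }              # blank line inside the key block
    skip {
      match($0, /[^ ]/)
      if (RSTART - 1 > indent) next        # deeper indent: still key material
      skip = 0                             # back at key level: resume printing
    }
    /^ *private_key:[ ]*[|]/ {
      match($0, /[^ ]/); indent = RSTART - 1
      print
      print substr($0, 1, indent) "  [REDACTED]"
      skip = 1
      next
    }
    { print }
  '
}
```

Typical use: run key_file_is_private key.json right after step 2, and yc config list | redact_private_key in place of the bare command in step 4 when the output goes into a ticket or CI log.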

Authenticate as a service account from inside a VM

The authentication process from inside a VM is simplified for a service account:

  1. Link your service account to a VM.

  2. Authenticate from inside a VM:

    1. Connect to the VM over SSH.

    2. Create a new profile:

      yc config profile create my-robot-profile
      
  3. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      yc config set cloud-id <cloud_ID>
      

      You can also use the --cloud-id parameter to run commands.

    2. Specify a folder in the profile:

      yc config set folder-id <folder_ID>
      

      You can also use the --folder-id parameter to run commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

Read more about working with Yandex Cloud from a VM in Using Yandex Cloud from within a VM.

See also

  • Managing a CLI configuration.
  • Creating a profile.
  • Activating a profile.
  • Managing profile parameters.
  • Using Yandex Cloud from within a VM.
