Using a Yandex Lockbox secret to store a static access key with Terraform
To use a static access key saved in a Yandex Lockbox secret using Terraform:
- Set up your environment.
- Create your infrastructure.
- Use the key from the Yandex Lockbox secret for your operations with the service.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.
Learn more about clouds and folders here.
Required paid resources
The infrastructure support costs include:
- Fee for storing one version of the Yandex Lockbox secret (see Yandex Lockbox pricing).
- Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See Object Storage pricing.
Set up your environment
Install the AWS CLI.
You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.
Create your infrastructure
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.
To create an infrastructure using Terraform:
-
Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure your provider, Step 1).
-
Set up your infrastructure description file:
Ready-made configurationManually-
Clone the repository with configuration files.
git clone https://github.com/yandex-cloud-examples/yc-static-keys-in-lockbox -
Navigate to the repository directory. It should now contain the
static-key-in-lockbox-config.tffile with the new infrastructure configuration.
-
Create a folder for configuration files.
-
Create a configuration file named
static-key-in-lockbox-config.tfin the folder:static-key-in-lockbox-config.tf
# Declaring user-defined variables locals { zone = "<availability_zone>" folder_id = "<folder_ID>" } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" version = ">= 0.47.0" } } } # Configuring a provider provider "yandex" { zone = local.zone } # Creating a service account and assigning roles resource "yandex_iam_service_account" "sa" { folder_id = local.folder_id name = "storage-bucket-sa" } resource "yandex_resourcemanager_folder_iam_member" "sa-admin" { folder_id = local.folder_id role = "storage.admin" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } resource "yandex_resourcemanager_folder_iam_member" "lockboxview" { folder_id = local.folder_id role = "lockbox.payloadViewer" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } # Creating a secret resource "yandex_lockbox_secret" "my_secret" { name = "static-key" folder_id = local.folder_id deletion_protection = true } # Creating a static access key resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.sa.id description = "static access key for object storage" output_to_lockbox { secret_id = yandex_lockbox_secret.my_secret.id entry_for_access_key = "key_id" entry_for_secret_key = "key" } } # Data source of the secret version data "yandex_lockbox_secret_version" "my_secret_version" { secret_id = yandex_lockbox_secret.my_secret.id version_id = yandex_iam_service_account_static_access_key.sa-static-key.output_to_lockbox_version_id depends_on = [ yandex_lockbox_secret.my_secret ] } # Output variables output "key_id" { value = data.yandex_lockbox_secret_version.my_secret_version.entries[1].text_value } output "key" { value = data.yandex_lockbox_secret_version.my_secret_version.entries[0].text_value }
Learn more about the properties of Terraform resources in the relevant Terraform guides:
-
-
In the
static-key-in-lockbox-config.tffile, set the following user-defined properties:zone_id: Availability zone.folder_id: Folder ID.
-
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-
Once the infrastructure is created, use the key from the secret for your operations with the service.
Use the key from the Yandex Lockbox secret for your operations with the service
The example below is intended to be run in MacOS and Linux. To run it in Windows, see how to work with Bash in Microsoft Windows.
Use the key from the Yandex Lockbox secret and create a bucket in Object Storage:
-
Save the key ID, secret key, and placement region to the AWS CLI environment variables:
AWS_ACCESS_KEY_ID=$(terraform output key_id) AWS_SECRET_ACCESS_KEY=$(terraform output key) AWS_DEFAULT_REGION="ru-central1"The AWS CLI will use the environment variables you created for authentication when performing operations with the service resources.
-
Create a bucket in Object Storage, specifying a unique bucket name in the command:
AWS CLIaws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>Result:
make_bucket: my-first-bucketThis will create a new bucket in Object Storage. When creating a bucket, a static access key is used obtained from the Yandex Lockbox secret and saved in environment variables.
You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:
AWS CLIAWS_ACCESS_KEY_ID=$(terraform output key_id) \ AWS_SECRET_ACCESS_KEY=$(terraform output key) \ AWS_DEFAULT_REGION="ru-central1" \ aws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>Result:
make_bucket: my-first-bucket
How to delete the resources you created
To stop paying for the resources you created:
-
Delete the bucket.
-
Open the
static-key-in-lockbox-config.tfconfiguration file and delete your infrastructure description from it. -
Apply the changes:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-