Managing static access keys
Some Yandex Cloud services support authentication with static access keys.
Static access keys are created for service accounts. If you do not have a service account yet, create one and assign roles to it.
Creating a static access key
Note
Creating static access keys for service accounts may be prohibited by access policies at the folder, cloud, or organization level.
To create a service account static access key:
-
In the management console
, click or in the top panel and select the folder the service account belongs to. -
In the list of services, select Identity and Access Management.
-
In the left-hand panel, select
Service accounts. -
Select the service account to create a static access key for.
-
In the top panel, click
Create new key and select Create static access key. -
Enter a description for the key and click Create.
-
Save the ID and secret key.
Alert
After you close this dialog, the key value will no longer be available.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
View the description of the command for creating a static access key:
yc iam access-key create --help -
Select a service account, e.g.,
my-robot:yc iam service-account listResult:
+----------------------+------------------+-------------------------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-------------------------------+ | aje6o61dvog2******** | my-robot | | | aje9sda1ufvq******** | account_name | account_description | +----------------------+------------------+-------------------------------+ -
Create an access key for the
my-robotservice account:yc iam access-key create --service-account-name my-robotResult:
access_key: id: aje6t3vsbj8l******** service_account_id: ajepg0mjt06s******** created_at: "2018-11-22T14:37:51Z" key_id: 0n8X6WY6S24N******** secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI******** -
Save the ID (
key_id) and secret key (secret). You will not be able to get the key again.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.
-
In the configuration file, describe the resources you want to create:
resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = "<service_account_ID>" description = "<key_description>" pgp_key = "keybase:keybaseusername" output_to_lockbox { secret_id = "<Lockbox_secret_ID>" entry_for_access_key = "<secret’s_key_for_static_key_ID>" entry_for_secret_key = "<secret’s_key_for_secret_key>" } }Where:
-
service_account_id: Service account ID. This is a required setting. -
description: Key description. This is an optional setting. -
pgp_key: Additional PGP key for encrypting a private key. This is an optional setting. Specify the public part of the key in Base64 encoding or inkeybase:keybaseusernameformat. -
output_to_lockbox: Description of the Yandex Lockbox secret to save the secret key values in to prevent their possible leakage through theterraform.tfstatefile. This is an optional setting. Nested parameters:secret_id: ID of the Yandex Lockbox secret to store the key ID and secret key in. The secret must be custom.entry_for_access_key: Secret key to assign to the static access key ID value you are saving.entry_for_secret_key: Secret key to assign to the secret key value you are saving.
For more on the properties of the
yandex_iam_service_account_static_access_keyresource in Terraform, see this provider guide. -
-
Make sure the configuration files are correct.
-
In the terminal, navigate to the directory where you created your configuration file.
-
Run a check using this command:
terraform plan
If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.
-
-
Deploy the cloud resources.
-
If the configuration is correct, run this command:
terraform apply -
Confirm creating the static access key by typing
yesin the terminal and pressing Enter.If there are any errors when creating the key, Terraform will report them.
If the key is created successfully, Terraform will store it in its state without showing it to the user. The terminal will display only the ID of the created key.You can verify that the service account key has been created using the management console
or this CLI command:yc iam access-key list --service-account-name=<service_account_name>
-
Use the create REST API method for the AccessKey resource or the AccessKeyService/Create gRPC API call.
Examples
Add a description when creating a service account
Add a description when creating an access key.
yc iam access-key create \
--service-account-name my-robot \
--description "this key is for my bucket"
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
service_account_id = "<service_account_ID>"
description = "this key is for my bucket"
pgp_key = "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+x....."
}
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"serviceAccountId": "<service_account_ID>",
"description": "this key is for my bucket"
}' \
https://iam.api.cloud.yandex.net/iam/aws-compatibility/v1/accessKeys
Deleting a static access key
To delete a service account static access key:
- In the management console
, click or in the top panel and select the folder the service account belongs to. - In the list of services, select Identity and Access Management.
- In the left-hand panel, select
Service accounts and then select the required service account. - Under Static access keys, click
in the row with the key to delete, and select Delete. - In the window that opens, click Delete.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
Get a list of static access keys of the service account by specifying its name:
yc iam access-key list \ --service-account-name <service_account_name>Result:
+----------------------+----------------------+----------------------+ | ID | SERVICE ACCOUNT ID | KEY ID | +----------------------+----------------------+----------------------+ | aje8bdtqec6l******** | ajeedllrkjma******** | R9JK04o1Dfaf******** | | ajegqpa91bta******** | ajeedllrkjma******** | cWXGkDoBRho5******** | +----------------------+----------------------+----------------------+ -
Delete the static access key by specifying its ID:
yc iam access-key delete <key_ID>
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.
-
Open the Terraform configuration file and delete the section with the static access key description.
Example of a static access key description in the Terraform configuration:
resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = "<service_account_ID>" description = "<key_description>" pgp_key = "keybase:keybaseusername" output_to_lockbox { secret_id = "<Lockbox_secret_ID>" entry_for_access_key = "<secret’s_key_for_static_key_ID>" entry_for_secret_key = "<secret’s_key_for_secret_key>" } }For more information about the resources you can create with Terraform, see this provider guide.
-
Make sure the configuration files are correct.
-
In the terminal, navigate to the directory where you created your configuration file.
-
Run a check using this command:
terraform plan
If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.
-
-
Deploy the cloud resources.
-
If the configuration is correct, run this command:
terraform apply -
Confirm creating and deleting the resources by typing
yesin the terminal and clicking Enter.
This will create or delete all the resources you need in the specified folder. You can check the new resources and their settings or make sure the resources were deleted using the management console
and this CLI command:yc iam access-key list --service-account-id <service_account_ID> -
Use the delete REST API method for the AccessKey REST API resource or the AccessKeyService/Delete gRPC API call.